This International Data Transfer Agreement ("IDTA") is entered into as Appendix D to the Sales Agreement between Breakout Learning ("Processor") and the Purchaser ("Controller"), where the Data Exporter is subject to the UK General Data Protection Regulation ("UK GDPR").

This IDTA ensures that the international transfer of personal data from the United Kingdom to the United States is carried out in compliance with UK GDPR.

1. Scope and Incorporation

This IDTA is based on the UK Information Commissioner's Office (ICO) template and incorporates the European Commission's Standard Contractual Clauses ("SCCs") for international transfers (2021), including Module Two (controller-to-processor), adapted for transfers subject to the UK GDPR.

2. Parties

• Data Exporter (Controller): The Purchaser as identified in the Sales Agreement
• Data Importer (Processor): Breakout Learning, Inc., 701 Brazos St, Austin, TX, USA

3. Description of the Transfer

• Data Subjects: Students, instructors, and educational staff associated with the Purchaser
• Categories of Personal Data: Name, email address, account identifiers, participation data, session logs
• Nature of Processing: Provision of educational platform functionality, technical support, usage analysis
• Purpose of Processing: To deliver Breakout Learning services as per the Sales Agreement
• Frequency: Continuous during the License Duration
• Retention Period: As set forth in Data Processing Agreement (DPA)

4. Technical and Organizational Safeguards

Breakout Learning ensures the protection of transferred data through:

• End-to-end encryption (AES-256 at rest, TLS 1.2+ in transit)
• Role-based access controls with MFA
• Logging, alerting, and SOC 2 Type 2-audited security controls
• Vetting and contractual safeguards with all subprocessors

5. Subprocessors and Onward Transfers

The Data Importer may engage subprocessors to support the provision of services. Subprocessors are subject to equivalent safeguards, and the Data Exporter will be notified in advance of any material changes.

6. Data Breach Notification and Cooperation

The Data Importer agrees to notify the Data Exporter within 24 hours of identifying a data breach and to cooperate in managing any legal or regulatory notification obligations.

7. Audit Rights

The Data Exporter may request documentation or conduct audits (virtual or on-site) to verify compliance with this IDTA. Such requests will be responded to in good faith within a reasonable timeframe.

8. Governing Law and Jurisdiction

This IDTA shall be governed by the laws of England and Wales. The parties submit to the jurisdiction of the courts of England and Wales for the resolution of any disputes.

9. Termination

This IDTA shall terminate automatically upon expiration or termination of the DPA or Sales Agreement. If the ICO updates or revokes current transfer mechanisms, the parties agree to collaborate in good faith to implement a compliant alternative.