This data processing agreement records the terms upon which Wonde Inc (“Wonde”) will process the School Data for the purpose of transferring the School Data to Wonde’s applications and/or to one or more third party application providers of services or products to the School and this Agreement is therefore formed between Wonde and the School.
THESE TERMS ARE INCORPORATED INTO ALL TERMS AND CONDITIONS UNDER WHICH WONDE HAS AGREED TO PROVIDE ITS WONDE SOFTWARE TO THE SCHOOL AND THE SCHOOL SUPPLIERS.
1. Definitions
1.1 In this Agreement the following definitions shall apply:
| “Agreement” | means this Data Processing Agreement. |
| “Authorized Persons” | shall mean the persons or categories of persons that the School authorizes to give Wonde processing instructions pursuant to this Agreement. |
| “Confidential Information” | means all confidential information (however recorded or preserved) disclosed by the School, or made available, to Wonde in connection with this Agreement which is either labelled as such or else which could be reasonably considered confidential because of its nature and the manner of its disclosure. |
| “Data Controller” | shall be interpreted and construed by reference to the term Controller and similar terms as defined under Data Protection Laws. |
| “Data Processor” | shall be interpreted and construed by reference to the term Processor and similar terms as defined under Data Protection Laws. |
| “Data Protection Laws” | means all applicable data protection and privacy legislation, regulations, ordinances in force from time to time, as amended and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the processing of Personal Data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the Information Commissioner or other applicable regulatory authority and applicable to a party. |
| “Effective Date” | means the date of last signature below. |
| “Good Industry Practice” | means using standards, practices, methods and procedures conforming to the law and exercising that degree of skill and care diligence prudence and foresight which would reasonably and ordinarily be expected from a skilled and experienced person or body engaged in a similar type of undertaking under the same or similar circumstances. |
| “MIS” | means the School’s database which holds the School Data. |
| “Personal Data” | has the meaning given it and similar terms in Data Protection Laws. |
| “Personal Data Breach” | has the meaning given in Data Protection Laws but shall include any breach or reasonably suspected breach of School Data.. |
| “processed” or “processing” | has the meaning given in Data Protection Laws. |
| “School” | means the school or education establishment who is signatory to this Agreement. |
| “School Data” | means Personal Data relating to students, parents and guardians, and staff at the School, and other data regarding the school, including but not limited to:
1. names and contact details;
2. dates of birth;
3. health information and other special categories of data;
4. details of educational performance and attainment;
5. disciplinary records;
6. timetable, call and year group information. |
| “School Suppliers” | means providers of services or products via applications to the School to which the School wishes to transfer certain data sets of the School Data. |
| “Services” | Means the services performed by Wonde:
a. for the benefit of the School and School Suppliers, utilizing the Wonde Software, of transferring selected School Data from the School or its MIS to selected School Suppliers; and
b. to allow students, parents and guardians, and staff at the School to access selected data from the MIS
and/or School Suppliers using a single account within the Wonde Software; and
C. to allow access to, and use of the Wonde Software by School and School Suppliers. |
| “Sub-Processors” | means any person or company appointed by or on behalf of Wonde who may process Personal Data to facilitate the provision of the Services to School in connection with the Agreement. |
| “Wonde Software” | means the software applications and platform supplied (directly or indirectly) by Wonde and used by the School including the Wonde school portal.
The terms “Business Purpose”, “Sale”, “Share”, “Sensitive Personal Data” and similar terms as otherwise defined under Data Protection Laws, shall have the same meaning ascribed to them under Data Protection Laws. |
1.2 A reference to writing or written includes emails and writing in any electronic form.
2. General Provisions
2.1 As of the Effective Date of this Agreement, the parties acknowledge that this Agreement shall be effective and replace any previously applicable data processing, handling and security terms agreed to between the parties.
2.2 This Agreement applies to the extent that Wonde processes School Data.
2.4 The School and Wonde acknowledge that, for the purposes of Data Protection Laws, Wonde is a Data Processor and the School is a Data Controller in respect of the School Data comprising Personal Data which is processed by the Wonde Software. Each party shall comply with their respective obligations under the Data Protection Laws.
2.5 Each party will be an independent Data Controller in respect of Personal Data used in relation to the business relationship for the purpose of facilitating the Services. Each party represents and warrants that it shall limit the use of Business Contact Data to: (i) perform its obligations under the Agreement in connection with the party’s provision or receipt of the Services and other business or administrative purposes; (ii) comply with applicable legal and regulatory requirements, requests and communications, including from supervisory authorities, courts, or tribunals; and (iii) protect its rights and the rights of others in accordance with applicable law.
2.6 Wonde shall comply with all applicable Data Protection Laws in respect of its obligations for the processing of the School Data.
2.7 Wonde shall not process any School Data other than on the instructions of the School (unless such processing shall be required by any applicable law to which Wonde is subject to and Wonde restricts such processing only to the limited amount of School Data necessary to comply with such applicable law and provides prior notice to School (unless notice is prohibited by such applicable law)).
2.8 The School hereby instructs and authorizes Wonde to process School Data solely for the purpose of:
2.8.1 transferring certain School Data through its instructions via the Wonde school portal from the School to School Suppliers, which permits students, parents and guardians, and staff of the School to access and manage the School Data effectively;
2.8.2 carrying out requests and/or instructions by School to restrict or approve data sets via the Wonde school portal;
2.8.3 Wonde providing the School with access to the Wonde Software;
2.8.4 as otherwise reasonably necessary for the provision of the Services by Wonde to the School; and
2.8.5 the Business Purposes and processing activities set out in Schedule I.
2.9 The School warrants and represents that the Processing of School Data as set out in this Agreement by Wonde, is permissible under Data Protection Laws.
2.10 The School and Wonde confirm that Schedule 1 determines the subject matter, duration, nature and purpose of processing which includes the following:
2.10.1 the processing of School Data by Wonde will comprise the collection or extraction of School Data from the MIS, the organization and re-categorization of that School Data, the transfer of the School Data to School Suppliers notified to Wonde by the School via the Wonde school portal, the processing of School Data within and for the purpose of the Wonde Software, and the transfer of the School Data to parents, guardians, students and staff of the School who are permitted access to the Wonde Software;
2.10.2 the purpose of the processing of School Data by Wonde is to enable Wonde to provide the Services; and
2.10.3 the data that will be processed by Wonde will be School Data, and the data subjects will be students of the School, their parents and guardians, and staff of the School.
2.10.4 Wonde represents and warrants that it will not (i) Sell or Share any School Data; (ii) use, retain, or disclose School Data outside of the direct business relationship between School and Wonde unless expressly permitted by Data Protection Laws, for any commercial purposes other than the Business Purposes specified in Schedule I; or (iii) combine School Data with Personal Data Wonde receives from or on behalf of another person or client, or collects from its own interaction with a person.
2.11 Wonde shall: (i) permit School to take reasonable and appropriate steps to confirm that Wonde uses School Data in a manner consistent with School’s obligations under Data Protection Laws; (ii) permit School to take reasonable and appropriate steps to stop and remediate unauthorized use of School Data; and (iii) notify School if Wonde determines that it can no longer meet its obligations under this Agreement.
3. Term and Termination
3.1 This Agreement shall commence on the Effective Date, and shall continue in full force unless and until the School removes the Wonde Software from the School’s computer network or MIS, at which point this Agreement shall automatically terminate.
3.2 Upon termination of this Agreement, clauses 2.6, 2.9, 4 and 5 and 9 shall continue to apply.
3.3 Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the license terms or this Agreement, in order to protect the School Data, will remain in full force and effect.
4. Transfer of School Data
4.1 The School hereby consents to the Wonde Software accessing School Data held on the MIS, for the purpose of extracting and transferring such School Data to Wonde and to School Suppliers for the purposes set out in this Agreement only.
4.2 Upon leaving the School MIS by electronic means (via HTTPS) the School Data will be encrypted by the Wonde Software.
4.3 Wonde shall ensure that the School has access to the Wonde school portal whereby the School has visibility and control over the categories of School Data they are sharing with each School Supplier.
4.4 School Data will only be transferred to School Suppliers where instructed by the School via the school portal in the Wonde Software.
5. Ownership of the School Data and Confidential Information
5.1 The School Data shall always remain the property of the School.
5.2 The School therefore retains control of the School Data.
5.4 Wonde shall keep all Confidential Information and School Data confidential and shall not:
5.4.1 use any Confidential Information or School Data except as described in this Agreement; or
5.4.2 disclose any Confidential Information in whole or in part to any third party, except as expressly required by this Agreement or to the extent required by applicable law.
5.5 Wonde shall ensure that all persons authorized by Wonde to process the School Data are:
5.5.1 informed of the confidential nature of the Confidential Data and School Data and are bound by confidentiality obligations and use the appropriate restrictions in place in respect of preserving the School Data and Confidential Information; and
5.5.2 undertaking training on a continuous basis regarding Data Protection Laws relating to any handling of the School Data.
6. Security of the Data
6.1 Wonde shall implement and maintain reasonably physical, technical and organizational security measures to ensure the security of all School Data that it processes, consistent with industry standards and Data Protection Laws.
6.2 Wonde’s security policies and processes are available on request.
7. Sub-Processors
7.1 The School acknowledges and agrees that Wonde may use Sub-Processors to fulfil the Services as set out in this Agreement. Wonde may use the Sub-Processors found at www.wonde.com/subprocessors as of the Effective Date.
7.3 Where Wonde wishes to appoint a Sub-Processor pursuant to this clause 7, it must (i) provide School at least 30 days’ prior written notice, (ii) if approved by School within 30 days after notice, add such Sub-Processor to the above URL (in the event Wonde does not receive written approval from the School within 30 days, Wonde will deem the School as accepting such Sub-Processor); and (iii) ensure that the arrangement between it and the Sub-Processor is governed by a written contract including terms which are the same or substantially similar to those set out in this Agreement.
7.4 Wonde shall remain liable for the acts and omissions of any Sub-Processor in violation of the terms of this Agreement.
8. Insurance
8.1 Wonde maintains a policy of insurance in respect of public liability in respect of the services provided by Wonde and the processing of the School Data, and shall produce a copy of such policy to the School if requested to do so.
9. Deletion or return of School Data
9.1 Wonde shall within a reasonable period of time, but no more than 30 days, after a written request from the School or the termination of this Agreement, delete and procure the deletion of all copies of the School Data within its or its Sub-Processor’s custody or control.
9.2 Subject to clause 9.3, the School may in its absolute discretion by written notice to Wonde at any time require Wonde to delete and procure the deletion of all other copies of School Data processed by Wonde or any of its Sub-Processors.
9.4 Wonde and its Sub-Processors may retain School Data to the extent specifically required for Wonde or its sub-Processors compliance with applicable law, provided that Wonde and its Sub-Processors shall ensure the confidentiality of all such School Data retained, and shall ensure that such School Data is only processed as necessary for the purpose(s) specified by the applicable laws requiring its storage and for no other purpose, provide School with prior notice of such required retention and the purposes for retention, and Wonde and its Sub-Processors delete such retained School Data within 30 days after it is no longer necessary for the purposes disclosed to School.
9.5 Wonde shall, within 30 days of a formal request from the School, provide written certification to the School that it has fully complied with this clause 9.
10. Audit and Information Rights
10.1 Subject to clauses 10.2, 10.3 and 10.4, Wonde shall:
10.1.1 make available to the School on request all information reasonably necessary to demonstrate Wonde’s compliance with this Agreement and Data Protection Laws; and
10.1.2 allow for and contribute to audits, including inspections, by the School or any auditor nominated by the School in relation to the processing of the School Data by Wonde and its Sub-Processors.
10.2 Intentionally omitted.
10.3 The School shall use commercially reasonable efforts to give Wonde reasonable notice of any audit or inspection that it wishes to conduct under clause 10.1, and shall (and shall ensure that any nominated auditor shall) use commercially reasonable efforts to avoid causing (or, if it cannot avoid, minimize) any damage, injury or disruption to Wonde’s or its Sub-Processors’ premises, equipment, personnel and business.
10.4 Without prejudice to clause 10.3, Wonde or its Sub-Processors are not required to give access to their premises for the purposes of an audit or inspection:
10.4.1 to any individual unless he or she produces reasonable evidence of Identity and authority; or
10.4.2 outside normal business hours at those premises (to the extent commercially reasonable); or
10.4.3 for the purposes of more than one audit or inspection in any calendar year unless otherwise required by Data Protection Laws or in the event of a Personal Data Breach.
11. Data Subject Rights and Associated Matters
11.1 Wonde and its Sub-Processors shall assist the School to respond to requests to exercise data subject rights under the Data Protection Laws.
11.2 Wonde shall:
11.2.1 promptly notify the School if it or any Sub-Processor receives a request from a data subject under any Data Protection Law in respect of School Data;
11.2.2 notify the School promptly in writing if it receives any complaint or notice that relates directly or indirectly to the processing of the School Data and/or to either party’s compliance with the Data Protection Laws; and
11.2.3 not, and Sub-Processors shall not, respond to any request from a data subject, except on the written instructions of the School unless otherwise required to respond in order to comply with Data Protection Laws.
11.3 Wonde shall notify the School without undue delay upon Wonde becoming aware of or reasonably suspecting:
11.3.1 the loss, unintended destruction or damage, corruption, or unitability of part or all of the School Data. Wonde will restore any School Data at its own expense as soon as possible;
11.3.2 any accidental, unauthorized or unlawful access or processing of the School Data; or
11.3.3 any Personal Data Breach in respect of any School Data processed by Wonde, providing the School with sufficient information to allow the School to meet any obligations to report, or inform the individuals to which the School Data related, of such Personal Data Breach under Data Protection Laws. It shall be the responsibility of the School to report the Personal Data Breach to any appropriate regulatory authority or individual.
11.4 Wonde shall co-operate with the School and take such reasonable commercial steps as directed by the School to include: assisting in the investigation, facilitating any interviews, remediation and making any records available in relation to any such Personal Data Breach referred to in clause 11.3.
11.5 Wonde shall provide reasonable assistance to the School (at the Wonde’s own expense) with:
11.5.1 responding to any request from a Data Subject; and
11.5.2 any data protection impact assessments, and prior consultations with competent data privacy authorities, which the School reasonably considers to be required under any Data Protection Laws, in each case solely in relation to processing of School Data comprised in the School Data.
12. Liability
12.1 The following shall be considered Wonde’s material breach of the Agreement:
- a Personal Data Breach; or
- Wonde’s (or its Sub-processors’) failure to comply with any of its obligations set forth in this Agreement. Wonde agrees to indemnify, defend, and hold harmless School and its affiliates, subsidiaries, successors and assigns from and against any and all claims, losses, demands, liabilities, damages, settlements, expenses and costs (including attorneys’ fees and costs), arising from, in connection with, or based on allegations of, any Personal Data Breach or Wonde’s (or its Sub-processors’) failure to comply with any of its obligations set forth in this Agreement. This indemnification obligation is not subject to any limitation of liability elsewhere in the Agreement or otherwise agreed to by the parties.
12.2 Nothing in this Agreement shall limit the liability of Wonde for any third party claims arising out of or caused by its negligence, willful misconduct, fraud or fraudulent misrepresentation, or any other matter for which liability cannot be limited or excluded as a matter of law.
13. Records
13.1 Wonde agrees that it shall keep detailed, accurate and complete records regarding any processing activities it carries out pursuant to this Agreement, including but not limited to, the access, control and security of the School Data.
13.2 Wonde will ensure that any such records referred to in clause 13.1 are sufficient to enable the School to verify Wonde’s compliance with its obligations under this Agreement and will respond to any reasonable request by the School for copies.
14. Miscellaneous Provisions
14.1 Save for any statement, license, representations or assurances as to the method or location of storage this Agreement and the Schedules to it constitutes the entire agreement and understanding between the parties and with respect to all matters which are referred to and shall supersede any previous agreements between the parties in relation to the matters referred to in this Agreement.
14.2 No one other than a party to this Agreement, its successors and permitted assignees shall have any right to enforce any of its terms.
14.3 This Agreement may not be modified or extended except by a written agreement signed by an authorized representative of each Party.
14.4 This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual dispute or claims) shall be governed by and construed in accordance with the laws of Delaware.
14.5 Wonde may transfer, assign or novate its rights and obligations under this Agreement to any member of its group companies to whom a party transfers all or substantially all of its business.
SCHEDULE 1
Subject matter of processing:
The transfer is necessary to enable the provision of services by Wonde as set out in clause 2.8 (provision of data integration / data extraction services).
Duration of Processing:
For as long as it is necessary to provide the Services and until the School removes the Wonde Software from the School’s computer network or MIS, and then School Data is held and then deleted in accordance with Section 9.
Nature of and Purposes for Processing:
The collection, storage, organization and re-categorization of the School Data in connection with, and for the purpose of, providing the Services to the School as set out in the Agreement and including the following Business Purposes:
- Debugging to identify and repair errors that impair existing intended functionality.
- Helping to ensure security and integrity to the extent the use of the School Data is reasonably necessary and proportionate for these purposes.
Personal Data Categories and Types:
The School Data being processed concerns the following categories of Data Subjects:
| Students / Pupils |
| School Employees Including volunteers, agents, temporary and casual workers |
| Parents, relatives, guardians, and associates of the data subject |
Data Types:
| Identifying information – names and former names, and dates of birth, reference numbers, personal pupil number, etc. |
| Contact information – postal and email addresses (current and former), telephone number |
| Education/training records and examination results |
| Employment details for School employees such as name, address, email, DBS information, bank details, national insurance information, previous history |
| Usernames, passwords, IP addresses and cookies |
| Attendance / Absence information |
| Information collected by the school to form a student record, including behaviour and detention information |
| Characteristic data such as financial information, pupil premium and free school meal eligibility. |
| Sensitive Personal Data such as medical data, pupil in care and interventions |