Data Processing Addendum to the Subscription and License Agreement

Updated June 12, 2024

This Data Processing Addendum (“DPA”) forms part of, and is subject to, the Subscription and License Agreement, Subscription Services Agreement, License Agreement or other agreement (including all Quote(s), Order Form(s), SOW(s) and other ordering agreements entering to under any of the foregoing (each an “Agreement”) between Plato eLearning LLC, dba ELB Learning, a Delaware Limited Liability Company (“ELB Learning” or “Provider”) and the counterparty to the applicable Agreement (“Customer”) pursuant to which ELB Learning provides certain Services (as defined below) to Customer that may entail the Processing of Personal Data (as defined below) and incorporates the terms of this DPA and the SCCs (as defined below) to the extent applicable. Customer and ELB Learning shall be referred to jointly as the “Parties” and individually as a “Party.” Capitalized terms not otherwise defined herein shall have the meaning given to them in the applicable Agreement.

INTRODUCTION. This DPA reflects the Parties’ agreement on the terms governing the Processing and security of Customer Data and Services Data in connection with an Agreement.
DEFINITIONS.
1. “Controller” means the entity that determines the purposes and means of the processing of Personal Data. “Controller” includes equivalent terms in Data Protection Laws, such as the CCPA-defined terms “Business” or “Third Party,” as context requires.
2. “Covered Individuals” means Data Subjects employed by or affiliated with Customer who access the Services; via authorization of Customer (“Authorized Users”); and/or (ii) are tasked by Customer with overseeing, managing, or administratively supporting the Provider's delivery of Services (“Customer Coordinator”), provided and to the extent that the applicable Personal Data relates to such Data Subject and such Data Subject fall within the protective scope of the applicable Data Protection Law.
3. “Customer Data” means Personal Data of Covered Individuals as such is made available to Provider by or on behalf of a Customer or its Covered Individuals for purposes of Processing pursuant to an Agreement.
4. “Data Protection Laws” means all applicable legislation and regulations governing the processing and protection of Personal Data pursuant to an Agreement, including, where applicable, the EU General Data Protection Regulation No 2016/679 (“GDPR”), the GDPR as implemented by the United Kingdom Data Protection Act 2018 (“UK GDPR”), Federal Act on Data Protection, 19 June 1992 (Status as of 1 January 2022), SR 235.1, Swiss Federal Assembly (“FADP”), Cal. Civ. Code 1798.100 et seq. (California Consumer Privacy Act) as amended (“CCPA”), and any other similar data protection laws in any other applicable territory, each as amendment, replaced, supplemented or superseded.
5. “Data Subject” means an identified or identifiable natural person.
6. “International Data Transfer Mechanism” means the special protections that some jurisdictions require two or more parties that transfer information across international borders to adopt to make the transfer lawful, e.g., standard contractual clauses, binding corporate rules, or statutory obligations that require the parties to adopt certain technical, organizational, or contractual measures. “Transfer,” in the context of an International Data Transfer Mechanism, means the access by, transfer or delivery to, or disclosure to a person, entity, or system of Personal Data where such person, entity or system is located in a country or jurisdiction other than the country or jurisdiction from which the Personal Data originated.
7. “Personal Data” means any information or set of information that identifies, relates to, describes, is reasonably capable or being associated with, or could reasonably be linked to, directly or indirectly, a Data Subject. “Personal Data” includes equivalent terms in Data Protection Laws, such as the CCPA-defined term “personal information,” as context requires.
8. “Process” or “Processing” means any operation or set of operations that is performed on Personal Data, including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
9. “Processor” means an entity that Processes Personal Data on behalf of another entity. “Processor” includes equivalent terms in Data Protection Laws, such as the CCPA-defined terms “Service Provider” or “Contractor,” as context requires.
10. “SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, Commission Implementing Decision (EU) 2021/917 of 4 June 2021.
11. “Security Incident” means confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data Processed by Provider and/or its Sub-processors in connection with the provision of Services. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
12. “Services” means the professional learning and development products and services owned or operated by Provider, including: (i) cloud-based subscription services to which its customers can purchase access (“subscription services”); (ii) downloadable software products (“licensed product(s)”); (iii) support services for the subscription services or licensed products (“support service(s)”); and (iv) professional services related to the creation, implementation, use, integration, and management of learning and development tools, including services to support implementation, configuration, enhancement, and/or use of the subscription services or licensed products (“professional service(s)”).
13. “Services Data” means the data (excluding Customer Data) and metadata generated by the operation of the Services including, usage, event, devise, and performance metrics and logs (to the extent such may be deemed Personal Data).
14. “Sub-processor” means a Processor engaged by a party who is acting as a Processor.
15. “Swiss SCCs” means the SCCs as modified or supplemented by the FADP.
16. “UK Addendum” means the SCCs as amended by Part 2 of the UK Addendum to the SCCs issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018.

SCOPE, ROLES, CUSTOMER INSTRUCTIONS, AND ORDER OF PRECEDENCE
1. The terms this DPA shall apply to the Processing of Customer Data and Services Data pursuant to an Agreement, except to the extent the Data Protection Laws of a specific jurisdiction require otherwise with regard to specific Processing activities performed in connection with the applicable Agreement.
2. The Parties agree that the purpose of the Processing of the Personal Data is performing and supporting the Services outlined in the applicable Agreement (the “Purposes”). For the avoidance of doubt, the Purpose includes technical or customer support, security and fraud protection, and the activities set forth in §1798.105(d) of the CCPA.
3. Customer is the Controller of Customer Data Processed by ELB Learning and ELB Learning is the Processor of such Customer Data. With respect to the Processing of Services Data, Provider is the Controller of such data and, to the extent such is provided or otherwise made available to Customer, Customer will act as separate independent Controller. Notwithstanding Customer’s role as a separate independent Controller of Service Data for purposes of compliance with applicable Data Protection Laws, Customer’s Processing of Service Data shall remain at all times subject to all requirements, restrictions, and limitations of Customer’s use of the Services as set forth in the applicable Agreement and this DPA.
4. Customer hereby instructs and authorizes ELB Learning, along with its Sub-processors, to: (a) Process Customer Data as necessary to perform and support the Services set forth in the applicable Agreement and this DPA, as further specified via the Customer’s use of the Services, including settings and other functionalities where available, and in accordance with any documented written instructions; and (b) Transfer Customer Data to any country or territory as reasonably necessary to provide and support the Services set forth in the applicable Agreement ((a) and (b) collectively, “Customer Instructions”). For the avoidance of doubt, Customer Instructions specifically include the following:
  1. Provider shall not use Customer Data for marketing purposes other than where the applicable Covered Individual has expressly opted in to receive such marketing.
  2. Provider shall not add any Customer Data to its enterprise general marketing database.
  3. Provider shall not sell Customer Data.
5. In the event of a conflict between this DPA and the Agreement, this DPA will control to the extent necessary to resolve the conflict. In the event the Parties use an International Data Transfer Mechanism and there is a conflict between the obligations in the International Data Transfer Mechanism and this DPA, the International Data Transfer Mechanism will control.
DESCRIPTION OF PROCESING ACTIVITIES.
1. Subject Matter and Nature of Processing. Provider shall Process Customer Data for the Purposes. Provider may process Services Data for any lawful purpose in accordance with its Privacy Policy. Customer shall process Services Data only for its internal business purposes in compliance with the applicable Agreement. The Parties acknowledge that any disclosure of Personal Data pursuant to the Agreement does not confer any value under the Agreement. The provision of Personal Data from one Party to the other does not constitute a Sale under the CCPA.
2. Types of Data Subjects. Covered Individuals.
3. Types of Personal Data. Customer Data, including the Personal Data Categories set forth in Schedule A, as applicable to the specified subscription service and licensed products, and Services Data. Customer acknowledges its sole control over the categories, types, and individual data elements of Customer Data that is made available to Provider by or on behalf of Customer or a Covered Individual for purposes of Processing pursuant to an Agreement. Except as otherwise expressly set forth in an Agreement, the categories of Customer Personal Data not specifically associated with a subscription service is limited to Covered Individuals’ professional contact information including, first name, last name, business title, email address, telephone number or other business contact information and records of communications with Provider.
4. Frequency of Transfer: Continuous / Ad Hoc.
5. Duration of Processing. Provider shall Process Customer Data for the duration necessary to fulfill the Purposes, including any extensions, renewals, or as required to complete post-termination obligations such as the return, deletion, or (if requested by Customer) archiving of Customer Data.
INTERNATIONAL DATA TRANSFER
1. Transfers of EEA, UK, and Swiss Data. In the event that the Territory, as designated in the applicable Agreement, includes the EEA, UK, and/or Switzerland, the Parties acknowledge that Personal Data made available by one party to the other in connection with an Agreement that originates in the EEA, UK, or Switzerland and is subject to GDPR, UK GDPR, or the FADP, as applicable, may be Transferred to the United States or another jurisdiction which is not subject to an adequacy determination by the applicable data protection authority and, accordingly, agree that the SCCs, UK Addendum, or Swiss SCCs, as applicable, are hereby incorporated by reference and form an integral part of the Agreement and this DPA as set forth in Schedule C.
2. Transfers of Non-European Data. In the event that the Territory, as designated in the applicable Agreement, includes a jurisdiction other than the U.S., EEA, UK, or Switzerland, the Parties agree to cooperate to implement the applicable International Data Transfer Mechanism to Transfer Personal Data originating in the applicable jurisdiction to the United States or another jurisdiction which is not subject to an adequacy determination by the applicable data protection authority.
3. If the International Data Transfer Mechanism on which the Parties rely is invalidated or superseded, the Parties will work together in good faith to find an alternative. If the Parties are unable to find an alternative within 60 days, or another period as agreed in writing, the applicable Agreement may be terminated pursuant to its terms.
MUTUAL OBLIGATIONS
1. Security and Confidentiality. Each Party will have in place reasonable technical and organizational measures to protect Customer Data and Services Data against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access. Such measures shall meet or exceed a level of security reasonable to the risk represented by the processing and the nature of the data to be protected. Each Party shall ensure that all persons authorized to process Customer Data or Services Data on their respective behalf have committed themselves to protect the privacy, confidentiality, and security of such using all reasonable measures as required by this DPA and applicable Data Protection Laws.
2. Incident Response. Each Party will maintain a reasonable incident response program to respond to Security Incidents. Upon becoming aware of a confirmed Security Incident, unless prohibited by applicable law, Provider will notify Customer without undue delay (but no later than two (2) business days). A delay in giving such notice requested by law enforcement and/or in light of Provider’s legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay. Provider will take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
3. Each Party will promptly inform the other of any security incident related to Customer Data or Service Data that requires notice to Covered Individuals.
4. Accountability. Each Party shall maintain records of their Processing activities as required by applicable Data Protection Laws.
PROVIDER OBLIGATIONS
1. ELB Learning shall and shall instruct its Sub-processors to:
  1. Process Customer Data pursuant to Customer Instructions;
  2. refrain from Processing Customer Data for purposes other than performing and supporting the Services outlined in the applicable Agreement;
  3. not attempt to, or actually, re-identify any previously aggregated, deidentified, or anonymized data provided by or on behalf of Customer and will contractually prohibit downstream data recipients from attempting to or actually re-identifying such data. For the avoidance of doubt, Provider may aggregate, deidentify, or anonymize Customer Data so it no longer meets the Personal Data definition and Provider will not be restricted from storing, disclosing, or otherwise using any such aggregated, deidentified, or anonymized data;
  4. promptly comply with Customer’s reasonable requests or instructions requiring ELB Learning to provide, amend, transfer, or delete Customer Data as required pursuant to the applicable Data Protection Law(s);
  5. ensure that each of its employees, consultants, and agents are made aware of its obligations under this DPA with regard to the security and protection of Customer Data and require that they enter into binding obligations to respect and maintain the confidentiality and security of Customer Data to the levels of security and protection provided for in this DPA;
  6. not keep Customer Data longer than is necessary for the Purposes and will, at the choice of Customer, delete, return, or irreversibly anonymize all Customer Data once the Purposes have been fulfilled (save to the extent Provider is a lawfully permitted or obligated to retain Customer Data);
  7. implement and maintain the Technical and Organizational Measures set forth in Schedule B to secure Customer Data. Customer hereby confirms that the Technical and Organizational Measures are suitable and appropriate for its purposes; and
  8. with regard Customer Data governed by the CCPA and related to Covered Individuals who are residents of California (“CCPA Customer Data”), the following additional Processing obligations shall apply. All terms capitalized but undefined in the below shall have the meaning ascribed to them in the CCPA.
    1. Provider shall not Sell or Share such CCPA Customer Data.
    2. except as expressly permitted by the CCPA, Provider shall not retain, use, or disclose CCPA Customer Data for any Commercial Purpose other than the Business Purpose(s) specified in the applicable Agreement and this DPA or outside the of the direct business relationship between Provider and Customer.
    3. except as expressly permitted by the CCPA, Provider shall not combine CCPA Customer Data with (a) personal information that Provider receives from, or on behalf of, another person or persons; or (b) personal information collected from Provider’s own interaction with a Covered Individual.

CUSTOMER OBLIGATIONS
1. Customer shall and shall instruct Covered Individuals to:
  1. ensure that Customer Data provided or made available to Provider: (i) has been collected in compliance with all applicable Data Protection Laws and Customer’s published privacy notice; (ii) is not and does not disclose any Customer Data originating outside of the Territory set forth in the applicable Agreement; and (iii) is not and does not disclose any Prohibited Data; and
  2. ensure that Covered Individuals are provided a clear, concise, and easily accessible privacy policy accessible from a prominent link on each page of Customer’s websites that fully and accurately reflects, supports, and is consistent with the collection, transfer, storage, and use of Customer Data by Customer and by Provider, including, without limitation, the collection, transfer, storage, and use of Customer Personal Data by Provider’s third-party Artificial Intelligence technology provider in support of Provider’s provision of the Services.

SUB-PROCESSING
1. Customer agrees that Provider may engage Sub-Processors to Process Customer Data and expressly authorizes the appointment of those Sub-processors identified on the ELB Learning Sub-processor List maintained here. Provider will enter into agreements with each Sub-processor imposing data protection obligations that reflect those laid out in this DPA. Provider shall remain fully liable vis-à-vis Customer for the performance of any such Sub-processor that fails to fulfill its obligations under this DPA.
2. Updates. Provider may update the ELB Learning Sub-processor List to reflect any new or replaced Sub-processors, provided that Customer has been provided at least thirty (30) days prior notice and Customer has not objected to the applicable update as set forth below.
3. Right to Object. Should Customer have reasonable data protection concerns regarding a newly listed Sub-processor, it may object in writing and the parties will try to resolve the matter in good faith. However, if a resolution cannot be reached, Provider will have the option to continue to provide the Services without the disputed Sub-processor or terminate the portion of the Services effected by Processing of Customer Data by the disputed Sub-processor.
CONSUMER RIGHTS & IMPACT ASSESSMENT ASSISTANCE
1. Covered Individual Rights Requests. Provider shall assist Customer in addressing consumer rights requests of Covered Individuals regarding Customer Data; provided and to the extent that Customer is unable to adequately address the request and such assistance is technically feasible and within Provider’s control. Such assistance may be subject to additional fees if it requires efforts beyond routine service provision.
2. Impact Assessments and Consultations. Provider agrees to assist Customer with conducting any necessary data protection impact assessments and any subsequent consultations with supervisory authorities, as mandated by applicable Data Protection Laws, but only to the extent that such laws explicitly require Provider to provide assistance in this regard. This assistance will be provided considering the nature of Processing and the information available to Provider. It is understood that such assistance by will be subject to the allocation of reasonable costs, where applicable, especially in instances where providing assistance goes beyond the scope of services initially agreed upon between Provider and Customer or necessitates substantial time, resources, or expertise on part of Provider. Customer acknowledges that the responsibility to initiate communication regarding the need for such impact assessments or consultations rests with Customer, and Provider’s obligations under this provision are contingent upon receiving a timely and detailed request from.
3. Reviews and Audits of Compliance. Customer may conduct an audit of Provider’s compliance with the terms of this DPA, provided that such a review is expressly permitted or required under applicable Data Protection Laws granting Customer the right or obligation to perform such audits/assessments. This right to audit is limited to once per calendar year unless additional audits are mandated by a data protection authority or are necessitated following a data breach. All audits shall be subject to providing reasonable notice to Provider, shall be conducted during normal business hours, and shall be organized so as to minimize disruption to Provider’s operations. Customer is responsible for all costs associated with the audit, unless the audit discloses material non-compliance by Provider with the obligations under this DPA, in which case Provider shall bear the reasonable costs of the audit.
TERMINATION
1. This DPA may be terminated, with immediate effect, on the agreement of the Parties.
2. The termination of this DPA does not exempt either Party from its obligations under this DPA as regard to the Processing of the Personal Data.
GENERAL
1. To the extent required to comply with Data Protection Laws, or the requirements of a competent supervisory authority, (a) ELB Learning may update this DPA at this URL from time to time by posting an updated DPA on this URL, and Customer’s continued use of the Services constitutes Customer’s acceptance of the updated DPA, or (b) ELB Learning may require Customer to execute a new data processing addendum or comparable terms to this DPA with ELB Learning.
2. Failure or neglect by a Party to enforce at any time any of the provisions hereof shall not be construed nor shall be deemed to be a waiver of that Party’s rights hereunder nor in any way affect the validity of the whole or any part of this DPA nor prejudice that Party’s rights to take subsequent action.
3. This DPA and the Agreement supersede and replace any arrangements, representations (excluding fraudulent representations) understandings, promises or agreements made or existing between the Parties prior to the signing of this DPA, and this DPA constitutes the entire understanding between the Parties hereto regarding the subject matter hereof.
4. In the event that any or any part of the terms, conditions or provisions contained in this DPA, or any Schedule or Exhibit attached or adopted as relative hereto shall be determined by any competent authority to be invalid, unlawful or unenforceable to any extent such term, condition or provision shall to that extent be severed from the remaining terms and conditions which shall continue to be valid and enforceable to the fullest extent permitted by law.
5. This DPA shall inure to the benefit of and be binding upon the Parties and their respective successors and assigns.
6. The headings preceding the text of the clauses of this DPA are for purposes of reference only and will not limit or otherwise affect the meaning hereof.
7. This DPA may be executed in any number of counterparts, each of which, when executed, shall be an original and all of which together shall constitute one and the same agreement. The Parties each further consent to and acknowledge that a copy of the executed version of this DPA which is retained in electronic form shall constitute an original of this DPA, and that such original shall be relied on by the Parties for subsequent reference and as evidence of this DPA.
8. This DPA and any dispute or claim arising out of it or in connection with its subject matter or formation shall be governed by and construed in accordance with the Agreement.

This DPA has been signed and entered into by duly authorized representatives of the Parties to be effective as of the effective date of the applicable Agreement (the “DPA Effective Date”).

SCHEDULE A - PERSONAL DATA DETAILS FOR SUBSCRIPTION SERVICES & LICENSED PRODUCTS

Core Personal Data Details Across Subscription Services:
1. Covered Individual contact and/or registration information (including, first name, last name, email address, and telephone number);
2. online identifiers (including, cookie identifiers, internet protocol addresses, operating system type and devise identifiers);
3. usage data (including login times, functions used, and duration of use);
4. administrator/creator log-in (including username or other unique ID and password) and
5. records of communications with Provider and/or between Covered Individuals (including messages to support teams, provision of feedback, and responses to surveys).

Service-Unique Personal Data Details:
1. CenarioVR®, CourseMill®, Rehearsal, RockStar Learning Platform, MicroBuilder™, and The Training Arcade®:
  1. additional log-in data (including username or other unique ID and password) of learners.
2. CenarioVR®:
  1. usage data also includes learner interactions within the scenario.
3. CourseMill®, Rehearsal, RockStar Learning Platform, MicroBuilder™, and The Training Arcade®:
  1. usage data also includes learner performance data.
4. Rehearsal:
  1. audio/visual data (video and audio of participants performance).
5. The Training Arcade®:
  1. Additional learner registration information as designated by Customers via creation of custom registration fields, subject to the requirements and restrictions set forth in the Agreement.

Personal Data Details – Licensed Products:
1. Covered Individual contact and/or registration information (including, first name, last name, email address, and telephone number); and
2. log-in data (including username or other unique ID and password.

SCHEDULE B - TECHNICAL AND ORGANIZATIONAL MEASURES

This Schedule describes the technical and organizational measures of the provider (“ELB Learning”, or “organization”) at the time of the conclusion of the contract (“Agreement”). If the provider makes material changes during the contract period, the customer will be informed about them.

The scope of the referenced documents extends over ELB Learning’s policies and controls as they apply to the services being offered through the Services. In addition, the documents also apply to the portions of Customer environments that are contractually in the Provider’s operational responsibility.

Guidelines, standards, process descriptions and the documentation of the implementation of the procedures are internal documents of the Provider, which are generally not made available to Customers or third parties.

Procedures for regular monitoring, analysis, and evaluation
1. Data protection management

Data protection management	Requirement	Status	References
Data protection management system for the protection of Personal Data	Data protection officer	The organization has appointed a Security Manager who reports directly to executive management. The Security Manager’s role includes responsibility for data protection.	Information Security Policy
	Data protection policies	The organization maintains appropriate information security policies that include provisions for data protection. Employees are required to review the policies on an annual basis as part of the organization’s security program.	Information Security Policy Access Control Policy Data Retention and Disposal Policy Internal Privacy Policy Privacy Policy for Websites Risk Assessment Policy Server Security Policy Vulnerability and Penetration Testing Management Policy
	Continual improvement process for data protection and information security	The organization maintains an effective information security management system. Policies and controls are reviewed on a regular basis. This ensures the technical and organizational measures will be checked on a regular basis and improvements will be tracked and documented.	Information Security Policy
	Auditing of data protection measures	Control implementation status and effectiveness is reviewed during internal audits. Executive management reviews policies on a regular basis. Risk assessments are conducted on a regular basis.	Information Security Policy

b. Organizational controls

Organisation	Requirement	Status	References
General organizational measures	The organization maintains an effective Information Security Management System (ISMS).	The ISMS includes a set of policies and supporting controls.	Information Security Policy
	Security Manager	The organization has appointed a Security Manager who is responsible for overseeing the organization’s security program. The roles and responsibilities of the Security Manager are set forth in the Information Security Policy.	Information Security Policy
	Information security policy	The organization has a complete set of information security policies.	Information Security Policy
	Password policy	Control implementation status and effectiveness is reviewed during internal audits. Executive management reviews policies on a regular basis. Risk assessments are conducted on a regular basis.	Password Policy
	Internal control system	The organization has an appropriate set of security controls to support the security policy objectives.	Information Security Policy Supporting policies and all controls.
	Risk management	The organization’s security policies require an annual risk assessment and are supported by appropriate controls.	Information Security Policy Risk Assessment Policy
	Employee compliance and training	Employees are required to review and comply with all policies and are provided with annual security awareness training.	Information Security Policy

c. Incident-Response Management

Incident-Response Management	Requirement	Status	References
Handling of Security Incidents in with relation to Personal Data	Process for security incidents	The organization has an Incident Response Plan supported by appropriate security policies and controls. Issues related to personal data are included in the plan.	Information Security Policy Incident Management Policy Incident Response Plan GDPR Breach Notification Procedure
	Security incidents will be noticed and handled. The incidents will be documented and reported and if needed also reported according to Art. 33 GDPR.	Intrusion detection and proactive monitoring are in place. A security incident reporting procedure is in place.	Information Security Policy Network Security Policy Incident Management Policy Incident Response Plan GDPR Breach Notification Procedure

d. Data protection-friendly defaults

Data protection friendly defaults	Requirement	Status	References
Privacy and security by design.	Data protection is considered during design, development, and operation of systems and services.	Appropriate policies and procedures are in place to ensure that data protection is considered.	Information Security Policy Change Management Policy Privacy Impact Assessment Policy and Procedure Risk Assessment Policy

e. Order control

Order	Requirement	Status	References
Measures to ensure competence and compliance with customer and contractual requirements.	Criteria for choosing the contractor	The organization has policies in place that require assessing the competence and performance of contractors.	Vendor Management Policy
	Checks of potential contractors	The organization performs background checks on contractors commensurate with their role.	Vendor Management Policy
	Evaluation of IT security before order decision	The organization considers IT security prior to accepting a new contract.	Information Security Policy Risk Assessment Policy Customer Support and SLA Policy
	Clear contract design	The organization has a standard subscription agreement in place for the customer to review prior to accepting.	Customer Support and SLA Policy
	Contract execution prior to onboarding.	The organization verifies that the contract is signed by the customer and organization prior to customer onboarding.	Customer Support and SLA Policy

2. Confidentiality

a. Physical Access Control

Personal Access control	Requirement	Status	References
General regulation for access control	Regulation of access to data processing equipment	Physical security, including physical access control, is provided by the datacenter owner, Amazon Web Services. The organization regularly reviews the performance and compliance of all vendors.	Vendor Management Policy
Protection of rooms with data processing systems from unauthorized access	Fenced premises	Physical security, including physical access control, is provided by the datacenter owner, Amazon Web Services. The organization regularly reviews the performance and compliance of all vendors.	Vendor Management Policy
	Alarm system and video monitoring	Physical security, including physical access control, is provided by the datacenter owner, Amazon Web Services. The organization regularly reviews the performance and compliance of all vendors.	Vendor Management Policy
	Access control system	Physical security, including physical access control, is provided by the datacenter owner, Amazon Web Services. The organization regularly reviews the performance and compliance of all vendors.	Vendor Management Policy
	Key Policy	Physical security, including physical access control, is provided by the datacenter owner, Amazon Web Services. The organization regularly reviews the performance and compliance of all vendors.	Vendor Management Policy
	Additional policies	Physical security, including physical access control, is provided by the datacenter owner, Amazon Web Services. The organization regularly reviews the performance and compliance of all vendors.	Vendor Management Policy

b. IT System Access Control

IT System Access Control	Requirement	Status	References
Protection of computer systems against access for unauthorized persons	Access to systems only via access permissions	The organization has an access control policy in place that is supported by appropriate controls. Access to all production systems is restricted to authorized individuals.	Information Security Policy Access Control Policy Password Policy
	Authorizations only after approval	The organization’s policies requires that access be requested and approved prior to being granted.	Access Control Policy
	Restricted Authorization	The organization has an access control policy in place that is supported by appropriate controls. Access is restricted to authorized personnel only. Access is revoked when no longer required.	Access Control Policy
	Password procedures	The organization has a password policy that is supported by appropriate controls.	Password Policy
	Logging and control of unauthorized login attempts	Logging and monitoring are in place. While systems vary in terms of capabilities, in general unauthorized login attempts that exceed a threshold result in account lockouts. This functionality is verified during penetration tests.	Access Control Policy Password Policy Vulnerability and Penetration Testing Management
	Access to networks	The organization restricts access to all networks and information systems.	Information Security Policy Access Control Policy
	Access via mobile devices	The organization has a Personal Device (BYOD) Policy implemented where access via devices must meet organization security requirements be approved by the Security Manager.	Personal Devices (BOYD) Policy

c. Data Access Control

Data Access Control	Requirement	Status	References
Protection of data against access by unauthorized persons	Access to data only via access permissions.	The organization restricts access to data to authorized individuals with a legitimate business reason. Policies and controls are in place to approve and revoke access.	Access Control Policy
	Authorization and withdrawal	The organization restricts access to data to authorized individuals with a legitimate business reason. Policies and controls are in place to approve and revoke access.	Access Control Policy
	Control of granted authorization	The organization restricts access to data to authorized individuals with a legitimate business reason. Policies and controls are in place to approve and revoke access.	Access Control Policy
	Controlled destruction of data and printouts	The organization has a Data Retention and Disposal policy with appropriate supporting controls.	Data Retention and Disposal Policy

d. Separation Control

Separation Control	Requirement	Status	References
Separation of data items that are processed for different purposes	Client separation of the system	The Services are multi-tenant. The application applies logical access controls and business rules to separate data belonging to different customers.	Information Security Policy Change Management Policy
	Purpose limitation of the systems	The system is used only for the purpose of providing the service contracted by customers.	Information Security Policy
	Purpose limitation of the data	Data is used only for the purpose of providing the service contracted by customers.	Information Security Policy
	Separation of production and test data	Organization policy does not allow use of production data outside of the production environment.	Information Security Policy

e. Pseudonymization and Encryption

Encryption	Requirement	Status	References
Encryption of Personal Data	Protection assessment	Personal Data is encrypted in transport and at rest.	Information Security Policy Network Security Policy Key Management and Encryption Policy
	Definition and availability of encryption methods	The organization has a policy on the use of encryption and, in summary, only uses appropriate commercial encryption algorithms and protocols.	Key Management and Encryption Policy

Pseudonymization	Requirement	Status	References
Processing in a way that the data can no longer be assigned to a specific person without the need for additional information	Preferred pseudonymization of Personal Data	The Services only collect the minimal Personal Data required to provide the Service. It is not possible to anonymize or pseudonymize this data and still provide the data required by customers. However, customers have the option of providing an anonymous identifier instead.	Information Security Policy Privacy Impact Assessment Policy and Procedure

3. Integrity

a. Control of transfer

Control of transfer	Requirement	Status	References
Protection of data during storage or transmission against unauthorized copying, modification or deletion	Organizational specifications for the storage of data media	Data is not transferred on media. Data is encrypted in transit and at rest.	Information Security Policy Network Security Policy Key Management and Encryption Policy
	Protected rooms for data storage	Physical security, including physical access control, is provided by the datacenter owner, Amazon Web Services. The organization regularly reviews the performance and compliance of all vendors.	Vendor Management Policy
	Protective measures for data transmission over the Internet	Data is encrypted for transmission across public networks, including the Internet.	Information Security Policy Network Security Policy Key Management and Encryption Policy
	Physical data transport, e.g., tapes, only by specialist companies	Data is not transported on media. It remains within the Amazon Web Services datacenters.	Not applicable
	Encryption of data carriers	Data is not transported on media. It remains within the AWS datacenters.	Not applicable
	Passing on the data to third parties	Data is not provided to third parties.	Not applicable

b. Input control

Input	Requirement	Status	References
	Storage of system logs	Logs are collected on servers. A centralized log collection and analysis system is in place and applications are being updated to improve log collection and transport.	Server Security Policy

4. Availability and Resilience

a. Availability

Availability	Requirement	Status	References
Protection of data against accidental destruction or loss	Regular backups	Regular backups implemented by AWS Backup Plans	Information Security Policy Disaster Recovery Plan
	Mirroring hard disks, e.g., RAID procedure	Data is stored using redundant storage in multiple AWS availability zones.	Information Security Policy Disaster Recovery Plan
	Protective measures against fire and water	Physical security, including protection against fire, flood, and other environmental threats, is provided by the datacenter owner, Amazon Web Services. The organization regularly reviews the performance and compliance of all vendors.	Vendor Management Policy
	Uninterruptible power supply ("UPS")	Power, including UPS and generator, is provided by the datacenter owner, Amazon Web Services. The organization regularly reviews the performance and compliance of all vendors.	Vendor Management Policy
	Separated storage	Data store separation is provided by the cloud services provider, Amazon Web Services. The organization regularly reviews the performance and compliance of all vendors.	Vendor Management Policy
	Use of firewalls and anti-virus / anti-malware software and systems	Network-level controls, including AWS Security Groups, are used to block all network traffic that is not specifically required for the application to function. Based on the organization’s risk assessment, anti-virus/anti-malware software is not required on Linux servers. Anti-virus software and firewalls are used on all workstations.	Information Security Policy Network Security Policy Workstation Security Policy

5. Assistance by Processor and Sub-processor(s)

Transfers to (sub-)processors	Requirement	Status	References
Transfers to Processor	Technical and organizational measures to provide assistance to Controller	To assist controller in responding to requests to exercise rights granted to Data Subjects under Data Protection Laws, the organization will provide assistance as set forth in the DPA. The organization has created a policy document and internal procedures for responding to requests from Authorized Users regarding their data management requests which comply with Data Protection Laws, and maintains a detailed data subject rights request spreadsheet to track each step in the process of responding to data subject management requests. The organization regularly trains its relevant customer service personnel on communicating with the controller and Authorized Users on how to manage such requests in a timely fashion. To further assist controller in responding to enquiries and requests made by Data Subjects under Data Protection Laws applicable to the organization, or for Data Protection Laws applicable to processing by controller, the organization also makes available to the controller the privacy officer of the organization, Richard J. Lowenthal, via email address (rlowenthal@elblearning.com) and via mobile phone (+1 310-863-8107) To assist controller in ensuring compliance with data security and data processing obligations under Data Protection Laws applicable to controller, the organization has established the technical and organizational measures described above in Tables 1 – 4. To assist controller in demonstrating compliance with its obligations pertaining to processors under Data Protection Laws applicable to controller and exercising audit and inspection rights available to controller thereunder, the organization shall make available certain internal guidelines, standards, process descriptions, internal documentation and other information relating to the Processing of Personal Data on behalf of controller that is reasonably requested for such purposes, subject to the parties execution of appropriate non-disclosure agreements.	Privacy Policy Data Subject Rights Procedure and
Transfers from Processor to Sub-processor(s)	Technical and organizational measures to be taken by Sub-processor to provide assistance to Data Exporter	The organization shall only engage sub-processors in accordance with the terms and conditions set forth in the DPA, and shall not engage any sub-processor unless the proposed sub-processor has agreed to adhere to standards that are substantially the same and no less robust than those that apply to processer under the Agreement and the EEA Standard Contractual Clauses or any other International Data Transfer Mechanism (where applicable).	Privacy Policy

SCHEDULE C – EEA, UK, AND SWITZERLAND TRANSFERS

EUROPEAN ECONOMIC AREA (“EEA”)
1. In the event the Territory identified in the applicable Agreement includes the EEA, Customer Data originates in the EEA and such is subject to the GDPR, the Parties hereby incorporate SCCs by reference and such form an integral part of the applicable Agreement and this DPA in accordance with this Section as follows:
  1. Customer is the ‘data exporter’ and ELB Learning is the ‘data importer’ with regard to Customer Dat
  2. ELB Learning is the ‘data exporter’ and Customer is the ‘data importer’ with regard to Services Data;
  3. Module One (“Transfer controller to controller”) will apply to Services Data and Module Two (“Transfer controller to processor”) will apply to Customer Data. For each Module, where applicable:
    1. in Clause 7, the optional docking clause applies;
    2. in Clause 9, the Option 2 applies (general written authorization of sub-processors) and the specified time period to inform Customer of changes to sub-processors will be thirty (30);
    3. in Clause 11, the optional language does not apply;
    4. in Clause 17, Option 1 applies, and the SCCs are governed by Irish law;
    5. in Clause 18(b), disputes will be resolved before the courts of Ireland; and
    6. in Annex I.A and Annex I.B, the details of the parties and the transfer are set out in this DPA and more specifically in Description of Processing Activities section of this DPA.
  4. in Annex I.C, in the event Customer is established in an EU Member State, the competent supervisory authority shall be the supervisory authority with responsibility for ensuring compliance by Customer with Regulation (EU) 2016/679.
  5. in Annex I.C, In the event Customer is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016/679 and has appointed a representative pursuant to Article 27(1), the competent supervisory authority shall be the supervisory authority of the Member State in which the representative is established.
  6. in Annex I.C, in the event that Customer is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016/679 without however having to appoint a representative pursuant to Article 27(2), the Irish Data Protection Commissioner will act as competent supervisory authority.
  7. in Annex II, the description of the technical and organizational security measures is as set forth in Schedule B of this DPA.
  8. in Annex III, the list of ELB Learning’s current sub-processors is available on ELB Learning’s website at: https://www.elblearning.com/legal/data-subprocessors.
  9. by entering into this DPA, each Party is deemed to have signed the SCCs (including Annexes) as of the DPA Effective Date.
SWITZERLAND
1. In the event the Territory identified in the applicable Agreement includes Switzerland, Customer Data originates in Switzerland and such is subject to the FADP, the Parties hereby incorporate Swiss SCCs by reference and such form an integral part of the applicable Agreement and this DPA in accordance with this Section as follows:
  1. Clause 13 and Annex I(C): The competent authorities under Clause 13, and in Annex I(C) is the Swiss Federal Data Protection and Information Commissioner.
  2. Clause 17: The parties agree that the governing jurisdiction is Switzerland.
  3. Clause 18: The parties agree that the forum is Switzerland. The Parties agree to interpret the EEA Standard Contractual Clauses so that Data Subjects in Switzerland are able to sue for their rights in Switzerland in accordance with Clause 18(C).
  4. the Parties agree to interpret the EEA Standard Contractual Clauses, so that “Data Subjects” includes information about Swiss legal entities until the revised Federal Act on Data Protection becomes operative.
  5. in Annex III, the list of ELB Learning’s current sub-processors is available on ELB Learning’s website at: https://www.elblearning.com/legal/data-subprocessors.
  6. by entering into this DPA, each Party is deemed to have signed the Swiss SCCs (including Annexes) as of the DPA Effective Date.
UNITED KINGDOM
1. In the event the Territory identified in the applicable Agreement includes the UK, Customer Data originates in the UK and such is subject to the UK GDPR, the Parties hereby incorporate SCCs as amended by the UK Addendum by reference and such form an integral part of the applicable Agreement and this DPA in accordance with this Section as follows:
  1. in Table 1, the details of the parties are set out in the applicable Agreement.
  2. in Table 2, the selected modules and clauses are set out in Section 1.1(c) of this Schedule C.
  3. in Table 3, the List of Parties is set out in the applicable Agreement.
  4. In Table 3, the Description of Transfer is set out in this DPA and more specifically in Description of Processing Activities section of this DPA.
  5. in Table 3, the technical and organizational measures to ensure the security of data is set forth in Schedule B of this DPA.
  6. in Table 3, the list of ELB Learning’s sub-processors is available at https://www.elblearning.com/legal/data-subprocessors.
  7. in Table 4, the ‘neither party’ is elected. by entering into this DPA, each Party is deemed to have signed the SCCs as amended by the UK Addendum (including Tables) as of the DPA Effective Date.

INTRODUCTION

This DPA reflects the Parties’ agreement on the terms governing the Processing and security of Customer Data and Services Data in connection with an Agreement.

DEFINITIONS

This DPA reflects the Parties’ agreement on the terms governing the Processing and security of Customer Data and Services Data in connection with an Agreement.

1. “Controller” means the entity that determines the purposes and means of the processing of Personal Data. “Controller” includes equivalent terms in Data Protection Laws, such as the CCPA-defined terms “Business” or “Third Party,” as context requires.

2. LICENSE. This Section 2 applies to Customer’s purchase of any Licensed Products. Subject to the terms and conditions set forth in the Agreement, including payment of the fees set forth in the applicable Ordering Document, Provider hereby grants, and Customer hereby accepts, a non-exclusive, non-sublicensable, non-transferable, revocable, limited, license to install and use the Licensed Product in machine-readable object code form only, solely for the Purpose, in accordance with the Documentation, in the Territory during the Term. Use of the Licensed Products is restricted and subject to the number of Authorized Users, devices, specifications, and other parameters, if any, set forth in the applicable Ordering Document.

3. RESERVED RIGHTS. Provider retains all rights not expressly granted to Customer hereunder. Except for the limited rights expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Customer or any third party any intellectual property rights or other right, title, or interest in or to any of the Solutions. Provider reserves the right to make changes to the Solutions and Documentation to maintain or enhance the quality, delivery, competitive strength, marketability, cost efficiency, or performance of Provider’s products or services, or to comply with applicable law.

4. RESTRICTIONS AND REQUIREMENTS.

a.

Customer will not and will not allow any third party to: (a) except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties: (i) and except to the extent expressly permitted under this Agreement, attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Solutions or Documentation in any form or media or by any means; or (ii) attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Solutions; (b) access all or any part of the Solutions or Documentation if Customer or such third party is a competitor of Provider, or for purposes of monitoring the availability, performance, or functionality of the Solution, or for any other benchmarking or competitive purposes; (c) except to the extent expressly permitted under this Agreement, use the Solutions or Documentation to provide services to any third party; (d) except to the extent expressly permitted under this Agreement, license, sell, rent, lease, transfer, assign, distribute, display, host, outsource, disclose, permit timesharing or service bureau use, or otherwise commercially exploit the Solutions or Documentation; (e) attempt to gain unauthorized access to any Solutions, to any non-public account or authentication credentials of, or accounts registered to, others, or to any computers, servers or networks connected to the Solutions by any means other than the user interface provided by Provider, including by circumventing or modifying, attempting to circumvent or modify, or encouraging or assisting any other person to circumvent or modify, any security, technology, device, or software that is part of Solutions; (f) remove, delete, alter, or obscure any trademarks, specifications, documentation, warranties, or disclaimers, or any copyright, trademark, or other intellectual property or proprietary rights notices from the Solutions or Documentation; (g) use the Solutions to support email messages or other communications that are unsolicited, deceptive, anonymous, excessively voluminous or that contain falsified identifying information, including spamming and phishing; (h) use the name of Provider or any licensor of Provider or any of their respective products or services or any abbreviations of such names or any trademark, trade name, service mark, logo, or other identifying information of Provider or its licensors in the originating or return email address line, header, subject line, or body of any email transmission or any other communication, on a website, in marketing, or other materials, unless approved by Provider and its licensor(s) in writing (any such approval will not relieve Customer of any of its representations, warranties, undertakings and/or indemnities under the Agreement); or (h) use the Solutions in violation of any applicable law, rule, or regulation. All uses in the Agreement of the terms “purchase,” “sell,” “sale,” “price,” and the like mean the purchase or sale of a subscription or license by Customer.

b.

Customer will have sole responsibility for all content and other materials, including text, images, videos, and audio, input into the Subscription Services or otherwise provided to Provider by or on behalf of Customer (“Customer Content”) and data and other information, including personal data, input into the Subscription Services or otherwise provided to Provider by or on behalf of Subscriber or Authorized Users (“Customer Data”), including the legality, consent for processing, reliability, integrity, accuracy, and quality of Customer Content and Customer Data. Customer acknowledges that Customer: (a) controls the type and substance of Customer Content and Customer Data; and (b) sets permissions to access Customer Content and Customer Data; and therefore, Customer is responsible for reviewing and evaluating whether the documented functionality of the Solutions meets Customer’s security requirements and obligations relating to Customer Content and Customer Data under applicable laws. Customer will secure and maintain all rights in Customer Content and Customer Data necessary for Provider to provide the Solutions to Customer without violating the rights of any Authorized User or other third party or otherwise obligating Provider to any Authorized User or any third party. Provider may access and use the Customer Content and Customer Data solely to provide the Solutions and as otherwise agreed by the parties.

c.

If Customer provides any Customer Data to Provider or Provider collects or otherwise uses any Customer Data via the Solutions, Customer will ensure that such collection and use complies with all applicable laws and Customer’s privacy policy that will be made available and agreed to by the Authorized Users.

d.

Customer will not use the Solutions to collect or otherwise use any “Prohibited Data” which means any: (1) special categories of data enumerated in European Union Regulation 2016/679, Article 9(1), any successor legislation, and any applicable United Kingdom laws including the U.K. GDPR; (2) patient, medical, or other protected health information regulated by the Health Insurance Portability and Accountability Act (as amended and supplemented) (HIPAA); (3) credit, debit, or other payment card data or financial account information, including bank account numbers; (4) credentials granting access to an online account (e.g. username plus password); (5) social security numbers, driver’s license numbers, or other government identification numbers; (6) other information subject to regulation or protection under specific laws such as the Children’s Online Privacy Protection Act or Gramm-Leach-Bliley Act (or related rules or regulations); or (7) any data similar to the above protected under foreign or domestic laws; and will not use the Subscription Services in connection with any activities where its use or failure could lead to death, personal injury, or environmental damage, such as in life support systems, emergency services, nuclear facilities, autonomous vehicles, or air traffic control (collectively, “High Risk Activities”). Customer acknowledges that the Solutions are not intended to meet any legal obligations for these uses, including HIPAA requirements, and that Provider is not a Business Associate as defined under HIPAA. Therefore, notwithstanding anything else in this Agreement, Provider has no liability for Prohibited Data processed, or High-Risk Activity-related use, in connection with the Solutions.

e.

Customer will comply with Provider’s acceptable use and related guidelines for the Solutions. Without limiting the generality of the foregoing, Customer will not access, store, distribute, upload, or transmit to or from the Solutions nor include in the Customer Content or Customer Data anything (including any software, code, file, program or other material) which may: (1) prevent, impair, or otherwise adversely affect the operation of the Solutions or any computer software, hardware, or network, any telecommunications service, equipment, or network, or any other service or device, or user experience; (2) prevent, impair, or otherwise adversely affect access to or the operation of any program or data, including the reliability of any program or data (whether by re-arranging, altering, or erasing the program or data in whole or part or otherwise); (3) contain any viruses, malware, worms, spyware, or other components or instructions that are malicious, deceptive, or designed to limit or harm the functionality of the Solutions or any other service or device or use experience; (4) promote harassment, bigotry, racism, hatred or harm against any group or individual or promotes discrimination based on race, gender, religion, nationality, disability, sexual orientation, or age; (5) be inappropriate, offensive indecent, obscene, pornographic, hateful, tortious, untruthful, inaccurate, defamatory, slanderous, or libelous; (6) promote any political agenda; (7) facilitate or promote violence or illegal activity; or (8) cause damage or injury to any person or property. Provider reserves the right, without liability or prejudice to its other rights to Customer, to remove or disable access to any material that breaches this Agreement; provided, however, Provider will have no obligation to screen, verify, censor, or disable access to such material.

f.

Customer will comply with Provider’s technical requirements for the Solutions. Customer is responsible for controlling access to and use of the Solutions in accordance with this Agreement. Customer is responsible for maintaining the confidentiality of any non-public account or authentication credentials associated with Customer’s use of the Solutions. Customer will promptly notify Provider about any possible misuse of Customer’s account or authentication credentials, or any security incident related to the Solutions. Customer will ensure that Authorized Users comply with this Agreement. Customer will ensure that its network and systems comply with the relevant specifications provided by Provider from time to time; and be solely responsible for procuring and maintaining its network connections and telecommunications links from its systems to Provider’s data centers, and all problems, conditions, delays, delivery failures, and all other loss or damage arising from or relating to Customer's network connections or telecommunications links or caused by the internet.

g.

Customer acknowledges and agrees that Provider may access via the Solutions and/or obtain from Customer, information, assets, and services, including Customer Data and security access information, to facilitate Provider’s performance of its obligations, respond to support requests, detect, prevent, or otherwise address fraud, security, legal, or technical issues, verify Customer’s performance of its payment and other obligations hereunder, and enforce the terms and conditions of this Agreement. Customer further acknowledges and agrees that Provider may use Customer Data to provide notifications to Authorized Users regarding usage, including comparisons of usage between Authorized Users.

5. SUPPORT SERVICES. During the Term, Provider will support the Solutions in accordance with the applicable standard support policy for the Solutions then in effect, if any, unless otherwise set forth in the applicable Supplemental Terms and Conditions or Ordering Document.

6. PROFESSIONAL SERVICES. This Section 6 applies to Customer’s purchase of any Professional Services. Provider may offer and Customer may purchase Professional Services through an Ordering Document. For Professional Services engagements, Customer will, at its expense, provide Provider with secure remote access to its systems and network to the extent required to perform the Professional Services, which access must meet market-prevailing security standards applicable to the information and data accessed and any other security Provider may reasonably request. Throughout all Professional Services engagements, Customer will assign adequate personnel and resources and reasonably cooperate with Provider for completion of Professional Services as scheduled, including (i) assigning a project contact authorized to provide required decisions and approvals, (ii) providing timely, complete, and accurate responses to information requested by Provider. Provider will not be responsible for any incremental costs or damages resulting from a Professional Services performance delay caused by Customer’s failure to perform or timely perform any of its obligations. Customer will be charged at Provider’s then-current daily rates for any additional time needed by Provider to complete the Professional Services due to such delays. Unless expressly provided otherwise in an Ordering Document, any project extensions will be charged at Provider’s then-current daily rates.

7. PRIVACY AND SECURITY PROGRAM OVERVIEW. During the Term, Provider will comply with Provider’s applicable privacy policy for the Solution as set forth in the Supplemental Terms and Conditions. During the Term, Provider will comply with the Provider’s security program overview, which is available at www.elblearning.com/security-program-overview, for the Solutions. Provider agrees to use industry standard data security protocols, and other methods reasonably deemed to be adequate for securing business data, to maintain the administrative, physical, technical security, confidentiality, and integrity of Customer’s Data. Those safeguards will include measures for preventing unauthorized access, use, modification, or disclosure of Customer’s Data by Provider’s personnel, except (a) to provide the Solutions to Customer and prevent or address service or technical problems, (b) as compelled by law, or (c) as Customer or Authorized Users authorize through explicit written authorization, acceptance of terms, or configuration of application parameters or Solution settings. Notwithstanding the previous sentence, Customer agrees that during the course of providing the Solutions, Provider may collect and use technical and related information, including technical information about Customer’s computer system and application software, to facilitate the provision of updates to the Solutions, and support to Customer, and to verify compliance with the terms of this Agreement. Additionally, Provider may use any of this information, and in the event of system or Solution error, may share it with other persons, as long as it is in a form that does not personally identify Customer, to improve the Solutions.

8. FEES.

a.

Fees are specified in the applicable Ordering Document. Unless otherwise set forth in the Ordering Document, payment terms are net thirty (30) days from the date of invoice. All amounts payable to Provider under this Agreement will be paid by Customer to Provider in full without any setoff, recoupment, counterclaim, deduction, debit, or withholding for any reason. If Customer fails to make any payment when due, then in addition to all other remedies that may be available: (i) Provider may charge interest on the past due amount at the rate of 1.5% per month calculated daily and compounded monthly or, if lower, the highest rate permitted under applicable law; (ii) Customer will reimburse Provider for all reasonable costs incurred by Provider in collecting any late payments or interest, including attorneys’ fees, court costs and collection agency fees; and (iii) Provider may suspend Customer’s access to the Solutions until all past due amounts and interest thereon have been paid, without incurring any obligation or liability to Customer by reason of such suspension.

b.

All fees are exclusive of any applicable taxes, levies, duties, or other similar exactions imposed by a legal, governmental, or regulatory authority in any applicable jurisdiction, including, without limitation, sales, use, value-added, consumption, communications, or withholding taxes (collectively, “Taxes”). Customer will pay all Taxes associated with this Agreement, excluding any taxes based on Provider’s net income, property, or employees. If Customer is required by applicable law to withhold any Taxes from payments owed to Provider, Customer will reduce or eliminate such withheld Taxes upon receipt of the appropriate tax certificate or document provided by Provider. Customer will provide Provider with proof of payment of any withheld Taxes to the appropriate authority. Taxes will be shown as a separate line item on an invoice.

9. TERM AND TERMINATION.

a.

This Agreement is effective as of the effective date of the initial Ordering Document and will continue until the expiration of the last Term, unless earlier terminated.

b.

If this Agreement terminates as a result of there being no active Ordering Document, this Agreement will automatically become effective again in the event that a new Ordering Document is entered into by and between the parties.

c.

Without prejudice to any other rights or remedies to which Provider may be entitled, Provider may at any time terminate this Agreement, any Ordering Document, and Customer’s access to any and all Solutions if Customer breaches any provision of this Agreement, if Provider is required to do so by law, or if Provider elects to discontinue the Solutions, in whole or in part, because it becomes impractical for Provider to continue offering the Solutions due to a change of law.

d.

Customer may terminate this Agreement, effective on written notice to Provider, if Provider materially breaches this Agreement, and such breach remains uncured thirty (30) days after Customer provides Provider with written notice of such breach.

e.

Upon any expiration or termination of this Agreement, except as expressly otherwise provided in this Agreement, (i) all rights, licenses, consents, and authorizations granted by Provider to Customer hereunder will immediately terminate; (ii) Customer will immediately cease all use of the Solutions and Documentation; (iii); and (iii) no portion of any prior payments will be repayable to Customer, and any and all payments due or to become due will be immediately due and payable. By the very nature of the Solutions and the way Customer uploads Customer Content to the Solutions and accesses Customer Data from the Solutions, Customer Content and Customer Data will not be retrievable from the Solutions following expiration of terminations of Term. Provider will either delete or irreversibly anonymize the Customer Content and Customer Data residing on its servers.

f.

Provisions that survive termination or expiration of this Agreement are those relating to confidentiality, limitation of liability, indemnification, payment, and others which by their nature are intended to survive. Without limiting the generality of foregoing, Sections 8 through 19 will survive expiration or termination of this Agreement.

10. PROPRIETARY RIGHTS.

a.

Provider acknowledges and agrees that, as between Provider and Customer, Customer owns all intellectual property rights in Customer Content and Customer Data. Customer acknowledges and agrees that, as between Provider and Customer, Provider owns all intellectual property rights in the Solutions and Documentation. Except as expressly stated in the Agreement, Provider does not grant Customer any rights to, or in, patents, copyrights, database right, trade secrets, trade names, trademarks (whether registered or unregistered), or any other rights or licenses in respect of the Solutions or Documentation. Any and all updates, enhancements, modifications, corrections, and derivative works that are made to the Solutions and Documentation will be owned by Provider.

b.

Provider may compile aggregate data, anonymous data, and other statistical information related to Customer’s use of the Solutions and may make such information publicly available, provided that such information does not incorporate Customer’s Confidential Information, Customer Content, or Customer Data that contains any personally identifiable information. Without limiting the generality of the foregoing, Provider may use in its marketing and advertising, non-Customer specific Service activity, including the total number of users, average time spent per user, success metrics, activities used by users and other performance-based statistics to attract new customers.

c.

Provider owns all intellectual property rights in such aggregate data, anonymous data, and other statistical information.

d.

Provider may use tools, scripts, software, and utilities (collectively, “Tools”) to monitor and administer the Solutions and to help resolve service requests. The Tools will not collect, report, or store any Customer Data residing in the service production environment, except as necessary to monitor and administer the Solutions and to help resolve service requests. Data collected by the Tools (excluding production data) may also be used to analyze certain information about the actual use of the Solution by the Customer (such as pages viewed, links clicked, help functions used, and other workflow information); such data shall not be considered Confidential Information of Customer hereunder, and may be used by the Provider for assisting in managing Provider' product and service portfolio, error resolution, product analytics and improvement, and for license administration and management. Provider and its licensors own all intellectual property rights in such Tools; and Provider owns all intellectual property rights in such resulting data.

e.

Customer acknowledges and agrees that Provider owns all rights to any feedback provided to Provider, including any survey responses, bug reports, enhancement requests, issue reports, and support information; and Provider will be free to use such feedback for any purpose.

11. CONFIDENTIALITY. Each party will maintain as confidential and will not disclose (except to its employees, accountants, attorneys, advisors, affiliates, consultants, outsourcers and third party service providers of recipient with a need to know in connection with recipient’s performance under this Agreement, and who have been advised of the obligation of confidentiality hereunder), copy or use for purposes other than the performance of this Agreement, any information which relates to the other party’s business affairs, trade secrets, technology, research, development, pricing or terms of this Agreement (“Confidential Information”) and each party agrees to protect all received Confidential Information with the same degree of care that it would use with its own Confidential Information and to prevent unauthorized, negligent or inadvertent use, disclosure or publication thereof. Breach of this Section 11 may cause irreparable harm and damage. Thus, in addition to all other remedies available at law or in equity, the disclosing party will have the right to seek equitable and injunctive relief, and to recover the amount of damages (including reasonable attorneys’ fees and expenses) incurred in connection with such unauthorized use. The recipient will be liable to the disclosing party for any use or disclosure in violation of this Section 11 by recipient or its affiliates, employees, third party service providers or any other related party. Confidential Information will not include information that (i) is already known prior to the disclosure by the owning party; (ii) is or becomes publicly known through no breach of this Agreement; (iii) is independently developed without the use of the other party’s Confidential Information and evidence exists to substantiate such independent development; (iv) information that is obtained from a third party, and that third party is not, in good faith belief of the recipient, under any legal obligation of confidentiality; or (v) the recipient receives written permission from the disclosing party for the right to disclose any Confidential Information.

12. PUBLICITY. Neither party will, except as otherwise required by applicable law, issue or release any announcement, statement, press release, or other publicity or marketing materials relating to this Agreement or otherwise use the other party’s name or trademarks without the prior written consent of the other party; provided, however, that Provider may identify Customer as a recipient of Solutions and use Customer’s logo in websites, sales presentations, marketing materials, and press releases; (ii) to develop a brief customer profile for use by Provider on Provider’s websites for promotional purposes; and (iii) use the email addresses of Authorized Users for the purpose of communicating program enhancements and information about Provider’s other products and services during the term of the Agreement.

13. REPRESENTATIONS AND WARRANTIES.

a.

Each party represents and warrants to the other party that: (i) it is duly organized, validly existing and in good standing as a corporation or other entity under the laws of the jurisdiction of its incorporation or other organization; (ii) it has the full right, power and authority to enter into and perform its obligations and grant the rights, licenses, consents and authorizations it grants or is required to grant under this Agreement; (iii) the execution of this Agreement by its representative whose signature is set forth at the end of this Agreement has been duly authorized by all necessary corporate or organizational action of such party; and (iv) when executed and delivered by both parties, this Agreement will constitute the legal, valid and binding obligation of such party, enforceable against such party in accordance with its terms.

b.

Provider warrants that: (a) the Subscription Services will perform in material conformity with the functions described in the applicable Documentation during the applicable Term of the applicable Subscription Services; and (b) the Licensed Products will perform in material conformity with the functions described in the applicable Documentation for thirty (30) days after delivery. Provider will use commercially reasonable efforts to remedy any material non-conformity of the Subscription Services or the Licensed Products that is discovered and made known to Provider by Customer during the applicable warranty period. If Provider is unable to remedy such material non-conformity within thirty (30) days or such other commercially reasonable period agreed between the parties, and the non-conformity materially and adversely affects the functionality of the Subscription Services or the Licensed Products, Customer may terminate the applicable Term of the Subscription Services or the Licensed Products and receive a refund of the unused portion of any fees that Customer has previously prepaid to Provider for the terminated Subscription Services or the Licensed Products. This Section 13(b) contains Customer’s sole and exclusive remedy, and Provider’s entire liability, for any breach of Provider’s warranties.

14. DISCLAIMER. EXCEPT AS EXPRESSLY SET FORTH IN SECTION 13, PROVIDER MAKES NO, AND HEREBY DISCLAIMS ALL, WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WARRANTIES OF TITLE, NONINFRINGEMENT, MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE, AND WARRANTIES ARISING FROM COURSE OF DEALING, COURSE OF PERFORMANCE, USAGE OR TRADE PRACTICE. WITHOUT LIMITING THE FOREGOING, PROVIDER MAKES NO WARRANTY OF ANY KIND THAT THE SOLUTIONS OR DOCUMENTATION, OR ANY RESULTS OF THE USE THEREOF, WILL MEET CUSTOMER’S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY OTHER PRODUCTS OR SERVICES, OR BE ACCURATE, COMPLETE OR ERROR FREE. PROVIDER WILL NOT BE RESPONSIBLE FOR ANY DELAYS, DELIVERY FAILURES, OR ANY OTHER LOSS OR DAMAGE RESULTING FROM THE TRANSFER OF DATA OVER COMMUNICATIONS NETWORKS AND FACILITIES, INCLUDING THE INTERNET, AND CUSTOMER ACKNOWLEDGES THAT THE SOLUTIONS MAY BE SUBJECT TO LIMITATIONS, DELAYS AND OTHER PROBLEMS INHERENT IN THE USE OF SUCH COMMUNICATIONS FACILITIES. PROVIDER WILL NOT BE RESPONSIBLE FOR ANY LOSS, DESTRUCTION, ALTERATION, OR DISCLOSURE OF CUSTOMER CONTENT OR CUSTOMER DATA CAUSED BY ANY THIRD PARTY, TO THE MAXIMUM EXTENT PERMITTED BY LAW. ALL THIRD-PARTY PRODUCTS AND SERVICES THAT ARE SEPARATELY LICENSED BY A THIRD PARTY ARE PROVIDED "AS IS" AND ANY REPRESENTATION OR WARRANTY OF OR CONCERNING ANY THIRD-PARTY PRODUCTS OR SERVICES IS STRICTLY BETWEEN CUSTOMER AND THE THIRD-PARTY OWNER OR DISTRIBUTOR OF THE THIRD-PARTY MATERIALS. TRANSLATIONS OF THE SOLUTIONS OR DOCUMENTATION INTO LANGUAGES OTHER THAN ENGLISH ARE INTENDED SOLELY AS A CONVENIENCE. SOME SOLUTIONS OR DOCUMENTATION MAY NOT WORK AS EXPECTED WHEN TRANSLATED DUE TO LANGUAGE RESTRICTIONS. NO LIABILITY IS ASSUMED BY PROVIDER FOR ANY ERRORS, OMISSIONS, OR AMBIGUITIES IN TRANSLATIONS. THE SOLUTIONS ARE NOT DESIGNED OR INTENDED FOR USE IN MEDICAL, NUCLEAR, AVIATION, NAVIGATION, MILITARY OR OTHER HIGH-RISK ACTIVITIES WHERE FAILURE OF THE SOLUTIONS COULD RESULT IN DEATH, PERSONAL INJURY, AND/OR SUBSTANTIAL PROPERTY DAMAGE. PROVIDER EXPRESSLY DISCLAIMS AND IS RELEASED FROM ANY RESPONSIBILITY OR LIABILITY FOR ANY AND ALL DAMAGES THAT MAY BE INCURRED DUE TO THE USE OF THE SOLUTIONS FOR SUCH APPLICATIONS. PRE-RELEASE, BETA, TRIAL, AND FREE PRODUCTS AND SERVICES, IF ANY, ARE PROVIDED “AS-IS” AND “AS-AVAILABLE.”

15. LIMITATION OF LIABILITY.

a.

IN NO EVENT WILL PROVIDER BE LIABLE TO CUSTOMER OR ANY OTHER PARTY FOR DAMAGES FOR LOSS OF DATA, LOST PROFITS, OR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, EVEN IF PROVIDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IS NEGLIGENT. THE CUMULATIVE LIABILITY OF PROVIDER TO CUSTOMER FOR ALL CLAIMS ARISING UNDER OR RELATED TO THIS AGREEMENT, WHETHER IN CONTRACT, TORT, OR OTHERWISE, WILL NOT EXCEED THE TOTAL AMOUNT OF FEES PAID TO PROVIDER FOR THE SPECIFIC SOLUTION GIVING RISE TO THE LIABILITY UNDER THE APPLICABLE ORDERING DOCUMENT WITHIN THE YEAR IMMEDIATELY PRECEDING THE FIRST EVENT GIVING RISE TO THE LIABILITY.

b.

Notwithstanding anything to the contrary set forth in this Agreement, Provider will have no obligation or liability, including (without limitation) with respect to support, warranties, indemnification, or otherwise in connection with any: (i) unauthorized use of any Solutions or Documentation; (ii) any Solutions or Documentation that is altered, damaged, or modified by Customer or any third party; (iii) any Solutions or Documentation that is not the then current release available from Provider; (iv) problems caused by Customer's or any third party’s negligence, hardware malfunction, or other causes beyond the control of Provider; (v) any Solutions accessed on a hardware or operating system environment that is not supported by Provider; (vi) the combination, operation, or use of any Solutions with other product(s) or service(s) not supplied by Provider; (vii) pre-release, beta, trial, or free Solutions; (viii) Customer Content, Customer Data, or any other technology, materials or information provided by Customer or any third party; or (ix) any actions taken by Provider at Customer’s direction.

16. INDEMNIFICATION.

a.

If a third-party claims that a Solution infringe any U.S. patent, copyright, or trade secret, Provider will defend Customer against such claim at Provider’s expense and pay all damages finally awarded through judgment or settlement, provided that Customer promptly notifies Provider in writing of the claim, allows Provider sole control of the defense and/or settlement, and cooperates with Provider in, the defense or settlement of such action. If such a claim is made or appears possible, Provider may, at its option, secure for Customer the right to continue to use the Solution, modify or replace the Solution so that the Solution is non-infringing, or, if neither of the foregoing options is available in Provider’s reasonable opinion, terminate this Agreement and refund to Customer any unamortized prepaid fees for use of the Solution. THIS PARAGRAPH STATES PROVIDER’S ENTIRE OBLIGATION TO CUSTOMER WITH RESPECT TO ANY CLAIM OF INFRINGEMENT.

b.

Customer will indemnify, defend and hold harmless Provider and its officers, directors, employees, agents, successors and assigns from and against any and all claims, losses, liabilities, damages, causes of action, suits, expenses, and costs (including reasonable attorneys and expert witness fees) which result from or arise out of a claim by a third party that, if true, would constitute a breach of any representation, warranty, or covenant made by Customer hereunder; or relating to Customer Content, Customer Data, or any other materials or information provided by or on behalf of Customer, including without limitation: (a) claims by Authorized Users; (b) claims related to unauthorized disclosure or exposure of personally identifiable information or other private information by Customer; (c) claims related to infringement or violation of any applicable law; and (d) claims that use of the Solutions through Customer’s account harasses, defames, or defrauds a third party or violates the CAN-Spam Act of 2003 or any other law or restriction on electronic advertising.

17. ALLOCATION OF RISK. Customer acknowledges and agrees that Provider has set its prices and entered into the Agreement in reliance upon the disclaimers of warranty and the limitations of liability in this Agreement, that the same reflect an allocation of risk between Provider and Customer (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between Provider and Customer. If Customer is subject to applicable laws that prohibit Customer from indemnifying Provider as set forth herein or prohibit Customer from entering into the risk allocation arrangement set forth herein, then (a) the terms of such provisions of this Agreement shall apply to Customer only to the fullest extent permitted by applicable law, it being understood that Customer and Provider each wish to enforce the provisions of this Agreement to the maximum extent permitted by applicable law; and (b) Customer must, within thirty (30) days of the commencement of the Term, notify Provider to specifically identify the applicable laws that apply to Customer and the resulting modifications to the risk allocation and indemnification provisions of this Agreement as a result of the application of such applicable laws.

18. THIRD PARTY PRODUCTS AND SERVICES. The Solutions may contain features and functionalities linking Customer or providing Customer with certain functionality and access to third party products and services, including content, websites, directories, servers, networks, systems, information, databases, applications, and software. Customer acknowledges that Provider is not responsible for such third-party products and services. Any terms associated with such third-party products and services are solely between Customer and the applicable third party.

19. GENERAL.

a.

RELATIONSHIP OF PARTIES. This Agreement will not be construed as creating an agency, partnership, joint venture, or any other form of association, for tax purposes or otherwise, between the parties, and the parties will at all times be and remain independent contractors. Except as expressly agreed by the parties in writing, neither party will have any right or authority, express or implied, to assume or create any obligation of any kind, or to make any representation or warranty, on behalf of the other party or to bind the other party in any respect whatsoever.

b.

ASSIGNMENT. This Agreement may not be assigned or transferred by Customer, whether by operation of law or otherwise, without Provider’s prior written consent.

c.

FORCE MAJEURE. Provider will have no liability to Customer under this Agreement if it is prevented from or delayed in performing its obligations under this Agreement, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, including, without limitation, work stoppage, strikes, lock-outs or other industrial disputes, failure of a utility service or transport or telecommunications network, act of God, war, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation, or direction, accident, breakdown of plant or machinery, fire, flood, storm, tornado, technological, computer hardware or software errors, delays, or breakdowns, including those caused by attacks from unauthorized users who access the technological infrastructure, e.g., hackers, or default of sub-contractors or other third parties.

d.

WAIVER. A waiver of any right under this Agreement is only effective if it is in writing and it applies only to the party to whom the waiver is addressed and to the circumstances for which it is given. Unless specifically provided otherwise, rights arising under this Agreement are cumulative and do not exclude rights provided by law.

e.

SEVERABILITY. If any provision (or part of a provision) of this Agreement is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable, or illegal, the other provisions will remain in force. If any invalid, unenforceable or illegal provision would be valid, enforceable, or legal if some part of it were deleted, the provision will apply with whatever modification is necessary to give effect to the commercial intention of the parties.

f.

NOTICES. Any notice required to be given under this Agreement will be in writing and will be delivered by hand or sent by pre-paid first-class post or recorded delivery post to the other party at its address set out in this Agreement, or such other address as may have been notified by that party for such purposes, or sent by electronic mail to the other party’s address as set out in this Agreement or as the other party may specify in writing. A notice delivered by hand will be deemed to have been received when delivered (or if delivery is not in business hours, at 9 am on the first business day following delivery). A correctly addressed notice sent by pre-paid first-class post or recorded delivery post will be deemed to have been received at the time at which it would have been delivered in the normal course of post. A notice sent by electronic mail will be deemed to have been received when the recipient acknowledges receipt of such notice.

g.

GOVERNING LAW AND DISPUTES. This Agreement and any dispute arising hereunder will be governed by and interpreted and construed in accordance with the laws of the State of Delaware, without reference to: (a) any conflicts of law principle that would apply the substantive laws of another jurisdiction to the parties’ rights or duties; (b) the 1980 United Nations Convention on Contracts for the International Sale of Goods; or (c) other international laws. The place of performance and exclusive jurisdiction for any dispute or claim that arises out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims) is the principal place of business of the Provider. The Uniform Computer Information Transactions Act or the United Nations Convention on Contracts for the International Sale of Goods does not apply to this Agreement or purchases placed under it.

h.

EXPORT LAWS. Each party will (i) comply with applicable laws administered by the U.S. Commerce Bureau of Industry and Security, U.S. Treasury Office of Foreign Assets Control or other governmental entity imposing export controls and trade sanctions (“Export Laws”), including designating countries, entities and persons (“Sanctions Targets”) and (ii) not directly or indirectly export, re-export or otherwise deliver Services to a Sanctions Target, or broker, finance or otherwise facilitate any transaction in violation of any Export Laws. Customer represents that it is not a Sanctions Target or prohibited from receiving Services pursuant to this Agreement under applicable Laws, including Export Laws.

i.

GOVERNMENT USE. If Customer is a branch or agency of the U.S. Government, then use, duplication, or disclosure of the Solutions are subject to the restrictions set forth in this Agreement, except that this Agreement shall be governed by federal law.

j.

ANTI-CORRUPTION. Each Party acknowledges its obligation to comply with all applicable anti-corruption legislation and represents that, to its knowledge, no money or other consideration of any kind paid or payable under this Agreement or by separate agreement is, has been or will be used for unlawful purposes, including purposes violating anti-corruption laws, including making or causing to be made payments to any employee of either party or anyone acting on their behalf to assist in obtaining or retaining business with, or directing business to, any person, or securing any improper advantage.

k.

ENTIRE AGREEMENT. This Agreement is the complete and exclusive statement of the parties’ agreement and supersedes all proposals or prior agreements, oral or written, and all other communications between the parties relating to the subject matter hereof. If these General Terms and Conditions conflict with any of the terms or conditions of any Ordering Document, Supplemental Terms and Conditions, or Documentation, then the order of precedence will be: (i) Supplemental Terms and Conditions; (ii) General Terms and Conditions; (iii) the Ordering Document; and (iv) the Documentation; provided that a conflicting term in an Ordering Document will take precedence over the Terms and Conditions if the Ordering Document (a) is signed by an authorized representative of both parties, (b) expressly states that the parties intend to override or replace a provision of the Terms and Conditions that it overrides, and (c) identifies the particular provision in the Terms and Conditions being overridden or replaced. Any purchase orders issued by Customer will be deemed to be for Customer’s convenience only and, notwithstanding acceptance of such orders by Provider, will in no way change, override, or supplement this Agreement. This Agreement applies to the exclusion of any terms or conditions Customer seeks to impose or incorporate, or that might be implied by usage of trade, custom, practice, course of dealing, course of performance or otherwise. Any term or agreement related to the subject matter hereof or any change, addition, or modification to the terms of the Agreement shall be valid and enforceable only if it is made in writing as an amendment or addendum to the and executed by Customer and a duly authorized officer of Provider.

Supplemental Terms and Conditions:
Assert Library

If, and to the extent that the Solution includes the Asset Library, then these Supplemental Terms and Conditions apply.

A. Sections 1 and 2 of the General Terms and Conditions are hereby amended to add the following:

1. Purpose for Template‍

If, and to the extent that, the Licensed Product includes any template available in the Asset Library (“Template”), then the license to use such Template is limited to the creation of items for the following Purpose: Customer’s general business purposes, including but not limited to training and professional development, advertising, and marketing.

Customer may not distribute any stand-alone Template. See additional prohibited uses of Asset Library below.

Examples of permitted uses of a Template include training materials, printed materials, product packaging, presentations, film and video presentations, commercials, catalogs, brochures, promotional greeting cards, and promotional postcards.

Examples of prohibited uses of a Template include design template applications, website templates, eLearning templates, flash templates, business card templates, electronic greeting card templates, and brochure design templates.

2. Purpose for Cutout People

If, and to the extent that, the Licensed Product includes any cutout people available in the Asset Library (“Cutout People”), then the license to use such Cutout People is limited to the creation of items for the following Purpose: Customer’s general business purposes, including but not limited to training and professional development, advertising, and marketing.

Customer may not distribute any stand-alone Cutout People. See additional prohibited uses of Asset Library below.

Examples of permitted uses of Cutout People include training materials, printed materials, product packaging, presentations, film and video presentations, commercials, catalogs, brochures, promotional greeting cards, and promotional postcards.

Examples of prohibited uses of Cutout People include cutout applications and cutout libraries.

3. Purpose for Stock Asset

If, and to the extent that, the Licensed Product includes any stock image, vector, or video available in the Asset Library (“Stock Asset”), then the license to use such Stock Asset is limited to the creation of items for the following Purpose: Customer’s training and professional development.

Customer may not distribute any stand-alone Stock Asset. See additional prohibited uses of Asset Library below.

Examples of permitted uses of a Stock Asset include Customer’s eLearning, training and professional development, classroom training, instructor lead training, web-based training, online learning, mobile learning, course development, webinars, webcasts, self-paced learning, live online learning, pre-recorded classrooms, educational lectures, instructional design, k-12 and higher education, educational promotion, learning management systems, corporate universities, and other training courses.

Examples of prohibited uses of a Stock Asset include marketing, advertising, logo, social media, or any website purposes unrelated to Customer’s training and professional development.

4. Purpose for Music

If, and to the extent that, the Licensed Product includes any music available in the Asset Library (“Music”), then the license to use such Music is limited to the creation of audio-visual or audio content solely for the following Purpose: Customer’s training and professional development.

Customer may not:

i.

Substantively modify Music (e.g., modulate, remix, change tempo, key, etc.), provided that Customer may apply minor changes such as arranging Music with each other or cutting/ fading Music;

ii.

Reproduce, export, or otherwise embody Music in any physical items or devices for sale or free distribution where the Music are used outside of creative content permitted above; or

iii.

Use Music as a major part of audio-only content; use Music as a primary, defining, or important part of an item; use Music to increase the intrinsic value of an item; or use Music to influence a customer’s preference for a particular item.

Customer may not distribute stand-alone Music. See additional prohibited uses of Asset Library below.

Examples of permitted uses of Music include incidental use in Customer’s eLearning, training and professional development, classroom training, instructor lead training, web based training, online learning, mobile learning, course development, webinars, webcasts, self-paced learning, live online learning, pre-recorded classrooms, educational lectures, instructional design, k-12 and higher education, educational promotion, learning management systems, corporate universities, and other training courses.

Examples of prohibited uses of Music include marketing, advertising, logo, social media, or any website purposes unrelated to Customer’s training and professional development.

5. Purpose for Icon

If, and to the extent that, the Licensed Product includes any icon available in the Asset Library (“Icon”), then the license to use such Icon is limited to the creation of items for the following Purpose: Customer’s training and professional development.

Customer may not distribute any stand-alone Icon. See additional prohibited uses of Asset Library below.

Examples of permitted uses of an Icon include Customer’s eLearning, training and professional development, classroom training, instructor lead training, web-based training, online learning, mobile learning, course development, webinars, webcasts, self-paced learning, live online learning, pre-recorded classrooms, educational lectures, instructional design, k-12 and higher education, educational promotion, learning management systems, corporate universities, and other training courses.

Examples of prohibited uses of an Icon include marketing, advertising, logo, social media, or any website purposes unrelated to Customer’s training and professional development.

6. Additional Prohibited Uses of Asset Library, including Templates, Cutout People, Stock Images, Music, and Icons (each, “Asset”)

Customer may not:

a.

Use any Asset in any way that allows others to download, extract or redistribute the Asset as a standalone file;

b.

Use any Asset to create an item after expiration or termination of the Term;

c.

Stockpile, download, or otherwise store any Asset that is not used in any item during the Term;

d.

Make the Asset available for free download on a shared drive, service, software, or website for the purpose of exchanging, transferring, or distributing;

e.

Transfer, resell, sub-license, rent, donate, or otherwise transfer the Asset or rights to it to third parties;

f.

Establish conditions under which the Asset may be extracted from a product or content;

g.

Allow third parties access to the Asset for further use;

h.

Use the Asset to create an official logo, company name, trademark or otherwise register any intellectual property rights in and to the Assets with any governmental authority or non-governmental organization;

i.

Use the Asset in a way that infringes the Asset’s intellectual property rights or a third party’s trademark or that would lead to a complaint about deceptive advertising or unfair competition;

j.

Use the Asset for SPAM mailings;

k.

Use the Asset in a way that competes with Provider’s or its affiliates’ or their respective licensors’ businesses;

l.

Display, use, or post the Asset in a way that would lead to the conclusion that the model in the Asset approves of or endorses the items or services of any venture or trademark;

m.

Show a person depicted in the Asset in sensitive scenarios that could reasonably be considered offensive or unflattering to that person (e.g., related to mental and physical deficits, sexual or implied sexual activity or preferences, crime, physical or mental abuse or ailments);

n.

Use the Asset for pornographic, illegal, or immoral purposes;

o.

Use the Asset in items or products that could embarrass or humiliate a person or model in the Asset;

p.

Use the Asset for advertisement or promotion of tobacco or alcohol products.

q.

Display, use, or post the Asset in a way that would lead to the conclusion that the model in the Asset approves of or endorses any political party, policy, candidate, or elected official.

B. Section 5 of the General Terms and Conditions is hereby amended to add the following:

Provider shall provide Customer with access to support for assistance in the use of the Licensed Product at https://knowledgebase.elblearning.com/.

C. Section 7 of the General Terms and Conditions is hereby amended to add the following:

Privacy Policy: Privacy Policy is available at www.elblearning.com/privacy-policy.

Supplemental Terms and Conditions:
CenarioVR®

If, and to the extent that the Solution includes CenarioVR, then these Supplemental Terms and Conditions apply.

A. Section 1 of the General Terms and Conditions is hereby amended to add the following:

Purpose: Customer’s general business purposes, including but not limited to training and professional development

B. Section 5 of the General Terms and Conditions is hereby amended to add the following:

Provider shall provide Customer with access to support for assistance in the use of the Subscription Service at https://knowledgebase.elblearning.com/.

C. Section 7 of the General Terms and Conditions is hereby amended to add the following:

Privacy Policy: Privacy Policy is available at www.elblearning.com/privacy-policy.

Supplemental Terms and Conditions:
CourseMill® Hosted (Subscription Services) and/or On-Premises, Enterprise Version (Licensed Product)

If, and to the extent that, the Solution includes CourseMill® Hosted (Subscription Services) and/or On-Premises, Enterprise Version, then these Supplemental Terms and Conditions apply.

A. Sections 1 and 2 of the General Terms and Conditions is hereby amended to add the following:

Purpose: Customer’s general business purposes, including but not limited to training and professional development

B. Section 5 of the General Terms and Conditions is hereby amended to add the following:Provider shall provide Customer with access to support for assistance in the proper use of the Subscription Services and/or the installation and use of the Licensed Product at https://knowledgebase.elblearning.com/. For the on-premises, licensed version of CourseMill®, an on-going support and maintenance contract may be required. Please contact your account representative for details.

C. Section 7 of the General Terms and Conditions is hereby amended to add the following:

Privacy Policy: Privacy Policy is available at www.elblearning.com/privacy-policy.

Supplemental Terms and Conditions:
Lectora® Online (Subscription Services) and/or Desktop (Licensed Product)

If, and to the extent that, the Solution includes Lectora Online and/or Desktop, then these Supplemental Terms and Conditions apply.

A. Sections 1 and 2 of the General Terms and Conditions is hereby amended to add the following:

Purpose: Customer’s general business purposes, including but not limited to training and professional development

B. Section 5 of the General Terms and Conditions is hereby amended to add the following:

Provider shall provide Customer with access to support for assistance in the proper use of the Subscription Services and/or the installation and use of the Licensed Product at https://knowledgebase.elblearning.com/.

C. Section 7 of the General Terms and Conditions is hereby amended to add the following:

Privacy Policy: Privacy Policy is available at www.elblearning.com/privacy-policy.

D. The General Terms and Conditions are hereby amended to add the following:

The Licensed Product includes certain open-source software or code developed by The Apache Software Foundation and governed by the Apache License version 2.0 found at www.apache.org/licenses/. Use of the Desktop Software in accordance with this Agreement without modification will not impose any affirmative obligations on Customer under such license.

Supplemental Terms and Conditions:
Rehearsal

If, and to the extent that the Solution includes Rehearsal, then these Supplemental Terms and Conditions apply.

A. Section 1 of the General Terms and Conditions is hereby amended to add the following:

Purpose: Customer’s training and professional development

Authorized User: An employee, agent, or independent contractor of Customer who are designated by Customer via the Subscription Services as “Primary Administrator”, “Author”, “Mentor”, or “Learner”. The Primary Administrator is designated by the Customer during the Subscription Service setup process. The Primary Administrator(s) and Author(s) may access the authoring tools to populate the tools with Customer Content and to invite Mentors and Learners to access the tools via the Subscription Services. The Primary Administrator(s) and Author(s) may view the tool’s analytics dashboard via the Subscription Services if purchased, and as permissions have been granted by the Primary Administrator(s), within the Subscription Services. The Primary Administrator(s), Author(s), Mentors(s) and Learner(s) may view the tool’s leaderboard via the Subscription Services, as permissions are granted within the Subscription Services. The Learner(s) and Mentor(s) may access assigned tools, as provided to them by the Primary Administrator(s) and Author(s) via the Subscription Services.

Authorized User(s), up to the number indicated in the Ordering Document, whether such is uniquely identified through a data field (such as an email address, or personally identifiable number as designated by purchased SSO integrations), may access the tools as identified in the Subscription Services, and, if purchased, during the Term in the Territory in accordance with this Agreement for the fee indicated in the Ordering Documents. All Authorized User(s) uniquely identified through a data field such as described herein are counted as a Seat once during the Term.

B. Section 5 of the General Terms and Conditions is hereby amended to add the following: Provider shall provide Customer with access to support for assistance in the use of the Subscription Service at https://knowledgebase.elblearning.com/.

C. Section 7 of the General Terms and Conditions is hereby amended to add the following:

Privacy Policy: Privacy Policy is available at www.elblearning.com/privacy-policy.

Data Processing Addendum: If Customer’s use of Rehearsal involves processing personal data pursuant to Regulation 2016/679 (GDPR) and/or transferring personal data outside the United Kingdom, the European Economic Area, or Switzerland to any country not deemed by the UK Information Commissioner’s Office or European Commission as providing an adequate level of protection for personal data or applicable personal data regulations, then the Data Processing Addendum shall apply to such processing and are hereby incorporated by reference. For the purposes of the Standard Contractual Clauses in Schedule 3 to the Data Processing Addendum, Customer is the data exporter, and Customer’s acceptance of the Ordering Document shall be treated as Customer’s signature of the Standard Contractual Clauses and appendices. For purposes of compliance with the EU General Data Protection Regulation, Customer is the Data Controller and Provider is the Data Processor. If Provider is required by a third-party to remove Customer Data or receives information that Customer Data may violate applicable law or third-party rights, Provider may so notify Customer and in such event, Customer will promptly remove data from Provider’s systems. If Customer does not take required action in accordance with the above, Provider may disable the applicable data, remove such Customer Data from Provider’s system, and/or Subscription Service until the potential violation is resolved.

If, and to the extent that, the Solution includes the Rehearsal Beta (“Beta Feature”), then these Supplemental Terms and Conditions apply.

D. Subject to the terms and conditions set forth in the Agreement, Provider hereby grants, and Customer hereby accepts, a non-exclusive, non-sublicensable, non-transferable, revocable, limited, right to permit Authorized Users to access and use the Beta Feature solely for the Purpose (as defined below), in accordance with any Documentation in the Territory during the Beta Period (as defined below).

Purpose: Training and professional development of Customer’s employees.

Beta Period: the period beginning on the date the Beta Feature was first made available to Customer and continuing until the earlier of the date on which the Provider (a) begins charging for the functionality as a stand-alone feature, or (b) in its sole discretion, removes the Beta designation.

Access to the Beta Feature will be free during the Beta Period. Provider does not make any commitment to provide the Beta Feature in any future versions of the Solutions. Provider may immediately and without notice remove the Beta Feature for any reason without liability to Customer.

E. The Beta Feature includes AI Functionality (as defined below)

AI Functionality: large language models (LLMs) or other machine learning or artificial intelligence (“AI”) functionality of the Beta Feature.

Customer may submit Customer Data (including in the form of prompts, queries, or files) to the AI Functionality (“Inputs”) and receive outputs from the AI Features (“Outputs”).

1. Training
‍
Provider may not use Inputs or Outputs to train or otherwise improve AI Functionality, except solely for the benefit of Customer.

2. Intellectual Property

a.

Except for Provider’s express rights in the Agreement, as between the parties, Customer retains all intellectual property and other rights in Customer’s Inputs and Outputs as Customer Data.

b.

Customer acknowledges that Outputs provided to Customer may be similar or identical to Outputs independently provided by Provider to others.

c.

Provider disclaims infringement liability for Outputs. Outputs are generated through machine learning processes and are not tested, verified, endorsed or guaranteed to be accurate, complete or current by Provider. Customer should independently review and verify all Outputs as to appropriateness for any and all Customer use cases and applications.

3. Third-Party Providers and Terms

a.

Customer acknowledges that the following third parties provide the AI Functionality: OpenAI LLC (“Third-Party Provider”).

b.

Customer acknowledges that Third-Party Provider is a subprocessor engaged in processing Customer Data.

c.

Customer agrees to abide by Third-Party Provider’s terms and conditions relating to the AI Functionality at https://openai.com/policies (“Third-Party Terms”).

4. Special Restrictions on Use of AI Functionality

a.

Without limiting any restrictions on use of the Solutions in the Agreement, Customer will not and will not permit anyone else to:

i.

use the AI Functionality or any Output to infringe any third-party rights,

ii.

use the AI Functionality or any Output to develop, train or improve any AI or ML models,

iii.

represent any Output as being approved or vetted by Provider or Third-Party Provider,

iv.

represent any Output as being an original work or a wholly human-generated work,

v.

use the AI Functionality for automated decision-making that has legal or similarly significant effects on individuals, unless it does so with adequate human review and in compliance with Laws, or

vi.

use the AI Functionality for purposes or with effects that are discriminatory, harassing, harmful or unethical.

b.

Customer acknowledges and agrees that the AI Functionality is subject to certain restrictions in their use, particularly concerning decision-making processes. Customer shall ensure that the AI Functionality is not used as the sole basis for making decisions that could significantly affect the rights and freedoms of individuals, especially in contexts related to employment, credit eligibility, healthcare decisions, insurance underwriting and claims, or any other decision-making processes that could lead to legal or significant personal impacts.

5. Compliance with Laws and Regulations

a.

Customer agrees to use the AI Functionality in compliance with all applicable local, state, national, and international laws and regulations, including but not limited to those pertaining to data protection, privacy, non-discrimination, and employment.

b.

Customer is responsible for ensuring that the use of AI Functionality in decision-making processes adheres to all relevant legal standards and ethical guidelines, including obtaining necessary consents and providing requisite disclosures and explanations to affected individuals.

c.

Customer is responsible for complying with its own policies, including any AI policy

6. Review and Attribution

Customer commits to manually reviewing each generation of Output before sharing or streaming and to accurately attribute the content. Additionally, Customer shall clearly indicate that the content is AI-generated in a way that no user could reasonably miss or misunderstand. Customer agrees to adhere to the specific requirements and conditions set forth in the Third-Party Terms regarding the sharing of content on social media, livestreaming, demonstrations, and the publication of content.

7. Modification and Termination

These Supplemental Terms may be modified in response to evolving technology, legal changes, or amendments in Third-Party Terms. In the event of any breach of these Supplemental Terms by Customer, Publisher reserves the right to discontinue the provision of the AI Functionality to the Customer immediately.

F. DISCLAIMER. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THE AGREEMENT, ALL BETA FEATURES ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WITHOUT ANY PERFORMANCE OBLIGATIONS, AND PROVIDER SHALL HAVE NO INDEMNIFICATION OBLIGATIONS NOR LIABILITY OF ANY TYPE WITH RESPECT TO THE BETA FEATURES UNLESS SUCH EXCLUSION OF LIABILITY IS NOT ENFORCEABLE UNDER APPLICABLE LAW IN WHICH CASE PROVIDER’S LIABILITY WITH RESPECT TO THE BETA FEATURES SHALL NOT EXCEED $100.00.

G. Provider shall not be liable for any claim, damage, or loss arising from the Customer's use of any Beta Feature in violation of the Agreement.

H. Customer agrees to indemnify and hold harmless Provider from any claims, damages, losses, costs, or expenses incurred as a result of the Customer's use of any Beta Feature, including AI Functionality, Inputs, or Outputs.

I. Any Customer Data entered, used, or generated with the Beta Features may be permanently lost without notice during the Beta Period.

Supplemental Terms and Conditions:
ReviewLink®

If, and to the extent that, the Solution includes ReviewLink®, then these Supplemental Terms and Conditions apply.

A. Section 1 of the General Terms and Conditions is hereby amended to add the following:

Purpose: Customer’s general business purposes, including but not limited to training and professional development

B. Section 5 of the General Terms and Conditions is hereby amended to add the following:

Provider shall provide Customer with access to support for assistance in the use of the Subscription Service at https://knowledgebase.elblearning.com/.

C. Section 7 of the General Terms and Conditions is hereby amended to add the following:

Data Privacy: Privacy Policy is available at www.elblearning.com/privacy-policy.

Supplemental Terms and Conditions:
Rockstar Learning Platform

If, and to the extent that, the Solution includes the Rockstar Learning Platform, then these Supplemental Terms and Conditions apply.

A. Section 1 of the General Terms and Conditions is hereby amended to add the following:

Purpose: Customer’s general business purposes, including but not limited to training and professional development

B. Section 5 of the General Terms and Conditions is hereby amended to add the following:

Provider shall provide Customer with access to support for assistance in the use of the Subscription Service at https://knowledgebase.elblearning.com/.

C. Section 7 of the General Terms and Conditions is hereby amended to add the following:

Data Privacy: Privacy Policy is available at www.elblearning.com/privacy-policy.

Supplemental Terms and Conditions:
The Studio MicroBuilder™

If, and to the extent that, the Solution includes The Studio MicroBuilder, then these Supplemental Terms and Conditions apply.

A. Sections 1 and 2 of the General Terms and Conditions is hereby amended to add the following:

Purpose: Customer’s general business purposes, including but not limited to training and professional development

B. Section 5 of the General Terms and Conditions is hereby amended to add the following:

Provider shall provide Customer with access to support for assistance in the proper use of the Subscription Services and/or the installation and use of the Licensed Product at https://knowledgebase.elblearning.com/

C. Section 7 of the General Terms and Conditions is hereby amended to add the following:

Privacy Privacy: Privacy Policy is available at www.elblearning.com/privacy-policy.

If, and to the extent that, the Solution includes The Studio MicroBuilder Beta feature (“Beta Feature”), then these Supplemental Terms and Conditions apply.

D. Subject to the terms and conditions set forth in the Agreement, Provider hereby grants, and Customer hereby accepts, a non-exclusive, non-sublicensable, non-transferable, revocable, limited, right to permit Authorized Users to access and use the Beta Feature solely for the Purpose (as defined below), in accordance with any Documentation in the Territory during the Beta Feature Period (as defined below).

Purpose: Training and professional development of Customer’s employees.

Beta Feature Period: the period beginning on the date the Beta Feature was first made available to Customer and continuing until the earlier of the date on which the Provider (a) begins charging for the functionality as a stand-alone feature, or (b) in its sole discretion, removes the Beta designation.

Access to the Beta Feature will be free during the Beta Feature Period. Provider does not make any commitment to provide the Beta Feature in any future versions of the Solutions. Provider may immediately and without notice remove the Beta Feature for any reason without liability to Customer.

E. The Beta Feature includes AI Functionality (as defined below)

AI Functionality: large language models (LLMs) or other machine learning or artificial intelligence (“AI”) functionality of the Beta Feature.

Customer may submit Customer Data (including in the form of prompts, queries, or files) to the AI Functionality (“Inputs”) and receive outputs from the AI Features (“Outputs”).

1. Training

Provider may not use Inputs or Outputs to train or otherwise improve AI Functionality, except solely for the benefit of Customer.

2. Intellectual Property

a.

Except for Provider’s express rights in the Agreement, as between the parties, Customer retains all intellectual property and other rights in Customer’s Inputs and Outputs as Customer Data.

b.

Customer acknowledges that Outputs provided to Customer may be similar or identical to Outputs independently provided by Provider to others.

c.

Provider disclaims infringement liability for Outputs. Outputs are generated through machine learning processes and are not tested, verified, endorsed or guaranteed to be accurate, complete or current by Provider. Customer should independently review and verify all Outputs as to appropriateness for any and all Customer use cases and applications.

3. Third-Party Providers and Terms

a.

Customer acknowledges that the following third parties provide the AI Functionality: OpenAI LLC (“Third-Party Provider”).

b.

Customer acknowledges that Third-Party Provider is a subprocessor engaged in processing Customer Data.

c.

Customer agrees to abide by Third-Party Provider’s terms and conditions relating to the AI Functionality at https://openai.com/policies (“Third-Party Terms”).

4. Special Restrictions on Use of AI Functionality

a.

Without limiting any restrictions on use of the Solutions in the Agreement, Customer will not and will not permit anyone else to:

i.

use the AI Functionality or any Output to infringe any third-party rights,

ii.

use the AI Functionality or any Output to develop, train or improve any AI or ML models,

iii.

represent any Output as being approved or vetted by Provider or Third-Party Provider,

iv.

represent any Output as being an original work or a wholly human-generated work,

v.

use the AI Functionality for automated decision-making that has legal or similarly significant effects on individuals, unless it does so with adequate human review and in compliance with Laws, or

vi.

use the AI Functionality for purposes or with effects that are discriminatory, harassing, harmful or unethical.

b.

Customer acknowledges and agrees that the AI Functionality is subject to certain restrictions in their use, particularly concerning decision-making processes. Customer shall ensure that the AI Functionality is not used as the sole basis for making decisions that could significantly affect the rights and freedoms of individuals, especially in contexts related to employment, credit eligibility, healthcare decisions, insurance underwriting and claims, or any other decision-making processes that could lead to legal or significant personal impacts.

5. Compliance with Laws and Regulations

a.

Customer agrees to use the AI Functionality in compliance with all applicable local, state, national, and international laws and regulations, including but not limited to those pertaining to data protection, privacy, non-discrimination, and employment.

b.

Customer is responsible for ensuring that the use of AI Functionality in decision-making processes adheres to all relevant legal standards and ethical guidelines, including obtaining necessary consents and providing requisite disclosures and explanations to affected individuals.

c.

Customer is responsible for complying with its own policies, including any AI policy.

6. Review and Attribution

Customer commits to manually reviewing each generation of Output before sharing or streaming and to accurately attribute the content. Additionally, Customer shall clearly indicate that the content is AI-generated in a way that no user could reasonably miss or misunderstand. Customer agrees to adhere to the specific requirements and conditions set forth in the Third-Party Terms regarding the sharing of content on social media, livestreaming, demonstrations, and the publication of content.

7. Modification and Termination

These Supplemental Terms may be modified in response to evolving technology, legal changes, or amendments in Third-Party Terms. In the event of any breach of these Supplemental Terms by Customer, Publisher reserves the right to discontinue the provision of the AI Functionality to the Customer immediately.

F. DISCLAIMER. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THE AGREEMENT, ALL BETA FEATURE FEATURES ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WITHOUT ANY PERFORMANCE OBLIGATIONS, AND PROVIDER SHALL HAVE NO INDEMNIFICATION OBLIGATIONS NOR LIABILITY OF ANY TYPE WITH RESPECT TO THE BETA FEATURE UNLESS SUCH EXCLUSION OF LIABILITY IS NOT ENFORCEABLE UNDER APPLICABLE LAW IN WHICH CASE PROVIDER’S LIABILITY WITH RESPECT TO THE BETA FEATURE SHALL NOT EXCEED $100.00.

G. Provider shall not be liable for any claim, damage, or loss arising from the Customer's use of any Beta Feature in violation of the Agreement.

H. Customer agrees to indemnify and hold harmless Provider from any claims, damages, losses, costs, or expenses incurred as a result of the Customer's use of any Beta Feature, including AI Functionality, Inputs, or Outputs.

I. Any Customer Data entered, used, or generated with the Beta Feature may be permanently lost without notice during the Beta Feature Period.

Supplemental Terms and Conditions:
The Training Arcade®

If, and to the extent that, the Solution includes The Training Arcade, then these Supplemental Terms and Conditions apply.

A. Section 1 of the General Terms and Conditions is hereby amended to add the following:

Purpose: Customer’s training and professional development

Game Type: Customizable game template in The Training Arcade for the reinforcement, evaluation, and optimization of training, as set forth in the Ordering Document.

Game: Game Type populated with Customer Content via The Training Arcade.

Authorized User: An employee, agent, or independent contractor of Customer who are designated by Customer via the Subscription Services as “Primary Administrator,” “Author,” “Viewer/Facilitator,” or “Learner.” The Primary Administrator is designated by the Customer during the online setup process. The Primary Administrator and Author(s) may access the Game Type authoring tools to populate the Game Types with Customer Content and to invite Learners to access the Games via the Subscription Services. The Primary Administrator, Author(s), and Viewer(s)/Facilitator(s) may view the Game analytics dashboard and leaderboard via the Subscription Services. The Learners may access and play the Games as provided to them by the Primary Administrator or Author via the Subscription Services.

Learners (up to the number indicated in the Ordering Document, whether such Learner is uniquely identified through a data field such as an email address or unregistered playing anonymously) may access the Games and Arcades, if purchased, during the Term in the Territory in accordance with this Agreement for the fee indicated in the Ordering Documents. Learners uniquely identified through a data field such as an email address or employee ID # are counted only once during the Term. In anonymous gameplay, each session counts toward the Learner threshold.

B. Section 3 of the General Terms and Conditions is hereby amended to add the following:

All aspects of running challenges, contests, and other promotions and/or awarding, purchasing, and delivering prizes and incentives, including drafting rules and compliance with all contest, promotion, tax, and other applicable laws, are the sole responsibility of the Customer, and neither Provider nor its licensors bear any risk or responsibility thereunder.

Customer will not place a link to any functionality available from the Subscription Service onto a public-facing website or social media site.

C. Section 5 of the General Terms and Conditions is hereby amended to add the following:

Provider shall provide Customer with access to support personnel for assistance in the use of the Subscription Service as indicated at https://thetrainingarcade.com/faqs-the-training-arcade/.

D. Section 7 of the General Terms and Conditions is hereby amended to add the following:

Privacy Policy: Privacy Policy is available at https://thetrainingarcade.com/privacy-policy/

Data Processing Addendum: If Customer’s use of The Training Arcade involves processing personal data pursuant to Regulation 2016/679 (GDPR) and/or transferring personal data outside the United Kingdom, the European Economic Area, or Switzerland to any country not deemed by the UK Information Commissioner’s Office or European Commission as providing an adequate level of protection for personal data or applicable personal data regulations, then the Data Processing Addendum shall apply to such processing and are hereby incorporated by reference. For the purposes of the Standard Contractual Clauses in Schedule 3 to the Data Processing Addendum, Customer is the data exporter, and Customer’s acceptance of the Ordering Document shall be treated as Customer’s signature of the Standard Contractual Clauses and appendices. For purposes of compliance with the EU General Data Protection Regulation, Customer is the Data Controller and Provider is the Data Processor.

E. Section 9 of the General Terms and Conditions is hereby amended to add the following:

Post-Expiration Period: Commences on the date of expiration of the Term and expires three months thereafter, unless earlier terminated. During the Post-Expiration Period, subject to Customer’s payment of applicable fees as set forth in the Order Form and fulfillment of all other obligations under this Agreement, Learners will continue to have access to the single Learner (not multi-learner nor instructor-led) Games via The Training Arcade. During such Post Expiration Period, no other functionality for the Subscription Services will be available to the Customer, and nor will Provider have any support or other obligations in connection therewith. After the Post-Expiration Period, if any, or termination of this Agreement, Provider will have the right, without obligation, to disable Customer’s access to the Subscription Services, including links, and dispose of, or archive any of Customer Content and Customer Data in its possession. Such disposal will be in the form of anonymizing Customer Content and Customer Data.

F. If, and to the extent that, Customer is a Publisher (as defined below), the following applies:

“Publisher” means a Customer who purchases a Subscription for Publisher’s Primary Author and Publisher’s Author(s) to access the Game Type authoring tools to populate the Game Types with Customer Content and to invite all or a subset of Publisher Client’s Learners to access the Games via The Training Arcade; for the Publisher’s Primary Author, Publisher’s Author(s), Publisher’s Viewer Author(s), and Publisher Client’s Viewer Author(s) to view the Game analytics dashboard and leaderboard via The Training Arcade; and for the Publisher Client’s Learners to access and play the Games via The Training Arcade (“Publisher Rights”). Publisher may designate an employee, agent, and independent contractor of Publisher (but not Publisher Client) as Publisher’s Author and Publisher’s Primary Author. Publisher may designate employees, agents, and independent contractors of Publisher Client as Publisher’s Viewer Author(s) and Publisher’s Learners.

“Publisher Client” means a client of Publisher who enters into a written agreement with Publisher to have Publisher exercise Publisher Rights for such client.

“Customer Content” includes the questions, answers, images, videos, sounds, and other materials that the Publisher’s Primary Author or Publisher’s Author provides and populates in Game Types on behalf of Publisher Client for the purpose of facilitating internal training of Learners in accordance with this Agreement.

Publisher may exercise the Publisher Rights solely for Publisher Client’s non-commercial internal training purposes in the Territory during the applicable Term, provided however that Publisher must designate a unique subdomain for each Publisher Client. Accordingly, if Publisher wishes to have more than one (1) Publisher Client, then Publisher must purchase another Subscription for each additional Publisher Client and enter into separate agreements for each Subscription. Publisher will not permit any third party to access and play the Games, other than Publisher Client’s Learners.

Publisher represents and warrants that (a) it is authorized to act as Customer on behalf of Publisher Client and to bind Publisher Client to the terms and conditions of this Agreement; and (b) Publisher has and will have the necessary rights and consents from Publisher Client.

Contact Us

Data Processing Addendum to the Subscription and License Agreement

Updated June 12, 2024

SCHEDULE A - PERSONAL DATA DETAILS FOR SUBSCRIPTION SERVICES & LICENSED PRODUCTS

SCHEDULE B - TECHNICAL AND ORGANIZATIONAL MEASURES

SCHEDULE C – EEA, UK, AND SWITZERLAND TRANSFERS

Table of Contents

1. Subscription

2. License

3. Reserved Rights

4. Restrictions & Requirements

5. Support Services

6. Professional Services

7. Privacy & Security Program Overview

8. Fees

9. Term & Termination

10. Proprietary Rights

11. Confidentiality

12. Publicity

13. Representations And Warranties

14. Disclaimer

15. Limitation of Liability

16. Indemnification

17. Allocation of Risk

18. Third Party Products & Services

19. General

1. Asset Library

2. CenarioVR®

3. CourseMill®

4. Lectora® Online (Subscription Services) and/or Desktop (Licensed Product)

5. Rehearsal

6. ReviewLink®

7. Rockstar Learning Platform

8. The Studio MicroBuilder™

9. The Training Arcade®

1.

“Controller” means the entity that determines the purposes and means of the processing of Personal Data. “Controller” includes equivalent terms in Data Protection Laws, such as the CCPA-defined terms “Business” or “Third Party,” as context requires.

2.

3.

4.

RESTRICTIONS AND REQUIREMENTS.

a.

b.

c.

d.

e.

f.

g.

5.

SUPPORT SERVICES. During the Term, Provider will support the Solutions in accordance with the applicable standard support policy for the Solutions then in effect, if any, unless otherwise set forth in the applicable Supplemental Terms and Conditions or Ordering Document.

6.

7.

8.

FEES.

a.

b.

9.

TERM AND TERMINATION.

a.

This Agreement is effective as of the effective date of the initial Ordering Document and will continue until the expiration of the last Term, unless earlier terminated.

b.

If this Agreement terminates as a result of there being no active Ordering Document, this Agreement will automatically become effective again in the event that a new Ordering Document is entered into by and between the parties.

c.

d.

Customer may terminate this Agreement, effective on written notice to Provider, if Provider materially breaches this Agreement, and such breach remains uncured thirty (30) days after Customer provides Provider with written notice of such breach.

e.

f.

10.

PROPRIETARY RIGHTS.

a.

b.

c.

Provider owns all intellectual property rights in such aggregate data, anonymous data, and other statistical information.

d.

e.

Customer acknowledges and agrees that Provider owns all rights to any feedback provided to Provider, including any survey responses, bug reports, enhancement requests, issue reports, and support information; and Provider will be free to use such feedback for any purpose.

11.

12.

13.

REPRESENTATIONS AND WARRANTIES.