1.  APPLICATION OF THIS ADDENDUM

1.1    The General Data Protection Regulation Addendum (“GDPR Addendum”) is incorporated by reference into each services agreement (“Agreement”) and all related orders for services, including Subscription Services between users of such services (“Customer”) and Teaching Strategies, LLC (“Processor”).  Teaching Strategies Agreements, including the Subscription Agreement, and Privacy Policy can be found at https://teachingstrategies.com/agreement-and-policies/

.

1.2   This GDPR Addendum supplements the Agreement and sets out the terms that apply when Customer Personal Data are Processed by Teaching Strategies under the Agreement. The purpose of the GDPR Addendum is to help ensure such Processing is conducted in accordance with Applicable Data Protection Laws and with due respect for the rights and freedoms of individuals whose Personal Data are Processed.

.

2.  DATA PROCESSING TERMS AND DEFINITIONS

.

2.1.   For the purposes of this GDPR Addendum, the following terms have the following meanings unless the context otherwise requires. Other capitalized terms not defined herein will have the same meaning as set forth in the Agreement.

.

a.    “Applicable Data Protection Laws” means data protection laws in the United States, United Kingdom, and the European Union, including Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and the  UK GDPR and the Data Protection Act 2018 (“General Data Protection Regulation” or “GDPR”).

b.    “Data” means all data, content, and information (including Personal Data) owned, held, used, or created by the Customer or on its behalf that is stored using, or inputted into, the Services, including the Customer Personal Data.

c.     “EEA” means the European Economic Area.

d.     “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

e.     “Customer Personal Data” means Personal Data that Teaching Strategies or its Sub-processors Process for or on behalf of Customer.

f.      “Personal Data” means any information relating to an identified or identifiable person.

g.     “Data Subject” means an individual whose Personal Data is being Processed under the Agreement.

h.     “Processing” means any operation or set of operations which is performed upon Customer Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure, or destruction.

i.      “Services” means any software or services Teaching Strategies provides to the Customer under the Agreement.

j.      “Standard Contractual Clauses” means collectively the EU Standard Contractual Clauses and the UK International Data Transfer Agreement.

k.     “Sub-Processor” means any person appointed by Teaching Strategies or on its behalf to Process Customer Personal Data on the Customer’s behalf in connection with the Underlying Agreement.

.

3.  PROCESSING OF CUSTOMER PERSONAL DATA

.

3.1    The Parties acknowledge and agree that with regard to the Processing of Customer Data, Customer is the Data Controller (“Controller”) and Teaching Strategies is a Data Processor (“Processor”). Teaching Strategies will Process Customer Data in accordance with Customer’s instructions as outlined in this section and in Section 5 (Data Processor’s Obligations).

.

3.2  Teaching Strategies will Process Customer Personal Data (i) in accordance with the Agreement; (ii) at the Customer’s request when accessing or using the Services; or (iii) to comply with other reasonable instructions of the Data Controller (e.g., via email or support tickets) that are consistent with the terms of this GDPR Addendum (individually and collectively, the “Purpose”). The types of Personal Data and categories of Data Subjects Processed under this GDPR Addendum, the subject-matter, nature, purpose, and duration of the Processing are further specified in Schedule 1 to this GDPR Addendum. If Customer’s Affiliates have purchased subscriptions to the Services directly with Teaching Strategies under the Agreement, then this GDPR Addendum amends the terms of the Agreement with respect to those subscriptions, and each such Affiliate shall be deemed to be the “Data Controller” for the purposes of this GDPR Addendum. Customer shall be responsible for coordinating all communications with Teaching Strategies and Customer’s Affiliates under this GDPR Addendum and shall be entitled to make and receive any communication in relation to the GDPR Addendum, on behalf of itself and its Affiliates.

.

4. DATA CONTROLLER

.

4.1   The Data Controller shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of Applicable Data Protection Law. Customer’s instructions for the Processing of Customer Personal Data shall comply with Applicable Data Protection Law. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer obtained Customer Personal Data.

.

4.2  The Data Controller warrants that it has all necessary rights to provide the Customer Personal Data to the Data Processor for the Processing to be performed in relation to the Services. To the extent required by Applicable Data Protection Law, the Data Controller is responsible for ensuring that any necessary Data Subject consents to this Processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by the Data Subject, Data Controller is responsible for communicating the fact of such revocation to the Data Processor, and Data Processor remains responsible for implementing any Data Controller instruction with respect to the further Processing of Customer Personal Data that is consistent with the terms of this GDPR Addendum.

.

5.  DATA PROCESSOR’S OBLIGATIONS

.

5.1   To the extent the Data Processor Processes Customer Personal Data on behalf of the Data Controller, it shall:

a.     Process the Customer Personal Data only on documented instructions from the Data Controller in such manner as, and to the extent that, this is appropriate for the provision of the Services, including with regard to transfers of Personal Data to third countries, except as required to comply with applicable laws in the EEA, EEA member states, the UK, or Switzerland, to which the Data Processor is subject. In such a case, the Data Processor shall, to the extent legally permitted by those laws, inform the Data Controller of that legal obligation before Processing. The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes the data protection laws of the EEA, EEA member states, or the UK;

b.     ensure that all persons or parties authorized to Process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

c.     at all times have in place an appropriate written security policy with respect to the Processing of Customer Personal Data, outlining in any case the measures referenced in Section 10 below.

.

5.2   Except as permitted by applicable law, the Agreement or this GDPR Addendum, Teaching Strategies shall not (1) retain, use, or disclose Customer Personal Data other than as needed to perform the Services; (2) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Teaching Strategies; (3) “sell” or “share” (each as defined in Applicable Data Protection Law) Customer Personal Data; and (4) combine Customer Personal Data with any information other than Customer Personal Data unless otherwise required to deliver the Services. The Parties acknowledge and agree that the disclosure of Customer Personal Data by the Customer to Teaching Strategies does not form part of any monetary or other valuable consideration exchanged between the Parties. Teaching Strategies will comply with obligations applicable to it as a Data Processor under Applicable Data Protection Law and will provide Customer Personal Data with the same level of privacy protection as is required by the Applicable Data Protection Law. Customer has the right to take reasonable steps to ensure that Teaching Strategies uses Customer Personal Data in a manner consistent with Customer’s obligations under Applicable Data Protection Law by exercising Customer’s audit rights in Section 8 of this GDPR Addendum. Teaching Strategies will inform Customer if it can no longer comply with its obligations under Applicable Data Protection Law. Upon notice to Teaching Strategies, Customer may take reasonable and appropriate steps to remediate Teaching Strategies’ use of Customer Personal Data in violation of this GDPR Addendum.

.

6.  DATA TRANSFER

.

6.1   To the extent possible, the Processor shall only transfer or authorize the transfer of Data to countries within the EU and/or countries subject to an adequacy decision, as provided for in art. 45 GDPR. If Personal Data processed under this Agreement is transferred from any country within the EU or any country subject to an adequacy decision to a country outside of this scope, the Parties shall ensure that the Personal Data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU- and/or UK- approved and then-current standard contractual clauses for the transfer of Personal Data or other transfer mechanisms as provided for by Data Protection Laws. Processor shall be authorized to perform such transfers to Subprocessors provided that adequate safeguards are implemented with regards to the nature of the transfer.

.

7.  DATA SUBJECT REQUESTS

.

7.1    Taking into account the nature of the processing, Processor shall reasonably assist Customer for the fulfilment of Customer’s obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws.

7.2   Processor shall:

a.     promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and

b.     ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Customer of that legal requirement before the Processor responds to the request.

.

8.  PROCESSOR PERSONNEL

.

8.1    Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of any Contracted Processor who may have access to Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data, as strictly necessary for the purposes of the Principal Agreement, and/or to comply with Data Protection Laws and other relevant legislation in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

.

9.  SUBPROCESSORS

.

9.1    The Customer hereby grants Processor general written authorization to engage Processor’s Affiliates as Subprocessors to Process Customer Personal Data and authorizes Processor and its Affiliates to engage third-party Subprocessors in connection with the delivery of services under the Agreement, subject to the requirements of this Section 6. For the avoidance of doubt, the above authorization constitutes Customer’s prior written consent to the subprocessing by Processor for purposes of the Standard Contractual Clauses. Processor may engage new Subprocessors or may change Subprocessors from time to time. Processor will provide the Customer with notice by updating the Subprocessor list available here (and by providing the Customer with a mechanism to receive notice of such updates) of any new Subprocessor at least fifteen (15) days in advance of providing such Subprocessor with access to Customer Personal Data. Customer will have fourteen (14) days from the date of receipt of Processor’s notice to approve or reject the new Subprocessor on reasonable grounds. In the event of no response from the Customer, the Subprocessor will be deemed accepted. If the Customer notifies Processor of an objection to the new or replacement Subprocessor, the Parties will discuss Customer’s concerns in good faith to achieve a commercially reasonable resolution. If no such resolution can be reached, either Party may terminate the Processing of the Customer Personal Data with immediate effect, and without liability to either Party, on written notice to the other Party.

.

9.2   Processor shall enter into written agreements with its Subprocessors containing data protection obligations that provide at least the same level of protection for Customer Personal Data as under this GDPR Addendum and shall in particular impose on its Subprocessors the obligation to implement appropriate technical and organizational measures in such a manner that the subprocessing will meet the requirements of Applicable Data Protection Law. Where a Subprocessor fails to fulfil its obligations, Processor shall remain fully liable under the Applicable Data Protection Law to Customer for the performance of that Subprocessor’s obligations.

.

10. SECURITY & BREACH MANAGEMENT

.

10.1  Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, without prejudice to any other security standards agreed upon by the Parties, Customer and Processor shall implement appropriate technical and organizational measures for the protection of the security, confidentiality, and integrity of the Customer Personal Data appropriate to the risk in accordance with Appendix 1 of this GDPR Addendum.

.

10.2 Processor will regularly monitor the measures as implemented in accordance with this Section 10. Processor may update the security measures from time to time provided that such updates do not result in a degradation of the overall security of the Services.

.

10.3 When Processor becomes aware of a Personal Data Breach, it shall notify Customer at Customer’s notification email address about the Personal Data Breach without undue delay, shall provide commercially reasonable cooperation to the Customer, and shall take commercially reasonable steps to remediate the Personal Data Breach, if applicable, to the extent that remediation is within Processor’s control. At the Customer’s request, Processor will promptly provide the Customer with all reasonable assistance necessary to enable the Customer to notify relevant Personal Data Breaches to the Regulators and/or affected Data Subjects, if Customer is required to do so under the Applicable Data Protection Law. Customer is solely responsible for complying with Personal Data Breach notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breach. The obligations of this Section 10.3 do not apply to Personal Data Breaches that are caused by the Data Controller, Users, and/or any products and services other than Data Processor’s.

.

10.4 Teaching Strategies will make reasonable efforts to identify the cause of that Breach Incident, notify the Customer within a timely manner to allow the Customer to meet its obligations to report a Breach Incident, and take steps Teaching Strategies considers necessary and reasonable to remediate the cause of the Breach Incident, to the extent remediation is within its reasonable control.

.

11. AUDIT & COMPLIANCE

.

11.1  Upon the Customer’s written request and with an executed Non-Disclosure Agreement, Processor shall provide a copy of its most current System and Organization Controls (SOC) II Type 2 Report no more than once annually so that Customer can reasonably verify Teaching Strategies compliance with its obligations under this GDPR Addendum.

.

11.2 To the extent the reports provided in Section 11.1 do not verify Processor compliance with its obligations under this GDPR Addendum, and subject to the audit requirements described in Clause 8 of the Standard Contractual Clauses, Customer may audit Processor compliance with this GDPR Addendum up to once per year, unless requested by a Supervisory Authority or in the event of a Security Incident. Such audit will be conducted by an independent third party (“Auditor”) reasonably acceptable to Processor. Processor will work cooperatively with Customer and Auditor to agree on a final audit plan in advance of the audit.  The results of the inspection and all information reviewed during such inspection will be deemed Processor’s confidential information and shall be protected by Auditor in accordance with the confidentiality provisions to be made between Processor and Auditor. Notwithstanding any other terms, the Auditor may only disclose to the Customer specific violations of the Addendum, if any, and the basis for such findings, and shall not disclose to Customer any of the records or information reviewed during the inspection. Customer shall give Processor at least sixty (60) days prior written notice of its intention to audit Processor pursuant to this Agreement. Audit shall be conducted during Processor’s business hours, shall not disrupt Processor’s operations, and shall ensure the protection of the Company’s, Processor’s, and other Data Subjects’ Personal Data.

.

12. DATA PROTECTION IMPACT ASSESSMENT

.

12.1  Upon Customer’s written request, taking into account the nature of the Processing and the information available to the Processor, the Processor shall provide Customer with reasonable cooperation and assistance to help the Customer fulfill its obligations (if applicable) under the Applicable Data Protection Law to (i) carry out a data protection impact assessment related to the Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and (ii) engage in prior consultations with Regulators as required under Article 36 of the GDPR or equivalent provision of the Applicable Data Protection Law.

.

13. RETURN AND DELETION OF DATA

.

13.1  Upon termination of this GDPR Addendum or upon fulfillment of the Purpose whereby no further Processing is required, Processor shall, at the request of Customer, either delete, destroy, or return all Customer Personal Data to the Customer and destroy or return any existing copies, except where otherwise required by applicable laws of the EEA, EEA member states, or the UK. The return of data may incur additional charges. Processor agrees to preserve the confidentiality of any retained Customer Personal Data and will only Process such Customer Personal Data after the date of termination in order to comply with those laws to which it is subject and to fulfill its obligations under this GDPR Addendum.

.

13.2 If Processor cannot delete all Customer Personal Data due to technical infeasibility, Processor will inform the Customer as soon as reasonably practicable and will take reasonably necessary steps to:

a.    perform a permanent deletion of Customer Personal Data, as is technically feasible;

.

b.    fully and effectively anonymize the remaining data; and

.

c.    make the remaining Customer Personal Data which is not deleted or effectively anonymized unavailable for future Processing.

.

14. CHANGES IN DATA PROTECTION LAWS

.

14.1  Processor may, on at least 30 days’ written notice to the Customer, from time to time, make any variations to this Addendum, which Processor considers (acting reasonably) are required as a result of any change in, or decision of a competent authority under Applicable Data Protection Law, to allow transfers and Processing of Customer Personal Data to continue without breach of Applicable Data Protection Law.

.

14.2 If the Customer objects to any variation on reasonable grounds, the Customer may, despite anything to the contrary in the Agreement, terminate the Agreement without penalty on written notice, provided the Customer’s notice of termination is received by Processor before the effective date of Processor’s notice. If the Customer does not terminate the Agreement in accordance with this clause, the Customer is deemed to have agreed to the variation.

.

15. LIMITATION OF LIABILITY

.

15.1  The liability of each party to the other party under or in connection with this Addendum is subject to the limitations and exclusions set out in the Agreement, and any reference in the Agreement to the liability of a party means the aggregate liability of that party under the Agreement and this Addendum together.

.

16. GENERAL

.

16.1  If any provision of this Addendum is or becomes unenforceable, illegal, or invalid for any reason, the relevant provision is deemed to be varied to the extent necessary to remedy the unenforceability, illegality, or invalidity. If variation is not possible, the provision must be treated as severed from this Addendum without affecting any other provisions of this Addendum.

.

17. Miscellaneous

.

17.1  Except as amended by this GDPR Addendum, the Agreement will remain in full force and effect.

.

17.2  If there is a conflict between the Agreement and this GDPR Addendum, the terms of this GDPR Addendum will control.

.

17.3  Any claims brought under this GDPR Addendum shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.

SCHEDULE 1

.

DETAILS OF PROCESSING

.

Data Controller:

 

Customer Name: _____________________________________

 

Customer Address: ___________________________________

 

Contact Name: ______________________________________

 

Contact Title: ________________________________________

 

Contact Email: _______________________________________
Activities relevant to the data transferred:

.

Data Processor:

 

Teaching Strategies, LLC (Teaching Strategies)

80 M St. SE Suite 1010 Washington, DC 20003

Contact: Dmitry Finkler

Title: Director, Data Privacy & Security

Email: [email protected]
.

Teaching Strategies provides a cloud-based full-featured online assessment system and curriculum resources that make it easy to conduct authentic, ongoing assessment and instructional support for children from birth through third grade. Proven valid and reliable through extensive field testing, the assessment system and resources are based on 38 objectives for development and learning that help teachers evaluate children’s progress toward mastering the knowledge, skills, and abilities that matter most for school success.

.

Nature and Purpose of Processing

 

Teaching Strategies will Process Customer Personal Data as necessary to provide the Services in accordance with the Agreement, as further specified in Teaching Strategies’ documentation relating to the Services, and as further instructed by the Customer and its personnel and other end users the Customer allows to use the Services through the use of the Services.

.

Duration of Processing

 

Teaching Strategies will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.

.

Categories of Data Subjects

 

.The personal data transferred concern the following categories of data subjects:

 

The Customer may submit Customer Personal Data to Teaching Strategies, the extent of which will be determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to, Customer Personal Data relating to the Customer’s students, teachers, staff, and parents/guardians who are natural persons.

.

Type of Customer Personal Data

 

The Customer may submit Customer Personal Data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to, the following categories of personal data:

 

  • Subscribers: Organizations and Individual Subscribers are members that have purchased a subscription from Teaching Strategies to use the Services. Subscribers provide their full name, the name of their organization, their mailing and e-mail addresses, telephone number, and information regarding their method of payment (e.g., purchase order number).
  • Group Members: Program and Site Administrators and Teachers are members who register through a school, school district, childcare center, Head Start program, or other organization that has purchased a subscription from Teaching Strategies to use the Services. They provide Teaching Strategies with their full names and e-mail addresses.
  • Invited Guests: Invited Guests are Parents and Others who register to use the Services in response to an invitation from another registered member. They provide their full names and e-mail addresses.
  • Student Data is information that personally identifies a student and his or her Portfolio. The personally identifiable information includes first name, last name, date of birth, gender, language spoken, ethnicity, and, where applicable, State Student Identification Number. Student Data is stored in online Portfolios. Each Portfolio includes Documentation and student specific data.
  • Documentation: Teachers observe children in the classroom and gather documentation of their learning and development over the course of the year. Documentation can be notes, photos, videos, samples of children’s artwork, and observations from families about their child’s development.

.

Special categories of data (if appropriate)

 

The personal data transferred concern the following special categories of data:

 

The data exporter may submit special categories of data, the extent of which will be determined and controlled by the data exporter in the data exporter’s sole discretion, which may include, but is not limited to, the following categories of personal data:

  • [Customer to Complete]

.

Processing operations

The personal data transferred will be subject to the following basic processing activities:

 

Teaching Strategies will process personal data according to its rights and perform its obligations under the Agreement.

.

SCHEDULE 2

 

List of sub-processors located at https://teachingstrategies.com/sub-processor-list/

 

Policy Reviewed on November 2025