DPA and GDPR Compliance

Please note: If you require a signed copy of the agreement, please request one via email to support@gonurture.com.

This Data Processing Agreement (“Agreement”) is an addendum to the Nurture add-in to Microsoft Teams Terms of Use.  The agreement details the rights and obligations of a User of Nurture and the software designer and owner Nurture (jumpAgrade Technology Ltd.), (together “the Parties”) with respect to the processing and security of Personal Data, as required for GDPR compliance.

When a User adds Nurture to their Microsoft Teams account the current Data Processing Agreement on Nurture' website applies. If a new feature is introduced to Nurture the Data Processing Agreement may be updated and will apply to the User’s use of those new features.

WHEREAS:

• The User acts as a Data Controller (the “Controller”).
• The Controller wishes to add Nurture to his Microsoft Teams account, which implies processing of Personal Data by Nurture (jumpAgrade Technology Ltd.), Heywoods,​ Castleconnell,​​ Co.​​Limerick, Ireland, acting as a Data Processor (the” Processor”).
• The Parties seek to implement a Data Processing Agreement that complies with the requirements of Art 28 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
• Both Parties will comply with GDPR and applicable Data Protection Laws and regulations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

Unless otherwise defined herein, capitalized terms and expressions used in this agreement shall have the following meaning:

“Agreement” means this Data Processing Agreement and Appendices A and B.

“Personal Data” means any Personal Data processed by the Processor on behalf of the Controller, pursuant to or in connection with the Processor Terms of Use.

“EEA” means the European Economic Area.

“Data Protection Laws” means EU/EEA Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.

“GDPR” means EU General Data Protection Regulation 2016/679.

“Sub-processor” means other processors used by Nurture to process Controllers personal data in connection with the Service, for example to store the personal data.  

“Data transfer” means a transfer of Controller Personal Data to the Processor or a transfer of Controllers Personal Data to a Sub-processor.

The terms, “Controller”, “Processor” Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their related terms shall be interpreted accordingly.

2. Processing of Controllers Personal Data

The Processor shall process the Controller’s personal data only on documented instructions from the Controller, unless required to do so by national law to which the Processor is subject. The instructions shall be specified in Appendix A.

3. Confidentiality

The Processor shall take reasonable steps to ensure the reliability of any employee, agent or any Sub-processor who may have access to the Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to access the relevant Personal Data, as strictly necessary for the purposes of the Processor service, and to comply with applicable laws in the context of that individual’s duties to the Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security of processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall in relation to the Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) (a-d) of the GDPR. Depending on their relevance, the measures may include the following:

1. the pseudonymisation and encryption of personal data.
2. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services.
3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
4. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In assessing the appropriate level of security, Processor shall take into account the risks that are presented by Processing, in particular from a Personal Data Breach.

5. Use of Sub-processor

The Processor has the Controller’s general authorisation for the engagement of Sub-processors. The processor shall inform in writing the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 21 days in advance, thereby giving the Controller the opportunity to object to such changes. A list of sub-processors already authorised by the Controller can be found in Appendix B.

Where the Processor engages a Sub-processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in the agreement shall be imposed on that Sub-processor by way of an agreement.

6. Assistance to the Controller

Taking into account the nature of the processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controllers obligations, to respond to requests to exercise Data Subject rights under GDPR and other Data Protection Laws.

• If the Processor receives a request from a Data Subject to exercise one or more of its rights under the GDPR, it will be forward to the Controller at once.

The Processor shall provide reasonable assistance to the Controller with any Data Protection Impact Assessments (DPIA) and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Controllers Personal Data by, and taking into account the nature of, the processing and information available to the Processor.

7. Notification of Personal Data Breach

The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller Personal Data. Such notification shall meet the Controller’s obligation to notify the competent Supervisory Authority and the Data Subject if applicable, and include that information a Processor must provide to a Controller under Art. 33 (3) of the GDPR to the extent such information is reasonably available to the Processor.  

The Controller shall immediately notify the Processor if he becomes aware of a Personal Data Breach or has any suspicion of a breach in connection with the use of Nurture.

8. Deletion or return of Personal Data

On termination of the Nurture service the Processor shall, at the choice of the Controller, delete or return all the personal data to the Controller and delete existing copies unless EU/EEA data protection or other state laws requires storage of the personal data. For more information about the process of the returning and deleting the personal data after termination of the service, see Terms of Use.

9. Audit rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and the Agreement, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

10. Data Transfer

For Controllers covered by the GDPR the Processor may not transfer or authorize a transfer of Personal Data to countries outside the European Economic Area (EEA) without a prior written consent of the Controller. If Personal Data processed under this Agreement is transferred from a country within the EEA to a country outside the EEA, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.

11. The rights and obligations of the Controller

The Controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (Art. 24), the applicable national Data Protection Laws and this Agreement.

The Controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.

The Controller shall be responsible for ensuring that the processing of personal data, which the Processor is instructed to perform, has a legal basis.

• Right to access: Users can access their information and the data Nurture store at anytime. Nurture will fully disclose what information is processed concerning them.
• Right of rectification: Users can edit their data in the Nurture application and update any of their information.
• Right of cancellation: Users can remove their information from the Nurture system by requesting their data to be permanently deleted from the system.
• Right to restrict processing: When Nurture are asking the user for additional information, if it is not required for the Nurture application to work, the user has the option to not provide the optional information. For each case Nurture would clearly outline what that information is used for in our processing.
• Right to data portability: Users can request an export of their data that Nurture have stored on them in the Nurture database.
• Right to object: Users can reject any permissions we are requesting to access data that Nurture want to sync from integration (such as Microsoft Teams or Google Classroom). The request for permission is prompted by the platform and, without consent, Nurture cannot access the information. For any optional requests, the user will have a clear option to reject the request. e.g. request to receive marketing emails.

12. Notices and updates

All notices and communications given by the Processor under this Agreement must either be in writing, published on the website or sent by email.

The Processor shall be notified by email sent to the address: support@gonurture.com

13. Governing Law

This agreement is governed by Irish laws and EU/EEA Data Protection Laws.

14. Commencement and duration

This agreement becomes effective when Controller adds Nurture in Microsoft Teams.

The Agreement shall apply for the duration of the Personal Data processing by Nurture (jumpAgrade Technology Ltd.) on behalf of the Controller.  

Appendix A: Information about Nurture add-in to Microsoft Teams processing

Nature of processing: The data processing performed by Nurture add-in to Microsoft Teams on behalf of the Controller relates to the service of Nurture (jumpAgrade Technology Ltd.). Nurture is an add-in dedicated to extending the functionality of Microsoft Teams for teachers and educators. Nurture provides functionality inside of Teams for teachers to store digital lesson resources, organise their daily work and share content with other teachers and students.

Purpose of processing: Enable Nurture Users to create, store and share with fellow teachers and pupils for example lessons plans, class lists and notes regarding students’ behaviour, learning progress and more.

Type of personal data:

• Name, E-mail address, Assessments and IP address (IP address is only recorded for security reasons).

Categories of Data Subjects:

Students, Teachers and other staff.

Appendix B: Sub-processor