Canadian Data Processing Addendum
Effective Date: May 25, 2022
This Canadian Data Processing Addendum (the “Canadian DPA“) is supplementary to and forms part of the Clever General Terms of Use, located here or such other successor URL), or other electronic or written agreement governing School’s use of the Services (the “Agreement“) and is subject to the provisions therein (including limitations of liability). This Canadian DPA applies where and to the extent that Clever processes School Personal Information that is subject to Canadian Data Protection Laws (as defined below) on behalf of a School (“you” or “your“). If you are not a School (as defined in the Agreement), this DPA does not apply to you. Except as they may be modified herein, the terms of the Agreement will continue in full force and effect as specified in the Agreement and will apply to this Canadian DPA. Capitalized terms not defined herein have the meaning given in the Agreement.
1. Definitions
1.1 In this Canadian DPA, the following terms have the following meanings:
- (a) “Affiliate” means any entity that directly or indirectly is controlled by or is under common control with a party, where “control” means either (i) direct or indirect ownership or control of greater than 50% of the voting securities of such entity, or (ii) the ability to control the activities of the entity through contractual rights.
- (b) “Canadian Data Protection Laws” means, as applicable to a party: (i) with respect to Clever or private educational institutions, the Personal Information Protection and Electronic Documents Act, SC 2000, c 5, the Personal Information Protection Act, SBC 2003, c 63, the Personal Information Protection Act, SA 2003, c P-6.5 and the Act respecting the protection of personal information in the private sector, CQLR c P-39.1, each as amended from time to time and the regulations made pursuant thereto and (ii) the Freedom of Information and Protection of Privacy Act, RSO 1990, c F.31, Freedom of Information and Protection of Privacy Act, RSBC 1996, c 165, Freedom of Information and Protection of Privacy Act, RSA 2000, c F-25, Act respecting Access to documents held by public bodies and the Protection of personal information, CQLR c A-2.1, and other similar provincial or territorial acts, each as amended from time to time and the regulations made pursuant thereto.
- (c) “Data Subject” means the individual about whom the Personal Information relates.
- (d) “Personal Information” means any information relating to an identified or identifiable natural person.
- (e) “Personal Information Breach” means any unauthorised or unlawful breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to School Personal Information. A “Personal Information Breach” does not include unsuccessful attempts or activities that do not compromise the security of School Personal Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- (f) “Privacy Commissioner” means the applicable governmental authority with jurisdiction to enforce Canadian Data Protection Laws.
- (g) “process” and its cognates “processing”, “processes” and “processed” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- (g) “School Personal Information” means any Personal Information, including Student Data, that is protected by Canadian Data Protection Laws and which Clever processes on your behalf as part of the Services, as more particularly described in Schedule 1.
- (i)“Sub-processor” means any third party engaged by Clever to process School Personal Information. A “Sub-processor” may include a Clever Subsidiary but does not include Clever employees, contractors or consultants.
2. Role and Scope of Processing
2.1 Scope. This Canadian DPA applies to the processing of School Personal Information on behalf of the School as part of the Services. This Canadian DPA does not apply to Personal Information that Clever collects and uses for its own purposes (such as for School account creation and billing) or Personal Information that you may process via third-party websites or services (including but not limited to applications made available by Developers). Personal Information that Clever collects and uses for its own purposes is governed by the Clever Privacy Policy currently located at https://clever.com/trust/privacy/policy.
2.2 Details of Processing. The subject matter, nature, purpose, and duration of the Processing, as well as the types of School Personal Information processed and categories of Data Subjects, are described in Schedule 1 to this Canadian DPA.
2.3 Processing Relationship. You acknowledge that with regard to the processing of School Personal Information, you are the accountable entity to the Data Subject and Clever is your processor under Canadian Data Protection Laws. As between you and Clever, you own all School Personal Information and Clever’s rights in such School Personal Information are limited to processing the School Personal Information in accordance with this Canadian DPA and the Agreement. You acknowledge that Clever may disclose this Canadian DPA and any relevant privacy provisions in the Agreement to a Privacy Commissioner, or any other judicial or regulatory body upon their request.
2.4 School Responsibilities. You will, in your use of the Services: (a) be responsible for determining whether the Services are appropriate for the processing and storage of School Personal Information under Canadian Data Protection Laws; (b) comply with your obligations as the accountable entity under Canadian Data Protection Laws and ensure that your instructions to Clever are lawful and comply with Canadian Data Protection Laws; and (c) have sole responsibility for the accuracy, quality, and legality of School Personal Information and the means by which you acquired School Personal Information.
2.5 Notice and Consent. You represent and warrant that you have obtained all consents, permissions and rights necessary for Clever, and its Affiliates and Sub-processors, to lawfully process School Personal Information for the purposes contemplated by the Agreement, and (where necessary) that you have the authority to provide consent on behalf of parents.
3. Processing of School Personal Information
3.1 Processing Instructions. Clever will process School Personal Information only in accordance with your lawful documented instructions and will not process School Personal Information for its own purposes, except where required by applicable laws. The Agreement, including this Canadian DPA, along with your configuration of any settings or options in the Services, constitute your complete and final instructions to Clever regarding the processing of School Personal Information. Clever shall promptly notify you if it determines that your instructions infringe Canadian Data Protection Laws, but without obligation for Clever to actively monitor your compliance with Canadian Data Protection Laws.
3.2 Confidentiality of processing. Clever will ensure that any person it authorizes to process School Personal Information is subject to an appropriate duty of confidentiality (whether a contractual or statutory duty) and that they process School Personal Information only as necessary for the purpose of delivering the Services.
3.3 Security. Clever will implement and maintain reasonable and appropriate technical and organisational security measures with the aim of protecting School Personal Information from Personal Information Breaches. At a minimum, such measures will include the measures set out in Schedule 2 (“Security Measures“). You acknowledge that the Security Measures are subject to technical progress and development and that Clever may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish overall security of the Services.
3.4 Personal Information Breaches. In the event of a Personal Information Breach, Clever will inform you without undue delay and provide you with written details of the Personal Information Breach, including the type of data affected and the identity of affected Data Subjects, once such information becomes known or available to Clever. Clever will, to the extent possible, provide you with timely information and cooperation to enable you to fulfil your data breach reporting obligations under Canadian Data Protection Laws (if any) and will take reasonable steps to remedy or mitigate the effects of the Personal Information Breach.
3.5 Inspection Rights. Upon request, Clever will provide copies of any certifications, audit report summaries and/or other relevant documentation it possesses, where reasonably required by you to verify Clever’s compliance with this Canadian DPA. While it is the parties’ intention ordinarily to rely on such certifications, audit report summaries and/or other documentation to verify Clever’s compliance with this Canadian DPA, following a confirmed Personal Information Breach or where a Privacy Commissioner requires it, you may provide Clever with thirty (30) days’ prior written notice requesting that a third-party conduct an inspection of Clever’s operations and facilities (“Inspection“) provided that (i) any Inspection will be conducted at your expense, (ii) the parties shall mutually agree upon the scope, timing and duration of the Inspection, (iii) the Inspection shall not unreasonably impact Clever’s regular operations, (iv) you will not have access to any files or systems that could result in the exposure of confidential information of other customers of Clever, and (v) the Inspection will be restricted to operations and facilities under Clever’s control. Any certifications, audit report summaries and/or other relevant documentation provided by Clever, and the findings of any Inspection, will be subject to the confidentiality provisions of the Agreement.
3.6 Sub-processors. You grant Clever a general authorization to engage Sub-processors, including those Sub-processors listed here (or such other successor URL) (“Sub-processor List“) and Clever will:
- (a) notify you in the event of the engagement of any new or replacement Sub-processor, including updating the Sub-processor List;
- (b) impose data protection terms on any Sub-processor it engages that, having regard to the duties of such Sub-processor, will be sufficient for Clever to meet is obligations under this Canadian DPA as though Clever were performing the duties of such Sub-processor; and
- (c) remain liable for any breach of this Canadian DPA caused by an act, error or omission of its Sub-processors.
3.7 Objection to Sub-processors. You may object to Clever’s appointment of any new or replacement Sub-processor in writing within ten (10) days after receiving notice in accordance with Section 3.6 and on reasonable grounds related to the Sub-processor’s ability to ensure compliance with this Canadian DPA. In such case, we will discuss your concerns in good faith with a view to achieving a commercially reasonable resolution. If we cannot reach such resolution, Clever will have the right, at its sole discretion, to either not appoint the disputed Sub-processor or allow you to suspend or terminate the Agreement. In the event you terminate the Agreement, Clever will refund to you a pro rata share of any prepaid fees for the remaining and unexpired portion of the Services. This will be your exclusive remedy and Clever’s entire liability for resolving objections to Clever’s appointment of Sub-processors under this Canadian DPA.
3.8 Demands. If Clever receives a valid and binding subpoena, warrant, order or other demand (each a “Demand”) from any governmental body (“Requesting Party”) for disclosure of School Personal Information, Clever will use all reasonable efforts to redirect the Requesting Party to request School Personal Information directly from you. If Clever is compelled to disclose School Personal Information to a Requesting Party, Clever will promptly notify you of the Demand to allow you to seek a protective order or other appropriate remedy, if you are legally permitted to do so. If Clever is prohibited from notifying you about the Demand, Clever will use reasonable and lawful efforts to obtain a waiver of prohibition to allow Clever to communicate as much information to you as soon as possible. If Clever is prohibited from notifying you, Clever will challenge any overbroad or inappropriate Demand (including where such Demand conflicts with Canadian Data Protection Laws). Further, Clever will disclose only the minimum amount of School Personal Information necessary to satisfy the Demand.
3.9 Cooperation and Data Subject Requests. Clever will reasonably cooperate to enable you to respond to any requests, complaints or other communications from Data Subjects, Privacy Commissioners or other regulatory or judicial bodies relating to the processing of School Personal Information by Clever, including requests from Data Subjects seeking to exercise their rights under Canadian Data Protection Laws. In the event that any such request, complaint or communication is made directly to Clever, Clever will pass on the request to you as soon as feasible and will not respond directly without your express authorization (unless required to do so in order to comply with applicable law(s)).
3.10 Data Protection Impact Assessments. To the extent required under Canadian Data Protection Laws, Clever will provide you with reasonable assistance (at your cost) with conducting data protection impact assessments and your consultation with Privacy Commissioners (if any).
3.11 Deletion. Upon termination or expiry of the Agreement, and at your election, Clever will delete or return all School Personal Information in Clever’s possession in accordance with the Agreement and Clever’s then-current data deletion timelines and policies. This requirement will not apply to the extent that Clever is required by applicable law(s) to retain some or all of the School Personal Information or to School Personal Information archived on back-up systems, in which event Clever shall isolate and protect such School Personal Information from any further processing except to the extent required by such law. Clever will provide a certification of deletion upon your written request. For the purpose of this section, “delete” means to render the School Personal Information permanently incapable of reconstruction.
4. International Transfers
4.1 Processing Location. You agree that Clever may transfer and process School Personal Information in the United States and any other country in which Clever, Clever Subsidiaries and Sub-processors maintain processing facilities. Clever will not transfer or process School Personal Information (nor permit such data to be transferred or processed) outside Canada unless it first takes such measures as are necessary to ensure the transfer is in compliance with applicable Canadian Data Protection Laws and this Canadian DPA. Clever will provide you with a list of countries to which Clever may transfer and process School Personal Information upon request.
Schedule 1 – Details of the Processing
This Schedule describes the processing of Personal Information by the parties in connection with the Services and forms an integral part of the Agreement. Capitalised terms not defined herein have the meaning given in the Agreement.
Categories of data subjects | School admins, staff and teachers who access the Services on behalf of the SchoolStudents who use the ServicesParents or guardians that create an account on Clever |
Categories of Personal Information | Account information (name, email address, phone number, title, username, password)School record information (ID, name, email address, title, username)Student Data (Student ID, address, birthdate, gender, grade level, graduation year, English language learner, race or ethnicity, username, contact information, parent name and contact information)Clever messaging communications (content and metadata)Analytics data (App ID, usage data, aggregate and anonymous data) |
Sensitive data (if applicable) | The sensitive data that may be processed through the Services is determined and controlled by the School in its sole discretion and may include Student Data revealing racial or ethnic origin. See Schedule 2 for applied restrictions and safeguards for sensitive data. |
Frequency of the transfer and processing | Continuous (depending on the School’s use of the Services). |
Nature of the processing | Collection, storage, organisation, modification, retrieval, disclosure, communication and other uses in performance of the Services as set out in the Agreement. |
Purpose(s) of the data transfer and processing | Processing activities in performance of the Services as set out in the Agreement. |
The period for which the Personal Information will be retained, or, if that is not possible, the criteria used to determine that period | Personal Information will be retained in accordance with Section 3.11 of this Canadian DPA. |
Subject matter, nature and duration of processing | As above. |
Schedule 2: Security Measures
Clever’s technical and organisational security measures designed to protect School Personal Information can be found at https://clever.com/trust/security/practices