Appendix to the Agreement for Open edX hosting Data Processing Agreement

by and between

the contracting body,  as identified on the Agreement

– hereinafter, “Customer”–,

and OpenCraft GmbH, Jerusalemer Str. 14, 10117 Berlin

– hereinafter, “OpenCraft”–,

on the processing of personal data on behalf of a controller in accordance with Article 28 (3) of the EU General Data Protection Regulation (GDPR).

Preamble

This Data Processing Agreement (“DPA”) details the parties’ obligations on the protection of personal data, associated with the processing of personal data on behalf of the Customer as a data controller, and described in detail in the Agreement for Open edX hosting (hereinafter, the “Agreement”). Its provisions shall apply to any and all activities associated with the Agreement, in whose scope OpenCraft’s employees or agents may process Customer’s personal data (hereinafter, “Data”) on behalf of Customer as a controller (hereinafter, “Data Processing”).

1. Scope, duration and specification of the Data Processing

1.1 The scope and duration and the detailed stipulations on the type and purpose of Data Processing shall be governed by the Agreement.

1.2 Specifically, the Data Processing shall include, but not be limited to, the following Data:

Type of data

Type and purpose (Subject matter) of the Data Processing

Categories of data subject affected

  • Name,
  • position, 
  • email address, 
  • language, 
  • courses, 
  • content, 
  • comments and other discussion items, 
  • grades changes,
  • other personal data submitted by the data subject through the Open edX platform
  • data collected while the data subject uses the platform such as pages visited, IP used, time of visit, changes made to courses, etc. 

Provide platform and its functions to the data subject.


Providing support to the Customer, such as bug fixing.


Providing other services to the Customer, such as analytics or backups.

Teachers, managers or other faculty staff registered on the platform.

  • Name, 
  • position, 
  • email address, 
  • language, 
  • courses, tests and test contents, 
  • comments and other discussion items, 
  • wiki pages edited,
  • any other personal data submitted by the data subject through the Open edX platform
  • data collected while the data subject uses the platform such as pages visited, IP used, time of visit, changes made to courses, etc. 

Provide platform and its functions to the data subject 


Providing support to the Customer, such as bug fixing.


Providing other services to the Customer, such as analytics or backups.

Students

1.3 Except where this DPA stipulates obligations beyond the term of the Agreement, the term of this DPA shall be the term of the Agreement.

2. Scope of application and responsibilities

2.1 OpenCraft shall process Data on behalf of Customer. Such Data Processing shall include all activities detailed in the Agreement. Within the scope of this DPA, Customer shall be solely responsible for compliance with the applicable statutory requirements on data protection, including, but not limited to, the lawfulness of disclosing Data to OpenCraft and the lawfulness of having Data processed on behalf of Customer. Customer shall be the »controller« in accordance with Article 4 no. 7 of the GDPR.

2.2 Customer’s individual instructions on Data Processing shall, initially, be as detailed in the Agreement. Customer shall, subsequently, be entitled to, in writing or in a machine-readable format (e.g. via email), modify, amend or replace such individual instructions by issuing such instructions to the point of contact designated by OpenCraft. Instructions not foreseen in or covered by the Agreement shall be treated as requests for changes to the Agreement. Customer shall, without undue delay, confirm in writing or by email any oral instruction given.

3. OpenCraft’s obligations

3.1 Except where expressly permitted by Article 28 (3)(a) of the GDPR, OpenCraft shall process data subjects’ Data only within the scope of the Agreement and the instructions issued by Customer. Where OpenCraft believes that an instruction would be in breach of applicable law, OpenCraft shall notify Customer of such belief without undue delay. OpenCraft shall be entitled to suspending performance on such instruction until Customer confirms or modifies such instruction.

3.2 OpenCraft shall, within OpenCraft’s scope of responsibility, organize OpenCraft’s internal organization so it satisfies the specific requirements of data protection. OpenCraft shall, in particular, implement technical and organizational measures to ensure the adequate protection of Customer’s Data, which measures shall fulfil the requirements of the GDPR and specifically its Article 32. 

3.3 OpenCraft shall implement technical and organizational measures and safeguards that ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services. The technical and organizational measures implemented by OpenCraft at the time of entering into this DPA are set forth in Annex 1 to this DPA. It shall be Customer’s responsibility that such measures ensure a level of security appropriate to the risk. OpenCraft reserves the right to modify the measures and safeguards implemented, provided, however, that the level of security shall not be less protective than initially agreed upon as per OpenCraft’s Security Policy. OpenCraft’s Security Policy can be accessed via its public OpenCraft handbook, available under the address: https://opencraft.com/doc/handbook/security_policy/. It is Customer’s responsibility to inform himself on whether the technical and organizational measures have been updated.

3.4 OpenCraft shall support Customer, insofar as is agreed upon by the parties, and where reasonably possible for OpenCraft, in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Articles 33 to 36 of the GDPR.

3.5 OpenCraft warrants that all employees involved in Data Processing of Customer’s Data and other such persons as may be involved in Data Processing within OpenCraft’s scope of responsibility shall be prohibited from processing Data outside the scope of the instructions. Furthermore, OpenCraft warrants that any person entitled to process Data on behalf of Controller has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of such Data Processing.

3.6 OpenCraft shall notify Customer, without undue delay, if OpenCraft becomes aware of breaches of the protection of personal data within OpenCraft’s scope of responsibility. OpenCraft shall implement the measures necessary for securing Data and for mitigating potential negative consequences for the data subject; OpenCraft shall coordinate such efforts with Customer without undue delay.

3.7 OpenCraft’s point of contact for any issues related to data protection arising out of or in connection with the Agreement is Xavier Antoviaque <privacy@opencraft.com>.

3.8 OpenCraft warrants that OpenCraft fulfils its obligations under Article 32 (1)(d) of the GDPR to implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

3.9 OpenCraft shall correct or erase Data if so instructed by Customer and where covered by the scope of the instructions permissible. Where an erasure, consistent with data protection requirements or a corresponding restriction of processing is impossible, OpenCraft shall, based on Customer’s instructions, and unless agreed upon differently in the Agreement, destroy, in compliance with data protection requirements, all carrier media and other material or return the same to Customer. In specific cases designated by Customer, such Data shall be stored or handed over. The associated remuneration and protective measures shall be agreed upon separately, unless already agreed upon in the Agreement. 

3.10 OpenCraft shall, upon termination of Data Processing and/or upon Customer’s instruction, return all Data, carrier media and other materials to Customer or delete the same. In case of testing and discarded material no instruction shall be required.

Customer shall bear any extra cost caused by deviating requirements in returning or deleting data.

3.11 Where a data subject asserts any claims against Customer in accordance with Article 82 of the GDPR, OpenCraft shall support Customer in defending against such claims, where possible, against a reasonable compensation.

4. Customer’s obligations

4.1 Customer shall notify OpenCraft, without undue delay, and comprehensively, of any defect or irregularity with regard to provisions on data protection detected by Customer in the results of OpenCraft’s work. 

4.2 Section 3.10 of this DPA shall apply, mutatis mutandis, to claims asserted by data subjects against OpenCraft in accordance with Article 82 of the GDPR.

4.3 Customer shall notify to OpenCraft the point of contact for any issues related to data protection arising out of or in connection with the Agreement.

5. Enquiries by data subjects

Where a data subject asserts claims for rectification, erasure or access against OpenCraft, and where OpenCraft is able to correlate the data subject to Customer, based on the information provided by the data subject, OpenCraft shall refer such data subject to Customer. OpenCraft shall forward the data subject’s claim to Customer without undue delay. OpenCraft shall support Customer, where possible, and based upon Customer’s instructions. OpenCraft shall not be liable in cases where Customer fails to respond to the data subject’s request, or fails to do so correctly and/or in a timely manner.

6. Options for documentation

6.1 OpenCraft shall document and prove to Customer OpenCraft’s compliance with the obligations agreed upon in this DPA by appropriate measures.

6.2 Where, in individual cases, audits and inspections by Customer or an auditor appointed by Customer are necessary, such audits and inspections will be conducted during regular business hours, and without interfering with OpenCraft’s operations, upon prior notice, and observing an appropriate notice period. OpenCraft may also determine that such audits and inspections are subject to prior notice, the observation of an appropriate notice period, and the execution of a confidentiality undertaking protecting the data of other customers and the confidentiality of the technical and organizational measures and safeguards implemented. OpenCraft shall be entitled to reject auditors that are competitors of OpenCraft.

Customer hereby consents to the appointment of a competent, independent external auditor by OpenCraft if OpenCraft so choses, provided that OpenCraft provides a copy of the audit report to Customer.

OpenCraft shall be entitled to request a remuneration for OpenCraft’s support in conducting inspections where such remuneration has been agreed upon in the Agreement. OpenCraft’s time and effort for such inspections shall be limited to one day per calendar year, unless agreed upon otherwise.

6.3 Where a data protection supervisory authority or another supervisory authority with statutory competence for Customer conducts an inspection, Section 6.2 of this DPA above shall apply mutatis mutandis. The execution of a confidentiality undertaking shall not be required if such supervisory authority is subject to professional or statutory confidentiality obligations the breach of which is sanctionable under the applicable criminal code.

7. Sub-Processors (further processors on behalf of Customer)

7.1 Customer hereby consents to OpenCraft’s use of sub-processors. OpenCraft shall, prior to the use or replacement of sub-processors, inform Customer thereof. The approved sub-processors are listed in Annex 2 to this DPA.

7.2 OpenCraft shall conclude with such sub-processors the contractual instruments necessary to ensure an appropriate level of data protection and information security in accordance with Article 28 (4) GDPR. Where OpenCraft commissions sub-processors, OpenCraft shall be responsible for ensuring that OpenCraft’s obligations on data protection resulting from the Agreement and this DPA are also valid and binding upon sub-processors.

8. Obligations to inform, mandatory written form, choice of law

8.1 Where the Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in OpenCraft’s control, OpenCraft shall notify Customer of such action without undue delay. OpenCraft shall, without undue delay, notify to all pertinent parties in such action, that any data affected thereby is in Customer’s sole property and area of responsibility, that data is at Customer’s sole disposition, and that Customer is the responsible body in the sense of the GDPR.

8.2 No modification of this DPA and/or any of its components – including, but not limited to, OpenCraft’s representations and warranties, if any – shall be valid and binding unless made in writing or in a machine-readable format (in text form), and furthermore only if such modification expressly states that such modification applies to the regulations of this DPA. The foregoing shall also apply to any waiver or modification of this mandatory written form.

8.3 In case of any conflict, the data protection regulations of this DPA shall take precedence over the provisions of the Agreement. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.

8.4 This DPA is subject to the laws of Germany.

9. Liability and damages

The provisions on the parties’ liability contained in the Agreement shall be valid also for the purposes of Data Processing, unless expressly agreed upon otherwise.



Annex 1 – Technical and Organizational Measures

OpenCraft’s most recent technical and organizational measures can be accessed via its OpenCraft handbook, available under the address: https://opencraft.com/doc/handbook/security_policy



Annex 2 – Approved List of OpenCraft Sub-Processors

Amazon

We make use of Amazon Web Services to store client’s instance data.

Amazon’s DPA is part of the Service Agreement.

Gandi.net

Gandi.net is our DNS provider and we do not store PII on Gandi.net

Google

Google provides workspace applications that might be used to store PII. Information on signing the DPA can be found here.

Freshbooks

Freshbooks provides accounting software as a service and stores our customers information. Freshbook’s DPA (https://www.freshbooks.com/wp-content/uploads/FreshBooks-Data-Processing-Agreement_2021.pdf) is part of the Service Agreement.

OVH

We make use of OVH cloud services to rent computing resources to store databases where client data is processed. Here is their DPA.

New Relic

New Relic provides performance monitoring services on our hosted systems. We do not store PII on New Relic.

Tarsnap

We currently store backups of all our systems and client data on Tarsnap. Here is their DPA.