H5P.com Data Protection Agreement
- H5P Group, a company incorporated in Norway (registration number 912 282 910) having its registered office at Strandgata 9, 9008 Tromsø (the "Provider"); and
- The Customer agreeing to these terms (the "Customer").
The Provider and the Customer are collectively called the Parties.
Except to the extent expressly provided otherwise, in this Agreement:
"Customer Personal Data" means any Personal Data that is processed by the Provider on behalf of the Customer in relation to this Data Protection Agreement;
"Data Protection Laws" means all applicable laws relating to the processing of Personal Data including, while it is in force and applicable to Customer Personal Data, the General Data Protection Regulation (Regulation (EU) 2016/679);
"Effective Date" means the date from which the Customer is allowed to use H5P.com;
"Personal Data" has the meaning given to it in the General Data Protection Regulation (Regulation (EU) 2016/679);
"Schedule" means any schedule attached to the main body of this Agreement;
"Term" means the Term as defined in the main agreement between the Customer and the Provider;
- The Provider shall comply with the Data Protection Laws with respect to the processing of the Customer Personal Data.
- The Customer warrants to the Provider that it has the legal right to disclose all Personal Data that it does in fact disclose to the Provider under or in connection with this Agreement.
- The Customer shall only supply to the Provider, and the Provider shall only process, in each case under or in relation to this Agreement, the Personal Data of data subjects falling within the categories specified in Part 1 of Schedule 1 (Data processing information) and of the types specified in Part 2 of Schedule 1 (Data processing information); and the Provider shall only process the Customer Personal Data for the purposes specified in Part 3 of Schedule 1 (Data processing information).
- The Provider shall only process the Customer Personal Data during the Term and for not more than 30 days following the end of the Term, subject to the other provisions of this Data Protection Agreement.
- The Provider shall only process the Customer Personal Data on the documented instructions of the Customer (including with regard to transfers of the Customer Personal Data to any place outside the European Economic Area), as set out in this Data Protection Agreement or any other document agreed by the parties in writing.
- Notwithstanding any other provision of this Agreement, the Provider may process the Customer Personal Data if and to the extent that the Provider is required to do so by applicable law. In such a case, the Provider shall inform the Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- The Provider shall ensure that persons authorized to process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- The Provider and the Customer shall each implement appropriate technical and organizational measures to ensure an appropriate level of security for the Customer Personal Data, including those measures specified in Part 4 of Schedule 1 (Data processing information).
- The Provider must not engage any third party to process the Customer Personal Data without the prior specific or general written authorization of the Customer. The Provider is hereby authorized by the Customer, as at the Effective Date, to engage those third parties identified in, or falling within the processor categories specified in, Part 5 of Schedule 1 (Data processing information) to process the Customer Personal Data. In the case of a general written authorization, the Provider shall inform the Customer at least 14 days in advance of any intended changes concerning the addition or replacement of any third party processor, and if the Customer objects to any such changes before their implementation, then the Provider must not implement the changes or the Customer may terminate this Agreement on 7 days' written notice to the Provider, providing that such notice must be given within the period of 7 days following the date that the Provider informed the Customer of the intended changes. The Provider shall ensure that each third party processor is subject to equivalent legal obligations as those imposed on the Provider by this Data Protection Agreement.
- The Provider shall, insofar as possible and taking into account the nature of the processing, take appropriate technical and organizational measures to assist the Customer with the fulfilment of the Customer's obligation to respond to requests exercising a data subject's rights under the Data Protection Laws.
- The Provider shall assist the Customer in ensuring compliance with the obligations relating to the security of processing of personal data, the notification of personal data breaches to the supervisory authority, the communication of personal data breaches to the data subject, data protection impact assessments and prior consultation in relation to high-risk processing under the Data Protection Laws.
- The Provider shall make available to the Customer all information necessary to demonstrate the compliance of the Provider with its obligations under this Data Protection Agreement and the Data Protection Laws.
- The Provider shall, at the choice of the Customer, delete or return all of the Customer Personal Data to the Customer after the provision of services relating to the processing, and shall delete existing copies save to the extent that applicable law requires storage of the relevant Personal Data.
- The Provider shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer in respect of the compliance of the Provider's processing of Customer Personal Data with the Data Protection Laws and this Data Protection Agreement. The Provider may charge the Customer at its standard time-based charging rates for any work performed by the Provider at the request of the Customer pursuant to this Data Protection Agreement.
- If any changes or prospective changes to the Data Protection Laws result or will result in one or both parties not complying with the Data Protection Laws in relation to processing of Personal Data carried out under this Agreement, then the parties shall use their best endeavors promptly to agree such variations to this Agreement as may be necessary to remedy such non-compliance.
- This Data Processing Agreement does not apply to documents, texts, videos or audios provided by the Customer to be enhanced with AI functionality (including Smart Import). The Provider encourages the Customer to not include Personal Information in such data, and the terms of the Data Processing Agreement will not apply even if such data contains personal information.
Schedule 1 (Data processing information)
- Categories of data subject
  - Administrators – Employees or others trusted by the Customer to have full access to the system.
  - Super users – Employees or others trusted by the Customer to have almost full access to the system.
  - Authors – Employees or others trusted by the Customer to have access to create and edit content as well as access to data about how other users have interacted with the content.
  - Learners – people trusted by the Customer to have access to the Customer’s content and to interact with the content in a way that may be logged through LTI, through the built-in Learning Record Store in H5P.com if the Customer has enabled it, or through APIs or other integrations.
  - Anonymous learners – in the case of public content, users who are not logged in may access this content and interact with it in a way that might be logged anonymously.
- Types of Personal Data
  - Each data subject has a profile containing her first name, last name, e-mail address and preferred language.
  - What content the data subject creates, updates or deletes, and when.
  - If enabled by the Customer, the system logs all the data subject’s interactions with the H5P content in the integrated Learning Record Store (LRS).
  - All pages visited by the data subject, when, from which location, from which system and from which IP address, using Google Analytics (if Google Analytics isn’t disabled by the Customer) and other access logs. The other access logs can’t be disabled by the Customer.
- Purposes of processing
  - The user profile is used to provide the data subject with access to the system, personalize their experience and make it clear for other users who has done what (who has created content, who has answered questions in content and more).
  - The system logs who creates content for many reasons including copyright and access control.
  - The Learning Record Store is provided in order to allow the Customer to get better insight into how the content created by the Customer is used, and in the case of the content being learning content also to allow the Customer to analyze the learning process of the content’s target audience.
  - If not disabled, Google Analytics is used to give the Provider an understanding of how the system is used, enabling the Provider to make informed decisions on how to improve the system. Other access logs are used for debugging, security and similar reasons.
  - No data is processed in order to provide advertisements or in any other way profit from the data subject’s use of the system except for the Charges specified in section 3 of schedule 1.
- Security measures for Personal Data
The Provider uses all reasonable endeavors to make sure that industry best practices are utilized to keep the Personal Data safe. This includes choosing leading hosting providers with proper practices and certifications (see AWS security for more information about our host provider’s security measures), efficient systems for keeping all software up to date, third-party penetration testing, coding safeguards, encryption both in transit and at rest, compartmentalization, the principle of least privilege, strong authentication of admin users and between components, and security measures related to the security of the devices and personnel who have administrative access to the entire application and infrastructure.
- Sub-processors of Personal Data
If not disabled, Google Analytics has access to Personal Data. In addition, Amazon Web Services, the provider of the infrastructure, has access to Personal Data. Also, when using LTI, the LTI consumer will have access to the learner’s scores when answering H5P content that includes scoring.