Data Protection Addendum

This Data Protection Addendum is between Framework Computing Consultants T/A Digitary Digitary (referred to herein as “Digitary” or “Service Provider”) and the Digitary Member identified on the Order Form for the purchase of certain Digitary Services between the parties hereto (the “Agreement”), to which this Addendum is incorporated (referred to herein as the “Data Controller” or “Member”) and is effective as of the order from date (the “DPA”). The terms of this DPA are hereby incorporated by reference into the terms of the Agreement (defined below).

This DPA shall apply and govern the processing of Personal Data solely to the extent that: 1) Digitary is a data processor or service provider under the terms of applicable data protection law (as defined below); 2) Data Controller is subject to the applicable data protection law; and 3) Digitary performs processing of Personal Data under the Agreement.


1. Definitions. The following terms in this DPA shall have the following meanings:

    1. “applicable data protection law”  means all applicable laws, regulations, and other legal requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and any amendments thereto (“CCPA”); the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the Swiss Federal Data Protection Act; and the United Kingdom Data Protection Act of 2018 (“UK Privacy Act”).  
    2. “CCPA” means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations or guidance provided by the California Attorney General. Terms defined in the CCPA, including personal information and business purposes, carry the same meaning in this DPA, provided that this DPA applies to only to personal information that Service Provider receives or accesses in connection with providing the Services to Member and shall not apply to personal information that Service Provider processes independent of the Services Agreement.
    3. “data controller” refers to the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data, and for purposes of this DPA is identified above as the Data Controller;
    4. “data processor” refers to the natural or legal person which, alone or jointly with others, processes personal data on behalf of the data controller, and for the purposes of this DPA is Digitary;
    5. “data subject” shall have the meaning given to it in the applicable data protection laws;
    6. “technical and organizational security measures” means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
    7. “Personal Data” includes “personal data,” “personal information,” and “personally identifiable information,” and such terms have the same meaning as defined in applicable data protection law.
    8. “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or exfiltration of, or access to Personal Data.
    9. “processing” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    10. “sub-processor” means any data processor affiliate or subcontractor engaged by Digitary for the processing of Personal Data.
    11. “EU Standard Contractual Clauses” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at and completed as described in the “Data Transfers” section below.
    12. “UK Standard Contractual Clauses” means the International Data Transfer DPA to the EU Commission Standard Contractual Clauses (available as of the Effective Date at, completed as set forth in “Data Transfers” below.


2. Nature and Purpose of the Processing. The processing is being conducted solely for the purpose set forth in the Agreement for the applicable Digitary services detailed in the Agreement (the “Services”) and for the term of the Agreement, which may include fulfilling requests for transcripts and other credential-types and admissions-related documents, including the processing of orders to have a specific document or record sent from a record holder to a record recipient. Digitary has no obligation to monitor the compliance of Member’s use of the Services with applicable data protection law. The terms and conditions of the Agreement, including this DPA, along with Member’s configuration of any settings or options in the Services constitute Member’s complete and final instructions to Digitary regarding the processing of Personal Data, including for purposes of the Standard Contractual Clauses. Without limiting the foregoing:

    1. Digitary will not process the Personal Data in a manner inconsistent with Digitary’s role as Member’s “Service Provider”. 
    2. Digitary will not “sell” or “share” the Personal Data in a manner inconsistent with Digitary’s role as Member’s “Service Provider”. 


3. Data Controllers. Data Controller provides a limited amount of its client and/or student user data to Digitary. The parties agree that all processing of Personal Data by Digitary and/or any sub-processor will be performed only pursuant to the instructions from Data Controller as set forth in the Agreement. Digitary understands and agrees that the Data Controller has the rights and obligations as set forth in the applicable clauses of the applicable data protection law.  Digitary shall promptly inform the Data Controller if, in Digitary’s opinion, an instruction from the Data Controller regarding Personal Data infringes applicable data protection law. Additionally, Digitary shall promptly notify the Data Controller if Digitary determines that it can no longer meet its obligations under applicable data protection law.


4. Obligations of Digitary. Digitary, to the extent it is a data processor under the terms of this DPA and applicable data protection law, agrees:

    1. to process Personal Data only under the authority of and on behalf of the written instructions of Data Controller, including as set forth in the Agreement, unless required by law to act without or against such instructions, in such case Digitary shall inform the Data Controller immediately of such legal requirements unless Digitary is legally prohibited from doing so;
    2. to ensure that any persons authorized to process Personal Data have confidentiality obligations or are under appropriate fiduciary obligations of confidentiality;
    3. that it has implemented and maintains commercially appropriate technical and organisational security measures appropriate for the nature, scope and type of processing being performed in compliance with the applicable data protection law, and that it has reviewed the technical and organisational security measures of sub-processors (if any);
    4. to notify the Data Controller within 48 hours of confirmed knowledge by Digitary of any Personal Data Breach;
    5. to the extent Data Controller, in its use of the Services, does not have the ability to address a request regarding Personal Data directly, to provide reasonable assistance to Data Controller to allow it to respond to any request by an data subject seeking to exercise any of his or her rights under applicable data protection law (including rights of access, correction, objection, and erasure, as applicable);
    6. to provide reasonable assistance to Data Controller in complying with any legally binding requests related to Personal Data by a law enforcement authority unless otherwise prohibited, including in responding to a Personal Data Breach and complying with any applicable data breach notification laws in connection with a Personal Data Breach and to assist Data Controller with data protection impact assessments and consultations, when and if required;
    7. With undue delay after discovering a Personal Data Breach has occurred, inform the Data Controller of the Personal Data Breach and, to the extent available of:
      1. The nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of Personal Data records concerned;
      2. The likely consequences of the Personal Data Breach; and
      3. Measures taken or proposed to be taken by Digitary to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects; 
    8. to abide by and cooperate with the requests of the supervisory authority with regard to the processing of Personal Data;
    9. to submit its data processing activities for audit by the Data Controller as required to reasonably demonstrate compliance with its obligations under applicable data protection law no more than once annually, provided that Data Controller or any third-party representative is bound by obligations of confidentiality for such audit information.  For clarity, such audits or inspections are limited to Digitary’s processing of Personal Data subject to the applicable data protection law on behalf of Data Controller only, not any other aspect of Digitary’s business or information systems or other members. Data Controller shall provide Digitary with sixty (60) days prior written notice to an audit, shall conduct an audit in a manner that will result in minimal disruption to Digitary’s business operations, and shall not be entitled to receive data or information of other members or any other confidential information that is not directly relevant for the authorized purposes of the audit. This provision does not grant Data Controller any right to conduct an on-site audit of Digitary’s premises. Data Controller shall reimburse Digitary for any reasonable time expended for an audit at the Digitary’s then-current rates, which shall be made available to Data Controller upon request.; and
    10. upon completion of the Services and request by the Data Controller, to destroy or return all Personal Data processed on behalf of Data Controller, using industry standard methods for data destruction appropriate to the type of Personal Data provided, except to the extent that applicable legal requirements require storage of the Personal Data, in which case Digitary will (a) to the extent legally permitted, inform Data Controller of the legal requirement and of the particular Personal Data records that Digitary intends to retain, (b) not Process the Personal Data for any purpose other than compliance with the legal requirement, and (c) securely destroy such Personal Data as soon as practicable.  


5. Sub-processors. Data Controller acknowledges and agrees that Digitary may engage sub-processors for the processing of Personal Data in compliance with applicable law to provide the Services.  Digitary’s current list of sub-processors is available at Schedule A.  Data Controller hereby approves of such sub-processors.  Digitary will impose contractual obligations on any sub-processors that are substantially the same as the data protection obligations set forth in this DPA and will remain liable to the Data Controller for sub-processors performance of such data protection obligations.  Ten (10) days prior to a new sub-processor’s proposed Processing of Personal Data, Digitary will notify the Data Controller of the identity of the proposed sub-processor.  If the Data Controller provides Digitary reasonable objection to a sub-processor due to a reasonable belief that the sub-processor cannot provide the level of protection required under this DPA, the parties will work in good faith to find an appropriate solution, which may include (i) Digitary providing the Data Controller with records or information that provide reasonable assurance that the sub-processor will provide such level of protection or (ii) providing available alternatives to change the services or receive the services from an alternate sub-processor.  


6. Obligations of the Data Controller. The Data Controller agrees and represents and warrants to Digitary the following:

    1. that it has obtained all necessary rights and consents under applicable data protection law as required for Digitary to perform the Services under the Agreement or otherwise process any Personal Data as contemplated in this DPA
    2. The Data Controller will not instruct Digitary to process Personal Data in violation of applicable law. In the event of a change in the legislation is likely to have a substantial adverse effect on the warranties and obligations provided by this DPA, Data Controller will promptly notify Digitary of such change, in which case Digitary is entitled to suspend the processing of the relevant sub-processors; and
    3. to implement and maintain data protection policies that are compliant with the applicable data protection law.


7. Data Transfers To the extent that the Services involve a transfer of Personal Data from Data Controller in the United Kingdom, EEA or Switzerland to Digitary systems or personnel processing data outside such jurisdiction,  the Parties agree:

    1. With respect to Personal Data transferred from the EEA and Switzerland, the EU Standard Contractual Clauses form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict, and they will be deemed completed as follows:
      1. Data Controllers acts as a controller and Digitary acts as Processor with respect to the Personal Data subject to the EU Standard Contractual Clauses, and its Module 2 applies.
      2. Clause 7 (the optional docking clause) is included.
      3. Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of sub-processors is set forth as indicated in Schedule A of this DPA and Digitary shall update that list and provide notice to the Data Controller at least ten (10) days in advance of any intended additions or replacements of sub-processors.
      4. Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
      5. Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights).  The parties select the laws of Ireland.
      6. Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland.
      7. Annexes I and II of the EU Standard Contractual Clauses are set forth in Schedule B and C of the DPA. 
      8. Annex III of the EU Standard Contractual Clauses (List of sub-processors) is set forth in Schedule A.
      9. By entering into this DPA, the Parties are deemed to be signing the EU SCCs and its applicable Tables and Appendix Information
    2. With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the UK SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs, unless the United Kingdom issues updates to the UK SCCs, in which case the updated UK SCCs will control. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows:
      1. Table 1 of the UK SCCs: 
        1. The Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in the Agreement.  
        2. The Key Contact shall be the contacts set forth in the Agreement.
      2. Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties.
      3. Table 3 of the UK SCCs: Annex 1A, 1B, II, and III shall be set forth in Agreement and Schedule B.
      4. Table 4 of the UK SCCs: Digitary may end this DPA as set out in Section 19 of the UK SCCs.
      5. By entering into this DPA, the Parties are deemed to be signing the UK SCCs and its applicable Tables and Appendix Information.


8. Liability

    1. The parties agree that nothing herein in this DPA or the Agreement relieves the Member of its respective responsibilities and liabilities under applicable data protection law.
    2. Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.
    3. Member acknowledges that Digitary is reliant on Member for direction as to the extent to which Digitary is entitled to process Personal Data on behalf of Member in performance of the Services. Consequently, Digitary will not be liable under the Agreement for any claim brought by a data subject arising from any action or omission by Digitary, to the extent that such action or omission resulted from Member’s instructions or from Member’s failure to comply with its obligations under applicable data protection law. The parties agree that the liability of Digitary shall be limited to its own processing operations under this DPA and the Agreement. The parties agree that Digitary will not be liable for any damages arising out of or related to violations of applicable data protection law by the Data Controller related to Data Controller’s acts or omissions not related to the Services.


9. Ratification. All other terms and conditions in the Agreement are ratified and remain in full force and effect. This DPA is an addendum to the Agreement and shall control and prevail to the extent of any conflict with the Agreement.


Schedule A


To support delivery of our Services, Digitary may engage and use data processors with access to certain Customer Data (each, a “Subprocessor”). This page provides important information about the identity, location and role of each Subprocessor. 

Digitary’s list of sub processors will be published at


Schedule B


MODULE TWO: Transfer controller to processor

Categories of data subjects whose personal data is transferred: 

    • End users of Data Controller such as students

Categories of personal data transferred: 

    • contact information, transcript data, credential data, enrollment verification, attendance records and other educational or identity information

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): 

    • On a continuous basis for as long as Data Controller is engaging Digitary to provide the Services.

Nature of the processing: 

    • The nature of the Processing is as forth in the Agreement and any relevant order forms.

Purpose(s) of the data transfer and further processing: 

    • The purposes for the data transfer are to facilitate Digitary’s provision of Services pursuant to the Agreement and any relevant order forms.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:  

    • The data will be retained for the time period needed to accomplish the purposes of Processing, unless otherwise required by applicable law.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: 

    • Transfers to sub-processors are for the same purposes as transfers to the processor.


Schedule C

Security Requirements

The Parties will implement and maintain the following administrative, technical, physical, and organizational security measures for the Processing of Personal Data:

Parties’ Information Security Program includes specific security requirements for its personnel and all subprocessors or agents who have access to Personal Data (“Data Personnel”). The security program covers the following areas:

    1. Information Security Policies and Standards. The Parties will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data. 
    2. Physical Security. The Parties will maintain commercially reasonable security systems at all Party sites at which an information system that uses or stores Personal Data is located (“Processing Locations”) that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.
    3. Organizational Security. The Parties will maintain information security policies and procedures addressing acceptable data use standards, data classification, and incident response protocols.
    4. Network Security. The Parties maintains commercially reasonable information security policies and procedures addressing network security.
    5. Access Control.  The Parties agree that: (1) only authorized staff can grant, modify or revoke access to an information system that Processes Personal Data; and (2) the Parties will implement commercially reasonable physical and technical safeguards to create and protect passwords.
    6. Virus and Malware Controls. The Parties protect Personal Data from malicious code and will install and maintain anti-virus and malware protection software on all system endpoints that handle Personal Data and will maintain applicable controls on web servers.
    7. Personnel. The Parties have implemented and maintains a security awareness program to train employees about their security obligations. Data Personnel follow established security policies and procedures. Disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
    8. Business Continuity. The Parties implement disaster recovery and business resumption plans that are kept up to date and revised on a regular basis. The Parties also adjust the Information Security Program in light of new laws and circumstances, including as business and Processing change.