Data Privacy Addendum (“DPA”)
Lummio Platform
This Data Processing Addendum (“DPA”) supplements and forms part of the Lummio Terms & Conditions (the “Terms”) between Lummio, LLC (“Lummio”) and the subscribing client identified in the Terms (“Client”). Capitalized terms not defined in this DPA have the meanings given to them in the Terms.
If the Client executes a separate written data processing agreement with Lummio, that agreement will supersede this DPA. In the event of any conflict between this DPA and the Terms, this DPA shall control with respect to the Processing of Client Data.
1. Definitions
Applicable Privacy Laws – all data-protection and privacy laws, regulations, and self-regulatory frameworks that apply to the Processing of Client Data under the Terms (for example, FERPA, COPPA, SOPPA, GDPR, UK GDPR, CCPA/CPRA, and any state equivalents), in each case as amended or replaced.
Controller / Processor / Data Subject / Personal Data / Personal Data Breach / Processing – have the meanings set out in the GDPR (or, where the GDPR does not apply, the analogous terms under applicable law).
Client Data – has the meaning given in the Terms; for clarity it includes Student Data and Education Records where those terms are defined by Applicable Privacy Laws.
Student Data – Client Data that relates to a current, former, or prospective student of the Client and, where applicable, the student’s parent or legal guardian.
Education Records – “education records” as defined in FERPA that are provided to Lummio by Client or its users.
Sub-processor – any third party engaged by Lummio that Processes Client Data on Lummio’s behalf.
De-identified Data – data that cannot reasonably be used to identify an individual, taking into account the means reasonably likely to be used.
2. Purpose and Roles
The parties acknowledge and agree that, for the purposes of Applicable Privacy Laws, Client is the Controller (or equivalent) and Lummio is the Processor (or equivalent) with respect to Client Data that Lummio Processes on the Client’s behalf in connection with the Services.
Lummio will Process Client Data solely for the following purposes (the “Permitted Purposes”):
● to provide, secure, support, and improve the Services in accordance with the Terms;
● to comply with Client’s documented instructions and Applicable Privacy Laws; and
● as otherwise agreed in writing by the parties.
3. Client Instructions
Client instructs Lummio to Process Client Data for the Permitted Purposes. Additional instructions must be mutually agreed in writing.
Client is responsible for ensuring that its instructions comply with Applicable Privacy Laws and do not cause Lummio to violate any law.
4. Compliance & Cooperation
Each party will comply with the obligations that apply to it under Applicable Privacy Laws. Where required by Applicable Privacy Laws, Client will:
● obtain and document all necessary consents and notices to enable lawful Processing of Client Data by Lummio; and
● respond to Data Subject requests and other inquiries concerning Client Data, with Lummio providing reasonable assistance (see Section 9).
Lummio shall not be liable for compliance with any instruction that violates applicable law, and reserves the right to refuse such instructions.
5. Sub-processing
Lummio may engage third-party Sub-processors to Process Client Data, provided that Lummio imposes data protection obligations on such Sub-processors that are no less protective than those set out in this DPA.
Lummio remains responsible for the acts and omissions of its Sub-processors. Upon written request, Lummio shall make available a list of current Sub-processors.
6. Security of Processing
Lummio will implement and maintain appropriate technical and organisational measures designed to protect Client Data against unauthorised or unlawful Processing and against accidental loss, destruction, alteration, or disclosure.
Lummio will ensure that persons authorised to Process Client Data are bound by confidentiality obligations.
Lummio shall not use Client Data for targeted advertising, marketing, or cross-site tracking. Lummio may create and maintain individual student profiles only to the extent necessary to provide the Services, and such profiles shall not be used for any commercial or non-educational purpose.
Lummio shall not re-identify or attempt to re-identify any de-identified or aggregated data, nor combine it with other datasets in a manner that could reasonably permit re-identification.
7. Personal Data Breach
Lummio will notify Client without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Client Data. The notice will include reasonably available information to help Client meet its breach-notification obligations.
Lummio will take reasonable steps to mitigate the effects of the breach and will cooperate with Client.
8. Data Retention and Deletion
Upon termination or expiry of the Terms (or earlier at Client’s written request), Lummio will delete or return Client Data in accordance with the Terms, unless Lummio is required by law to retain it.
Lummio may retain De-identified Data after termination.
9. Data Subject Requests & Government Inquiries
Taking into account the nature of the Processing, Lummio will provide reasonable assistance to the Client in fulfilling its obligations to respond to Data Subject requests under Applicable Privacy Laws (e.g., access, correction, deletion), to the extent the Client is unable to access or fulfill such requests directly via the Services.
Routine user-initiated actions made via the Services’ user interface (e.g., profile edits) do not constitute formal Data Subject requests requiring Client instruction. Lummio shall, however, promptly notify the Client upon receiving any Data Subject request or government inquiry that is submitted outside the normal operation of the Services, unless legally prohibited from doing so.
10. Audits and Certifications
Upon written request and not more than once per year, Lummio will provide a summary of its security controls and practices reasonably sufficient to demonstrate compliance with this DPA, subject to reasonable confidentiality protections.
Client may conduct a reasonable audit (or appoint an independent auditor) only if required by Applicable Privacy Laws and if Lummio’s documentation does not provide sufficient evidence of compliance. Any such audit shall be conducted remotely, subject to reasonable confidentiality and security protocols, upon thirty (30) days’ prior written notice, and must not unreasonably interfere with Lummio’s operations. The Client shall bear all audit costs.
11. International Data Transfers
Lummio will ensure that all storage and processing of Client Data complies with applicable data protection laws. Where data is transferred across borders, Lummio will implement appropriate safeguards, including Standard Contractual Clauses where required.
12. FERPA and Student Privacy (U.S.-Specific)
To the extent FERPA applies, Lummio is deemed a “school official” with a legitimate educational interest and will comply with FERPA’s requirements. Lummio will not disclose Education Records except as permitted by FERPA or Client.
13. Miscellaneous
Liability
The limitations of liability in the Terms apply to this DPA.
Governing Law
This DPA is governed by the same law as the Terms.
Term
This DPA is effective on the Effective Date of the Terms and terminates when Lummio no longer Processes Client Data, subject to Section 8.
If required by the Client’s internal policies or applicable law, a mutually executed copy of this Data Processing Addendum may be made available upon request.