ENTERPRISE DATA PROTECTION ADDENDUM


This DPA supplements and forms part of the Agreement. Unless otherwise defined in this DPA or the Agreement, all capitalized terms used in this DPA will have the meanings given to them in clause 1 of this DPA. This DPA remains in effect during the Term.

1. Definitions and interpretation

1.1 Unless otherwise defined in this DPA or the Agreement, all capitalized terms used in this DPA will have the following meanings:

"Adequate Country” means any country or territory which, under Applicable Data Protection Laws to which the data exporter is subject, is deemed to offer an adequate level of protection for Personal Data such that no further safeguards are required in order to transfer Personal Data to that country or territory.

“Agreed Purposes” has the meaning given to that term in clause 2.2.

“Agreement” means the agreement between Coursera and Organization where Coursera provides Services to Organization.

“Applicable Data Protection Laws” means all data protection, privacy and data security laws and regulations, applicable to and binding on a party in the performance of this DPA, including as applicable, the EU Data Protection Laws, the UK Data Protection Laws, the Swiss Data Protection Laws, the US Privacy Laws, and LGPD, each as may be amended, replaced, or supplemented from time to time.

“Brazil SCCs” means the Standard Contractual Clauses for International Data Transfers issued by the Autoridade Nacional de Proteção de Dados Pessoais under Resolution CD/ANPD No.19, dated August 23, 2024, as may be amended or replaced from time to time, and currently attached as Exhibit G of this DPA.

“CCPA” means the California Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020, together with any implementing regulations.

“Controller”, “Data Subject”, “Personal Data”, “Processor”, “process / processing”, “Sub-processor” have the meanings set out in GDPR, except to the extent that any Personal Data or information relates to a resident of any other jurisdiction with Applicable Data Protection Laws, including the CCPA, in which case the equivalent and/or additional meanings (including for "Business", "Service Provider", and "Resident" under CCPA) set out in Applicable Data Protection Laws, shall apply.

“Coursera” means the Coursera entity and its affiliates that entered into the Agreement.

“Coursera Platform” means the online education platform provided by Coursera.

“Coursera Program” means specific online courses or other educational content made available to Users on the Coursera Platform under the Agreement.

“Coursera Privacy Notice” means the privacy notice that Coursera provides to Users, currently located at: https://www.coursera.org/about/privacy.

“data exporter” has the meaning given to that term in clause 4.

“Data Privacy Frameworks” means EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework.

“DPA” means this Enterprise Data Protection Addendum, including its Exhibits.

“EEA” means those countries that are part of the European Economic Area, from time to time.

“EU Data Protection Laws” means all applicable laws relating to data protection, privacy, and the processing of Personal Data in the EEA including the GDPR.

“EU SCCs” means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Invitation Data” means the Personal Data of Users, including as specified in Exhibit B, made available to Coursera by Organization for the purposes of inviting Users to access the Coursera Platform.

“LGPD” means the Lei Geral de Proteção de Dados Pessoais (Brazilian General Data Protection Law), Law No. 13,709/2018, as amended.

“Organization” means the entity named in the Agreement that receives the Services from Coursera.

“Personal Data Breach” means any breach of security that results in the accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, or access to Invitation Data processed by Coursera on Organization’s behalf.

“Restricted Transfer” means a transfer of Invitation Data to a data importer located in a country which is not an Adequate Country, in circumstances where such transfer is subject to any of: (i) EU Data Protection Laws; (ii) UK Data Protection Laws; (iii) Swiss Data Protection Laws; (iv) the LGPD; or (v) any other applicable regional, federal or national laws or regulation applicable in a country outside the EEA, UK, Switzerland and Brazil, which prohibits or restricts the transfer of Personal Data from that region or country.

“SCCs” means the EU SCCs or the Brazil SCCs (as applicable).

“Sell” has the meaning given to that term under US Privacy Laws.

“Services” means the services provided by Coursera to Organization pursuant to and specified in the Agreement, including inviting and enabling Users to set up Coursera accounts and providing the Coursera Program to Users.

“Share” has the meaning given to that term under US Privacy Laws.

“Swiss Addendum” means the Swiss addendum to the SCCs, which is appended to this DPA at Exhibit F.

“Swiss Data Protection Laws” means all applicable laws relating to data protection, privacy and the processing of Personal Data in Switzerland including the Swiss Federal Data Protection Act.

“Term” means the term of this DPA which runs from the effective date of the Agreement until its expiry or termination.

“US Privacy Laws” means all applicable laws in the United States relating to data protection, privacy, data security, and data breach notification, including the CCPA, and any other similar state or federal laws.

“UK Addendum” means the UK International Data Transfer Addendum to the SCCs, which is appended to this DPA at Exhibit E.

“UK Data Protection Laws” means all applicable laws relating to data protection, privacy and the processing of Personal Data in the UK including the UK GDPR and the Data Protection Act 2018.

“UK GDPR” means the retained EU law version of the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by: (i) Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419); and (ii) the Data (Use and Access) Act 2025.

“User” means an individual who is employed with or authorised by Organization to access the Coursera Platform via the Services.

“User Data” means the Personal Data of Users (excluding Invitation Data), processed by Coursera for the purposes set out in the Coursera Privacy Notice.

“User Progress Data” means the Personal Data of Users, made available to Organization by Coursera in connection with Users’ progress and achievements on the Coursera Program.

2. Personal Data Processing

2.1 Organization acts as the Controller of Invitation Data, and Coursera acts as a Processor of Invitation Data on behalf of Organization, except where Organization itself acts as a Processor, in which case Coursera acts as a Sub-processor.

2.2 Coursera acts as an independent Controller of User Data and both parties act as independent Controllers of User Progress Data. Coursera may share User Progress Data with Organization for the purpose of evaluating User engagement with the Coursera Program (the “Agreed Purposes”). The parties agree that: (a) the disclosure and use of User Progress Data for the Agreed Purposes does not constitute the Selling or Sharing of User Progress Data; and (b) Organization is solely responsible for its processing of User Progress Data for any purpose other than the Agreed Purposes.

2.3 The parties will each comply with all laws, rules and regulations applicable to and binding on them in the performance of this DPA, including Applicable Data Protection Laws. Organization warrants and represents that it, or where applicable the Controller on whose behalf it acts, will provide all required notices and obtain any necessary consents, authorizations, or other permissions for the lawful processing of Invitation Data.

2.4 To the extent the parties process each other’s business contact information or other business-to-business data in the ordinary course of their relationship (for example, for contract administration, billing, or relationship management), each party acts as an independent Controller and will comply with its respective obligations under Applicable Data Protection Laws in relation to that processing.

3. Coursera’s obligations

3.1 Coursera will:

3.1.1 process the Invitation Data in accordance with the Agreement (including this DPA) only as follows:

(a) to provide the Services; and

(b) as further specified via:

(i) Organization’s use of the Services; and

(ii) any other written instructions given by Organization and acknowledged by Coursera as constituting instructions under this DPA (collectively, the “Documented Instructions”).

Coursera will comply with the Documented Instructions unless required to do otherwise by applicable law. Coursera will notify Organization if it is required to process Invitation Data other than in accordance with Organization’s Documented Instructions (unless applicable law prohibits the giving of such notice);

3.1.2 not: (i) Sell or Share Invitation Data; (ii) retain, use, or disclose Invitation Data for any purpose except as permitted in the Agreement or under the Applicable Privacy Laws, or (iii) retain, use, or disclose Invitation Data outside of the direct business relationship between the parties;

3.1.3 implement and maintain technical and organisational measures and procedures to protect Invitation Data against the risks of accidental, unlawful or unauthorised destruction, loss, alteration, disclosure, dissemination or access, as described in Exhibit A;

3.1.4 promptly forward any Data Subject requests relating to Invitation Data to Organization;

3.1.5 reasonably assist Organization with meeting Organization’s compliance obligations under Applicable Data Protection Laws, taking into account the nature of Coursera’s processing and the information available to Coursera, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with a relevant regulator under Applicable Data Protection Laws;

3.1.6 impose appropriate confidentiality obligations on its personnel who process Invitation Data;

3.1.7 notify Organization of a Personal Data Breach without undue delay and no later than 48 hours after becoming aware of the Personal Data Breach, and provide reasonable information and assistance to enable Organization to meet its obligations under Applicable Data Protection Laws; and

3.1.8 after termination or expiry of the Agreement, delete or, if directed in writing by Organization, return, Invitation Data, unless required by applicable law to retain Invitation Data.

4. Cross-border transfers of Personal Data

4.1 For as long as Coursera remains certified under the Data Privacy Frameworks, the parties agree that applicable Restricted Transfers of Invitation Data from Organization to Coursera under this DPA will be made in reliance on the applicable Data Privacy Framework.

4.2. If Coursera is no longer certified under the applicable Data Privacy Framework, or if the Data Privacy Framework is not recognised as a valid transfer mechanism under Applicable Data Protection Laws, the parties agree that any Restricted Transfer of: (1) Invitation Data from Organization (as "data exporter") to Coursera (as “data importer”); or (2) User Progress Data from Coursera (as “data exporter”) to the Organization (as “data importer”) will be made in accordance with the SCCs, the UK Addendum, or the Swiss Addendum, each as applicable.

4.3 In respect of Invitation Data, the parties agree that the EU SCCs will be amended as follows:

4.3.1 Module Two (Controller to Processor) will apply where Organization is the Controller and Coursera is the Processor, and Module Three (Processor to Processor) will apply where Organization is the Processor and Coursera is a Sub-processor;

4.3.2 in Clause 7, the optional docking clause will not apply;

4.3.3 in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be 30 working days;

4.3.4 in Clause 11(a), the optional language will not apply;

4.3.5 in Clause 17, Option 1 will apply, and the SCCs will be governed by Dutch law; and

4.3.6 in Clause 18(b), disputes shall be resolved before the courts of the Netherlands; and Annexes I, II and III of the SCCs will be deemed completed with the information set out in Exhibits B, C, and D.

4.4 In respect of User Progress Data, the Parties agree that the EU SCCs will be amended as follows:

4.4.1 Module One (Controller to Controller) will apply where both parties act as independent Controllers;

4.4.2 in Clause 7, the optional docking clause will not apply;

4.4.3 in Clause 11(a), the optional language will not apply;

4.4.4 in Clause 17, Option 1 will apply, and the SCCs will be governed by Dutch law; and

4.4.5 in Clause 18(b), disputes shall be resolved before the courts of the Netherlands; and Annexes I and II of the SCCs will be deemed completed with the information set out in Exhibits B and C.

4.5 If and to the extent that a Restricted Transfer is subject to the laws of any other jurisdiction outside of the EEA, the UK and Switzerland, the incorporated SCCs will be interpreted as necessary to enable the laws of the relevant jurisdiction to be complied with. In particular:

4.5.1 “European Union” or “EU Member State” will be replaced with the jurisdiction of the data exporter;

4.5.2 “Regulation (EU) 2016 / 679” and all references to the Regulation shall mean the equivalent applicable data protection or privacy law of the jurisdiction of the data exporter which governs international transfers of Personal Data; and

4.5.3 references to Supervisory Authority will mean the data protection authority of the relevant jurisdiction.

4.6 To the extent that the SCCs, the UK Addendum, or the Swiss Addendum are no longer recognised as valid transfer mechanisms under Applicable Data Protection Laws, the parties will work together to implement an alternative transfer mechanism under Applicable Data Protection Laws.

5. Sub-Processors

5.1 Organization provides general authorization to Coursera’s use of the Sub-processors of Invitation Data listed in Exhibit D (each a “Coursera Sub-processor").

5.2 Coursera will enter into a written contract with each Coursera Sub-processor that, taking into account the nature of the services provided by the Coursera Sub-processor, contains terms no less onerous than those set out in this DPA. Coursera will be responsible for any failures of any Coursera Sub-processor to fulfil the obligations imposed on the Coursera Sub-processor.

5.3 Coursera will provide Organization with 30 days’ notice, where it intends to appoint a new Sub-processor. Organization will have the opportunity to object to such appointment on reasonable grounds, by giving written notice to Coursera within that 30 day period.

5.4 If Organization objects to the appointment of any proposed Sub-processor, Coursera will make reasonable efforts to propose an appropriate change to the Services to accommodate (in whole or part) Organization’s objections to the proposed Sub-processor. If Coursera does not propose such a change within 30 days of receipt of Organization’s notice provided under clause 5.3, or if Organization refuses any such proposed change, Organization may terminate the Agreement in accordance with its terms.

6. Audit

6.1 In addition to the information contained in this DPA, upon Organization’s request, and subject to an applicable non-disclosure agreement between the parties, Coursera will make available information reasonably necessary to demonstrate compliance with the obligations of this DPA (“Audit Information”). Audit Information includes the results of independent third-party audits and certifications, including: (i) the certificates issued in respect of Coursera’s ISO 27001 certification; and/or (ii) Coursera’s System and Organization Controls (SOC) 2 Report.

6.2 Organization chooses to conduct any audit, including any inspection, it has the right to request or mandate on its own behalf, and on behalf of its Controllers where Customer is acting as a Processor, under Applicable Data Protection Laws or the SCCs by instructing Coursera to carry out the audit described in clause 6.1. If Organization wishes to change this instruction regarding the audit, then Organization has the right to request a change to the instruction by providing Coursera written notice as provided for in the Agreement.

7. Entire Agreement; Conflict. This DPA incorporates the SCCs by reference. Except as expressly amended by this DPA, the Agreement remains in full force and effect. In the event of a conflict, the following order of precedence applies: the SCCs, the UK Addendum, and the Swiss Addendum will prevail over this DPA, and this DPA will prevail over the Agreement.



EXHIBIT A

COURSERA SECURITY STANDARDS

1. Information Security Program. Coursera will maintain an information security program designed to (a) enable Organization to secure Invitation Data against accidental or unlawful loss, unauthorized access, or disclosure; (b) identify reasonably foreseeable risks to the security and availability of the Coursera Platform; and (c) minimize physical and logical security risks to the Coursera Platform, including through regular risk assessments and testing. Coursera will designate one or more employees to coordinate and be accountable for the implementation and maintenance of the information security program. Coursera maintains ISO/IEC 27001 certification for its information security program.

Coursera’s Information Security Program will include the following measures:

1.1 Logical Security.

A. Access Controls. Coursera will make the Coursera Platform accessible only to authorized personnel, and only as necessary to maintain and provide the Services. Coursera will maintain access controls and policies to manage authorizations for access to the Coursera Platform from each Platform connection and user, including through the use of firewalls or functionally equivalent technology and authentication controls. Coursera will maintain access controls designed to (i) restrict unauthorized access to data, and (ii) segregate each Organization’s data from other Organizations’ data.

B. Restricted User Access. Coursera will (i) provision and restrict user access to the Coursera Platform in accordance with the principle of least privilege based on personnel job functions, (ii) require review and approval prior to provisioning access to the Coursera Platform beyond least privilege, including administrator accounts; (iii) require at least quarterly review of Coursera Platform access privileges and, where necessary, revoke Coursera Platform access privileges in a timely manner, and (iv) require two-factor authentication for remote access to the Coursera Platform.

C. Vulnerability Assessments. Coursera will perform regular external vulnerability assessments and penetration testing of the Coursera Platform, and will investigate identified issues and track them to resolution in a timely manner.

D. Application Security. Before publicly launching new Services or significant new features of existing Services, Coursera will perform application security reviews designed to identify, mitigate, and remediate security risks.

E. Change Management. Coursera will maintain controls designed to log, authorize, test, approve and document changes to existing Coursera Platform resources, and will document change details within its change management or deployment tools. Coursera will test changes according to its change management standards prior to migration to production. Coursera will maintain processes designed to detect unauthorized changes to the Coursera Platform and track identified issues to resolution in a timely manner.

F. Data Integrity. Coursera will maintain controls designed to provide data integrity during transmission, storage, and processing within the Coursera Platform. Coursera will provide Organizations the ability to delete their Invitation Data from the Coursera Platform.

G. Business Continuity and Disaster Recovery. Coursera will maintain a formal risk management program designed to support the continuity of its critical business functions (“Business Continuity Program”). The Business Continuity Program includes processes and procedures for the identification of, response to, and recovery from events that could prevent or materially impair Coursera’s provision of the Services (a “BCP Event”). The Business Continuity Program includes a three-phased approach that Coursera will follow to manage BCP Events:

(i) Activation & Notification Phase. As Coursera identifies issues likely to result in a BCP Event, Coursera will escalate, validate, and investigate those issues. During this phase, Coursera will analyze the root cause of the BCP Event.

(ii) Recovery Phase. Coursera assigns responsibility to the appropriate teams to take steps to restore normal system functionality or stabilize the affected Services.

(iii) Reconstitution Phase. Coursera leadership reviews actions taken and confirms that the recovery effort is complete and the affected portions of the Services and Coursera Platform have been restored. Following such confirmation, Coursera conducts a post-mortem analysis of the BCP Event.

H. Incident Management. Coursera will maintain incident response and corrective action plans to respond to potential security threats to the Coursera Platform. Coursera’s incident response plans will have defined processes to detect, mitigate, investigate, and report security incidents. Such plans will include incident verification, attack analysis, containment, data collection, and problem remediation.

I. Storage Media Decommissioning. Coursera will maintain a media decommissioning process that is conducted prior to final disposal of storage media used to store Invitation Data. Prior to final disposal, storage media that has been used to store Invitation Data will be degaussed, erased, purged, physically destroyed, or otherwise sanitized in accordance with industry standard practices designed to ensure that the Invitation Data cannot be retrieved from the applicable type of storage media.

1.2 Physical Security.

A. Access Controls. Coursera will (i) implement and maintain physical safeguards designed to prevent unauthorized physical access, damage, or interference with the Coursera Platform, (ii) use appropriate control devices to restrict physical access to the Coursera Platform to only authorized personnel who have a legitimate business need for such access, (iii) monitor physical access to the Coursera Platform using intrusion detection systems designed to monitor, detect, and alert appropriate personnel of security incidents, (iv) log and regularly audit physical access to the Coursera Platform, and (v) perform periodic reviews to validate adherence with these standards.

B. Availability. Coursera will (i) implement redundant systems for the Coursera Platform designed to minimize the effect of a malfunction on the Coursera Platform, (ii) design the Coursera Platform to anticipate and tolerate hardware failures, and (iii) implement automated processes designed to move Invitation Data traffic away from the affected area in the case of hardware failure.

1.3 Coursera Employees.

A. Employee Security Training. Coursera will implement and maintain employee security training programs regarding its Coursera information security requirements. The security awareness training programs will be reviewed and updated at least annually.

B. Background Checks. Where permitted by law, and to the extent available from applicable governmental authorities, Coursera will require that each employee undergo a background investigation upon hire and periodically thereafter, as appropriate for that employee’s position and level of access to the Coursera Platform.

C. Continued Evaluation. Coursera will conduct periodic reviews of the information security program for the Coursera Platform. Coursera will update or alter its information security program as necessary to respond to new security risks and to take advantage of new technologies.


EXHIBIT B

DESCRIPTION OF THE PROCESSING ACTIVITIES AND ANNEX I TO MODULE 1, 2 AND 3 OF THE SCCS

PART A - LIST OF PARTIES:

INVITATION DATA

Data exporterData importer
Name: Organization, as defined in the AgreementName: Coursera, Inc.
Address: Organization’s address, as set out in the AgreementAddress: 2440 West El Camino Real, Mountain View, CA 94040
The specified contact person for Organization, as set out in the notice provisions or address section of the AgreementContact person name: Privacy @ Coursera. Contact person position: N/A. Contact details: privacy@Coursera.org
Role: Controller or ProcessorRole: Processor or Sub-processor
Signature and Date: See execution pages aboveSignature and Date: See execution pages above

USER PROGRESS DATA

Data exporterData importer
Name: Coursera, Inc.Name: Organization, as defined in the Agreement
Address: 2440 West El Camino Real, Mountain View, CA 94040Address: Organization’s address, as set out in the Agreement
Contact person name: Privacy @ Coursera. Contact person position: N/A. Contact details: privacy@Coursera.orgThe specified contact person for Organization, as set out in the notice provisions or address section of the Agreement
Role: ControllerRole: Controller
Signature and Date: See execution pages aboveSignature and Date: See execution pages above

Part B - DESCRIPTION OF PROCESSING AND ACTIVITIES RELEVANT TO THE DATA TRANSFERRED

INVITATION DATA

Categories of data subjectsUsers
Categories of personal data processed and transferredName; Work email address; Any additional User profile information that Organization provides, such as employee ID, job title, team, manager and location.
Sensitive data processed and transferredN/A
Frequency of the processing and transferContinuous during the Term.
Nature of the processing and transferThe processing is required in order for Coursera to provide the Services in accordance with the Agreement.
Purpose of the processing and transferInviting Users to, and enabling them to register with, the Coursera Platform, and access the Coursera Program.
Duration of the processing and transferLength of the Term. Any retention of Invitation Data beyond the Term will be in accordance with this DPA and Coursera's data retention policy.
Subject matter, nature and duration of processing for transfers to Sub-processorsThe subject matter, nature and duration of the processing by Sub-processors will reflect the description of processing and activities relevant to the transfer, as set out in this Part B.

USER PROGRESS DATA

Categories of data subjectsUsers
Categories of personal data processed and transferredIdentity & Profile (name, work email address, external user ID, job title, job type, business unit, location and manager details); Learning Activity & Progress (course enrollments and enrollment timestamps, course progress percentages and learning hours, grades, pass/fail status, assessment attempt timestamps and attempt counts, course specialization completion status and timestamps, last activity timestamps, video clip viewing activity, skill scores and proficiency levels); Credentials (course certificate URLs, specialization certificate URLs and learning path badge data); Program Membership (membership status, join and invitation dates, program and contract associations); and Integrity (plagiarism/proctoring flag, evidence, status and details).

| Sensitive data processed and transferred | N/A | | Frequency of the processing and transfer | Continuous during the Term. | | Nature of the processing and transfer | The processing is required in order for Coursera to provide the Services in accordance with the Agreement. | | Purpose of the processing and transfer | Evaluating User engagement with the Coursera Program. | | Duration of the processing and transfer | Length of the Term. Any retention of User Progress Data beyond the Term will be in accordance with this DPA and the Organization's data retention policy. | | Subject matter, nature and duration of processing for transfers to Sub-processors | N/A |

PART C - COMPETENT SUPERVISORY AUTHORITY

(i) With respect to the processing of Invitation Data or User Progress Data to which EU Data Protection Laws apply, the competent supervisory authority is the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (or any replacement Dutch authority).

(ii) With respect to the processing of Invitation Data or User Progress Data to which UK Data Protection Laws apply, the competent supervisory authority is the UK Data Protection Authority, the Information Commissioner's Office (or any replacement UK authority).

(iii) With respect to the processing of Invitation Data or User Progress Data to which Swiss Data Protection Laws apply, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (or any replacement Swiss authority).

(iv) With respect to processing of Invitation Data or User Progress Data to which any other data protection law applies, the competent supervisory authority will be the authority that has competence, under applicable laws, over the relevant data exporter.

EXHIBIT C

TECHNICAL AND ORGANIZATIONAL MEASURES AND ANNEX II TO THE SCCS

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

The technical and organizational measures (including the certifications held by the data importer) as well as the scope and the extent of the assistance required to respond to data subject’s requests, are described in the DPA.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

The technical and organizational measures that the data importer will impose on sub-processors are described in the DPA.

EXHIBIT D

LIST OF APPROVED SUB-PROCESSORS AND ANNEX III TO THE SCCS

NameProcessing LocationPurpose
Bird.com Inc.Virginia, USA and Oregon, USACloud-based email service
Amazon Web Services, Inc.USACloud storage service provider
Coursera UK LimitedUKEngineering and customer support
Coursera Canada LimitedUSAEngineering and customer support
Coursera Australia Pty LtdAustraliaEngineering and customer support
Coursera India Private LimitedIndiaEngineering and customer support
Coursera France SASFranceEngineering and customer support
Coursera Germany GmbHGermanyEngineering and customer support
Coursera LimitedSaudi ArabiaEngineering and customer support
Coursera Singapore Pte. LimitedSingaporeEngineering and customer support
Coursera, FZ-LLCUnited Arab EmiratesEngineering and customer support

EXHIBIT E

UK ADDENDUM TO THE SCCS

This Addendum has been issued by the Information Commissioner for parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

PART 1: TABLES

Table 1: Parties

Start dateThe effective date for each party will be the effective date of the Agreement.
The PartiesExporter (who sends the Restricted Transfer)Importer (who receives the Restricted Transfer)
Parties' detailsFull legal name: See Exhibit B Part A; Trading name if different: N/A; Main address (if a company registered address): See the top of the Agreement; Official registration number (if any) (company number or similar identifier): See the top of the AgreementFull legal name: See Exhibit B Part A; Trading name if different: N/A; Main address (if a company registered address): See the top of the Agreement; Official registration number (if any) (company number or similar identifier): See the top of the Agreement
Key ContactSee Exhibit B Part ASee Exhibit B Part A
Signature (if required for the purposes of Section 2)See execution pages aboveSee execution pages above

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCsThe version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: the Effective Date; Reference (if any): See clauses 4.3 and 4.4 of this DPA and the definition of SCCs; Other identifier (if any): As above

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the parties), and which for this Addendum is set out in:

Annex I Part A: List of Parties: See Exhibit B Part A.

Annex I Part B: Description of Transfer: See Exhibit B Part B.

Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Exhibit C

Annex III: List of Sub processors (Modules 2 and 3 only): See Exhibit D

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changesWhich Parties may end this Addendum as set out in Section 19: neither Party

PART 2: MANDATORY CLAUSES

Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎18 of those Mandatory Clauses.

EXHIBIT F

SWISS ADDENDUM TO THE SCCS

1. Date of this Addendum:

The SCCs are dated on the date this DPA was signed. This Addendum is effective from the same date as the SCCs.

2. Interpretation of this Addendum

Where this Addendum uses terms that are defined in the Annex, those terms will have the same meaning as in the Annex. In addition, the following terms have the following meanings:

This AddendumThis Addendum to the SCCs
The AnnexThe Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and as defined in this DPA
Swiss Data Protection LawsAs defined in this DPA

3.This Addendum will be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR.

4.This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.

5.Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

6. Hierarchy

In the event of a conflict or inconsistency between this Addendum and the provisions of the SCCs or other related agreements between the parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects will prevail.

7. Incorporation of the Clauses

This Addendum incorporates the SCCs which are deemed to be amended to the extent necessary so they operate:

7.1 for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws apply to the data exporter’s processing when making that transfer; and

7.2 to provide appropriate safeguards for the transfers in accordance with Swiss Data Protection Laws.

8.The amendments to the SCCs required by Section 7 above, include (without limitation):

8.1 References to the “SCCs” means this Addendum as it incorporates the SCCs. 8.2 Clause 6 (Description of the transfer(s)) is replaced with:

“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where Swiss Data Protection Laws apply to the data exporter’s processing when making that transfer.”

8.3 References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “Swiss Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of Swiss Data Protection Laws.

8.4 References to Regulation (EU) 2018/1725 are removed.

8.5 References to the “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”.

8.6 Clause 13(a) and Part C of Annex II are not used; the “competent supervisory authority” is the Swiss Federal Data Protection and Information Commissioner.

8.7 Clause 17 is replaced to state “These Clauses are governed by the laws of Switzerland”.

8.8 Clause 18 is replaced to state:

“Any dispute arising from these Clauses shall be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland. The Parties agree to submit themselves to the jurisdiction of such courts.”

8.9 The footnotes to the Clauses do not form part of the Addendum.

9. Amendments to this Addendum

The parties may amend this Addendum provided it maintains the appropriate safeguards required by the Swiss Data Protection Laws for the relevant transfer by incorporating the Clauses and making changes to them in accordance with Section 7 above.

EXHIBIT G

BRAZIL SCCs

Section I - General Information

CLAUSE 1. Identification of the Parties

1.1. By this contractual instrument, the Exporter and the Importer (hereinafter, Parties), identified below, agree to adopt the standard contractual clauses (hereinafter Clauses) approved by the Brazilian Data Protection Authority (ANPD), to govern the International Data Transfer described in Clause 2, in accordance with the provisions of Brazilian Legislation.

Name: The customer specified in the Agreement.

Qualification: As specified in the Agreement.

Main address: Address specified in the Agreement.

Email address: Email address specified in the Agreement.

Contact for the Data Subject: Email address specified in the Agreement.

Other Information: N/A.

(X) Exporter/Controller ( ) Exporter/Processor

Name: Coursera, Inc.

Qualification: As specified in the Agreement.

Main address: 381 E. Evelyn Ave., Mountain View, CA 94041.

Email address: privacy@coursera.org

Contact for the Data Subject: privacy@coursera.org

Other Information: N/A.

( ) Importer/Controller (X) Importer/Processor

CLAUSE 2. Object

2.1. These Clauses apply to the International Data Transfers from the Exporter to the Importer, as described below.

Description of the international data transfer: The Importer will process personal data to invite the Exporter’s staff or affiliates to the Importer’s platform.

Main purposes of the international data transfer: To enable the Importer to invite the Exporter’s staff or affiliates to the Importer’s platform.

Categories of personal data transferred: Transferred personal data can include, for example, name, email address and employee ID.

Data retention period: Length of the contract or deletion upon request from the Exporter.

Other information: N/A.

CLAUSE 3. Subsequent Transfers

OPTION B. 3.1. The Importer may carry out Subsequent Transfers of the Personal Data subject to the International Data Transfer governed by these Clauses in the cases and under the conditions described below and provided that the provisions of Clause 18 are observed.

Main purposes of the international data transfer: To engage sub-processors (as described in the DPA).

Categories of personal data transferred: Transferred personal data can include, for example, name, email address and employee ID.

Data retention period: Length of the contract or deletion upon request from the Exporter. Other information: N/A.

CLAUSE 4. Responsibilities of the Parties OPTION A. 4.1. Without prejudice to the duty of mutual assistance and the general obligations of the Parties, the Designated Party below, in the capacity of Controller, shall be responsible for fulfilling the following obligations provided for in these Clauses:

a) Responsible for publishing the document provided for in Clause 14:

(X) Exporter ( ) Importer

b) Responsible for responding to data subject requests as provided for in Clause 15:

(X) Exporter ( ) Importer

c) Responsible for communicating security incidents as provided for in Clause 16:

(X) Exporter ( ) Importer

4.2 For the purposes of these Clauses, if it is later verified that the Designated Party under item 4.1 acts as a Processor, the Controller shall remain responsible:

a)for fulfilling the obligations provided for in Clauses 14, 15, and 16 and other provisions established in Brazilian Legislation, especially in case of omission or non-compliance with the obligations by the Designated Party;

b) for complying with ANPD's determinations; and

c) for guaranteeing the Data Subjects’ rights and for repairing damages caused, as provided for in Clause 17.

Section II - Mandatory Clauses

CLAUSE 5. Purpose

5.1. These Clauses are presented as a mechanism to enable the secure international flow of personal data, establish minimum guarantees and valid conditions for carrying out the International Data Transfer and aim to guarantee the adoption of adequate safeguards for compliance with the principles, the rights of the Data Subject and the data protection regime provided for in National Legislation.

CLAUSE 6. Definitions

6.1. For the purposes of these Clauses, the definitions in art. 5 of LGPD, and art. 3 of the Regulation on the International Transfer of Personal Data shall be considered, without prejudice to other normative acts issued by ANPD. The Parties also agree to consider the terms and their respective meanings, as set out below:

(a) Processing agents: the controller and the processor;

(b) ANPD: National Data Protection Authority;

(c) Clauses: the standard contractual clauses approved by ANPD, which are part of Sections I, II and III;

(d) Related Contract: contractual instrument signed between the Parties or, at least, between one of them and a third-party, including a Third-Party Controller, which has a common purpose, link or dependency relationship with the contract that governs the International Data Transfer;

(e) Controller: Party or third-party (“Third Controller”) responsible for decisions regarding the processing of Personal Data;

(f) Personal Data: information related to an identified or identifiable natural person;

(g) Sensitive Personal Data: personal data on racial or ethnic origin, religious belief, political opinion, affiliation to trade unions or a religious, philosophical or political organization, data regarding health or sexual life, genetic or biometric data, whenever related to a natural person;

(h) Erasure: exclusion of data or dataset from a database, regardless of the procedure used;

(i) Exporter: processing agent, located in the national territory or in a foreign country, who transfers personal data to the Importer;

(j) Importer: processing agent, located in a foreign country who receives personal data from the Exporter;

(k) National Legislation: set of Brazilian constitutional, legal and regulatory provisions regarding the protection of Personal Data, including the LGPD, the International Data Transfer Regulation and other normative acts issued by ANPD;

(l) Arbitration Law: Law No. 9,307, of September 23, 1996;

(m) Security Measures: technical and administrative measures able to protect Personal Data from unauthorized access and from accidental or unlawful events of destruction, loss, alteration, communication or dissemination;

(n) Research Body: body or entity of the government bodies or associated entities or a non-profit private legal entity legally established under Brazilian laws, having their headquarter and jurisdiction in the Brazilian territory, which includes basic or applied research of historical, scientific, technological or statistical nature in its institutional mission or in its corporate or statutory purposes;

(o) Processor: Party or third party, including a Subprocessor, which processes Personal Data on behalf of the Controller;

(p) Designated Party: Party or a Third-Party Controller, under the terms of CLAUSE 4, designated to fulfill specific obligations regarding transparency Data Subjects’ rights and notifying security incidents;

(q) Parties: Exporter and Importer;

(r) Access Request: request for mandatory compliance, by force of law, regulation or determination of public authority, to grant access to the Personal Data subject to the International Data Transfer governed by these Clauses;

(s) Subprocessor: processing agent hired by the Importer, with no link with the Exporter, to process Personal Data after an International Data Transfer

(t) Third-Party Controller: Personal Data Controller who authorizes and provides written instructions for the carrying out of the International Data Transfer between Processors governed by these Clauses, on his behalf, pursuant to Clause 4 (“Option B”);

(u) Data Subject: natural person to whom the Personal Data which are subject to the International Data Transfer governed by these Clauses relate;

(v) Transfer: processing modality through which a processing agent transmits, shares or provides access to Personal Data to another processing agent;

(w) International Data Transfer: transfer of Personal Data to a foreign country or to an international organization which Brazil is a member of; and

(x) Onward Transfer: transfer of Personal Data, within the same country or to another country, by an Importer to a third-party, including a Subprocessor, provided that it does not constitute an Access Request.

CLAUSE 7. Applicable legislation and ANPD supervision

7.1. The International Data Transfer subject to these Clauses shall subject to the National Legislation and to the supervision of ANPD, including the power to apply preventive measures and administrative sanctions to both Parties, as appropriate, as well as the power to limit, suspend or prohibit the international transfers arising from this agreement or a Related Contract.

CLAUSE 8. Interpretation

8.1. Any application of these Clauses shall occur in accordance with the following terms:

(a) these Clauses shall always be interpreted more favorably to the Data Subject and in accordance with the provisions of the National Legislation;

(b) in case of doubt about the meaning of any term in these Clauses, the meaning which is most in line with the National Legislation shall apply;

(c) no item in these Clauses, including a Related Agreement and the provisions set forth in Section IV, shall be interpreted limiting or excluding the liability of any of the Parties in relation to obligations set forth in the National Legislation; and

(d) provisions of Sections I and II shall prevail in case of conflict of interpretation with additional clauses and other provisions set forth in Sections III and IV of this agreement or in Related Agreements.

CLAUSE 9. Docking Clause

9.1. By mutual agreement between the Parties, it shall be possible for a processing agent to adhere to these Clauses, either as a Data Exporter or as a Data Importer, by completing and signing a written document, which shall form part of this contract

9.2. The acceding party shall have the same rights and obligations as the originating parties, according to the position assumed of Exporter or Importer and according to the corresponding category of treatment agent.

CLAUSE 10. General obligations of the Parties

10.1. The Parties undertake to adopt and, when necessary, demonstrate the implementation of effective measures capable of demonstrating observance of and compliance with the provisions of these Clauses and the National Legislation, as well as with the effectiveness of such measures, and, in particular:

(a) use the Personal Data only for the specific purposes described in Clause 2, with no possibility of subsequent processing incompatible with such purposes, subject to the limitations, guarantees and safeguards provided for in these Clauses;

(b) guarantee the compatibility of the processing with the purposes informed to the Data Subject, according to the processing activity context;

(c) limit the processing activity to the minimum required for the accomplishment of its purposes, encompassing pertinent, proportional and non-excessive data in relation to the Personal Data processing purposes;

(d) guarantee to the Data Subjects, subject to the provisions of Clause 4.

(d.1.) clear, accurate and easily accessible information on the processing activities and the respective processing agents, with due regard for trade and industrial secrecy;

(d.2.) facilitated and free of charge consultation on the form and duration of the processing, as well as on the integrity of their Personal Data; and

(d.3.) accuracy, clarity, relevance and updating of the Personal Data, according to the necessity and for compliance with the purpose of their processing;

(e) to adopt the appropriate security measures and compatible with the risks involved in the International Data Transfer governed by these Clauses;

(f) not to process Personal Data for abusive or unlawful discriminatory purposes;

(g) ensure that any person acting under their authority, including sub-processors or any agent who collaborates with them, whether for reward or free of charge, only processes data in compliance with their instructions and with the provisions of these Clauses

(h) keep a record of the Personal Data processing operations of the International Data Transfer governed by these Clauses, and submit the relevant documentation to ANPD, when requested.

CLAUSE 11. Sensitive personal data

11.1. If the International Data Transfer involves Sensitive Personal Data, the Parties shall apply additional safeguards, including specific Security Measures which are proportional to the risks of the processing activity, to the specific nature of the data and to the interests, rights and guarantees to be protected, as described in Section III.

CLAUSE 12. Personal data of children and adolescents

12.1. In case the International Data Transfer governed by these Clauses involves Personal Data concerning children and adolescents, the Parties shall implement measures to ensure that the processing is carried out in their best interest, under the terms of the National Legislation and relevant instruments of international law.

CLAUSE 13. Legal use of data

13.1. The Exporter guarantees that Personal Data has been collected, processed and transferred to the Importer in accordance with the National Legislation.

CLAUSE 14. Transparency

14.1. The Designated Party shall publish, on its website, a document containing easily accessible information written in simple, clear and accurate language on the conduction of the International Data Transfer, including at least information on:

(a) the form, duration and specific purpose of the international transfer;

(b) the destination country of the transferred data;

(c) the Designated Party's identification and contact details;

(d) the shared use of data by the Parties and its purpose;

(e) the responsibilities of the agents who conduct the processing;

(f) the Data Subject's rights and the means for exercising them, including an easily accessible channel made available to respond to their requests, and the right to file a petition against the Exporter and the Importer before ANPD; and

(g) Onward Transfers, including those relating to recipients and to the purpose of such transfer.

14.2. The document referred to in item 14.1. shall be made available on a specific website page or integrated, in a prominent and easily accessible format, to the Privacy Policy or equivalent document.

14.3. Upon request, the Parties shall make a copy of these Clauses available, to the Data Subject free of charge, complying with trade and industrial secrecy.

14.4. All information made available to Data Subjects, under the terms of these Clauses, shall be written in Portuguese.

CLAUSE 15. Rights of the data subject

15.1. The Data subject shall have the right to obtain from the Designated Party, as regards the Personal Data subject to the International Data Transfer governed by these Clauses, at any time, and upon request, under the terms of the National Legislation:

(a) confirmation of the existence of processing;

(b) access to data;

(c) correction of incomplete, inaccurate or outdated data;

(d) anonymization, blocking or erasure of unnecessary, or excessive data or data processed in noncompliance with these Clauses and the provisions of National Legislation;

(e) portability of data to another service or product provider, upon express request, in accordance with ANPD regulations, complying with trade and industrial secrecy;

(f) erasure of Personal Data processed under the Data Subject’s consent, except for the events provided in Clause 20;

(g) information on public and private entities with which the Parties have shared data;

(h) information on the possibility of denying consent and on the consequences of the denial;

(i) withdrawal of consent through a free of charge and facilitated procedure, remaining ratified the processing activities carried out before the request for elimination;

(j) review of decisions taken solely on the basis of automated processing of personal data affecting their interests, including decisions aimed at defining their personal, professional, consumer and credit profile or aspects of their personality; and

(k) information on the criteria and procedures adopted for the automated decision.

15.2. Data subject may oppose to the processing based on one of the events of waiver of consent, in case of non-compliance with the provisions of these Clauses or National Legislation.

15.3. The deadline for responding to the requests provided for in this Clause and in item 14.3. is 15 (fifteen) days from the date of the data subject's request, except in the event of a different deadline established in specific ANPD regulations.

15.4. In case the Data Subject’'s request is directed to the Party not designated as responsible for the obligations set forth in this Clause or in item 14.3., the referred Party shall:

(a) inform the Data Subject of the service channel made available by the Designated Party; or

(b) forward the request to the Designated Party as early as possible, to enable the response within the period provided in item 15.2.

15.5. The Parties shall immediately inform the Data Processing Agents with whom they have shared data with the correction, deletion, anonymization or blocking of the data, for them to follow the same procedure, except in cases where this communication is demonstrably impossible or involves a disproportionate effort.

15.6. The Parties shall promote mutual assistance to respond to the Data Subjects’ requests.

CLAUSE 16. Security Incident Reporting

16.1. The Designated Party shall notify ANPD and the Data Subject, within 3 (three) working days, of the occurrence of a security incident that may entail a relevant risk or damage to the Data Subjects, according to the provisions of National Legislation.

16.2. The Importer must keep a record of security incidents in accordance with National Legislation.

CLAUSE 17. Liability and compensation for damages

17.1. The Party which, when performing Personal Data processing activities, causes patrimonial, moral, individual or collective damage, for violating the provisions of these Clauses and of the National Legislation, shall compensate for it.

17.2. Data Subject may claim compensation for damage caused by any of the Parties as a result of a breach of these Clauses.

17.3. The defense of Data Subjects' interests and rights may be claimed in court, individually or collectively, in accordance with the provisions in relevant legislation regarding the instruments of individual and collective protection.

17.4. The Party acting as Processor shall be jointly and severally liable for damages caused by the processing activities when it fails to comply with these Clauses or when it has not followed the lawful instructions of the Controller, except for the provisions of item 17.6.

17.5. The Controllers directly involved in the processing activities which resulted in damage to the Data Subject shall be jointly and severally liable for these damages, except for the provisions of item 17.6

17.6. Parties shall not be held liable if they have proven that:

(a) they have not carried out the processing of Personal Data attributed to them;

(b) although they did carry out the processing of Personal Data attributed to them, there was no violation of these Clauses or National Legislation; or

(c) the damage results from the sole fault of the Data Subject or of a third-party which is not a recipient of the Onward Transfer or not subcontracted by the Parties.

17.7. Under the terms of the National Legislation, the judge may reverse the burden of proof in favor of the Data Subject whenever, in his judgement, the allegation is credible, there is a lack of sufficient evidence or when the Data Subject would be excessively burdened by the production of evidence.

17.8. Judicial proceedings for compensation for collective damages which intend to establish liability under the terms of this Clause may be collectively conducted in court, with due regard for the provisions in relevant legislation.

17.9. The Party which compensates the damage to the Data Subject shall have a right of recourse against the other responsible parties, to the extent of their participation in the damaging event.

CLAUSE 18. Safeguards for Onward Transfers

18.1. The Importer shall only carry out Onward Transfers of Personal Data subject to the International Data Transfer governed by these Clauses if expressly authorized, in accordance with the terms and conditions described in Clause 3.

18.2. In any case, the Importer:

(a) shall ensure that the purpose of the Onward Transfer is compatible with the specific purposes described in Section 2;

(b) shall guarantee, by means of a written contractual instrument, that the safeguards provided in these Clauses shall be ensured by the third-party recipient of the Onward Transfer; and

(c) for the purposes of these Clauses, and regarding the Personal Data transferred, shall be considered responsible for any eventual irregularities committed by the third-party recipient of the Onward Transfer.

18.3. The Onward Transfer shall also be carried out based on another valid modality of International Data Transfer provided in National Legislation, regardless of the authorization referred to in Clause 3.

CLAUSE 19. Access Request Notification

19.1. The Importer shall notify the Exporter and the Data Subject of any Access Request related to the Personal Data subject to the International Data Transfer governed by these Clauses, except in the event that notification is prohibited by the law of the country in which the data is processed.

19.2. The Importer shall implement the appropriate legal measures, including legal actions, to protect the rights of the Data Subjects whenever there is adequate legal basis to question the legality of the Access Request and, if applicable, the prohibition of issuing the notification referred to in item 19.1.

19.3. To comply with both the ANPD’s and the Exporter’s requests, the Importer shall keep a record of Access Requests, including date, requester, purpose of the request, type of data requested, number of requests received, and legal measures implemented.

CLAUSE 20. Termination of processing and erasure of data

20.1. Parties shall erase the Personal Data subject to the International Data Transfer governed by these Clauses after the ending of their processing, being their storage authorized only for the following purposes:

(a) compliance with a legal or regulatory obligation by the Controller;

(b) study by a Research Body, guaranteeing, whenever possible, the anonymization of Personal Data;

(c) transfer to a third-party, upon compliance with requirements set forth in these Clauses and in the National Legislation; and

(d) exclusive use of the Controller, being the access by a third-party prohibited, and provided data have been anonymized.

20.2. For the purposes of this Clause, processing of personal data shall cease when:

(a) the purpose set forth in these Clauses has been achieved;

(b) Personal Data are no longer necessary or pertinent to attain the intended specific purpose set forth in these Clauses;

(c) at the termination of the treatment period;

(d) Data Subject's request is met; and

(e) at the order of ANPD, upon violation of the provisions of these Clauses or National Legislation.

CLAUSE 21. Data processing security

21.1. Parties shall implement Security Measures which guarantee sufficient protection of the Personal Data subject to the International Data Transfer governed by these Clauses, even after its termination.

21.2. Parties shall inform, in Section III, the Security Measures implemented, considering the nature of the processed information, the specific characteristics and the purpose of the processing, the technology current state and the probability and severity of the risks to the Data Subjects’ rights, especially in the case of sensitive personal data and that of children and adolescents.

21.3. The Parties shall make the necessary efforts to implement periodic evaluation and review measures to maintain the appropriate level of data security.

CLAUSE 22. Legislation of country of destination

22.1. The Importer declares that it has not identified any laws or administrative practices of the country receiving the Personal Data that prevent it from fulfilling the obligations assumed in these Clauses.

22.2. In the event of a regulatory change which alters this situation, the Importer shall immediately notify the Exporter to assess the continuity of the contract.

CLAUSE 23. Non-compliance with the Clauses by the Importer

23.1. In the event of a breach in the safeguards and guarantees provided in these Clauses or being the Importer unable to comply with any of them, the Exporter shall be immediately notified, subject to the provisions in item 19.1.

23.2. Upon receiving the communication referred to in item 23.1 or upon verification of non-compliance with these Clauses by the Importer, the Exporter shall implement the relevant measures to ensure the protection of the Data Subjects' rights and the compliance of the International Data Transfer with the National Legislation and these Clauses, and may, as appropriate:

(a) suspend the International Data Transfer;

(b) request the return of the Personal Data, its transfer to a third-party, or its erasure; and

(c) terminate the contract.

CLAUSE 24. Choice of forum and jurisdiction

24.1. Brazilian legislation applies to these Clauses and any controversy between the Parties arising from these Clauses shall be resolved before the competent courts in Brazil, observing, if applicable, the forum chosen by the Parties in Section IV.

24.2. Data Subjects may file lawsuits against the Exporter or the Importer, as they choose, before the competent courts in Brazil, including those in their place of residence.

24.3. By mutual agreement, Parties may use arbitration to resolve conflicts arising from these Clauses, provided that the procedure is carried out in Brazil and in accordance with the provisions of the Arbitration Law.

Section III - Security Measures

The Importer implements security measures designed to:

● deny unauthorized persons access to equipment used for processing Personal Data;

● prevent unauthorized reading, copying, modification, or removal of media containing Personal Data;

● prevent unauthorized input of Personal Data and unauthorized inspection, modification, or deletion of Personal Data;

● prevent use of automated data-processing systems by unauthorized persons;

● provide that persons authorized to use an automated data-processing system only have access to the Personal Data covered by their access authorization;

● enable Data Importer to verify and establish what Personal Data has been or may be transmitted or made available; and

● include commercially reasonable disaster recovery procedures to provide for the continuation of services under the Agreement and backup of Personal Data.

Where appropriate, Personal Data will be encrypted in transmission and at rest, using industry-standard cryptographic techniques and secure management of keys.

Section IV - Additional Clauses and Annexes

Unless defined in Clause 6 above, capitalized terms used but not defined in these Clauses, have the meanings given to them in the agreement and data processing addendum between the parties (together, “Agreement”). The Parties agree that the commercial sections of the Agreement, including liability, termination, duration, and choice of forum, apply wherever they do not conflict with the Brazil SCCs.