2.    Data Processing

a.    Scope and Roles. This DPA applies when Personal Data is transferred between Cimento AI, Inc. and Client. The Parties agree that the status of each Party as a Controller or Processor is a question of fact determined under Applicable Data Protection Laws.

b.    Compliance with Applicable Data Protection Laws. The Parties represent that (a) the Connected User Data shall be lawfully collected and transferred in accordance with Applicable Data Protection Laws (as defined in the DPA); and (b) the Parties have, and shall maintain, the systems and processes in place to ensure compliance with the terms of the Agreement.

c.    Cooperation between the Parties. The Parties will assist each other to comply with requests or complaints of data subjects or supervisory authorities regarding compliance with Applicable Data Protection Laws with regard to Connected User Data. The Parties will notify each other of any requests, enquiries, monitoring activities and similar measures undertaken by supervisory authorities regarding the handling of Personal Data under this DPA.

d.    California Consumer Privacy Act (“CCPA”). To the extent that the CCPA is applicable, the parties acknowledge and agree that where Cimento AI, Inc. is a processor, Cimento AI, Inc. shall also be considered a service provider for the purposes of the CCPA. Cimento AI, Inc. certifies that it understands the rules, restrictions, requirements, and definitions of the CCPA and agrees to refrain from taking any action that would cause any transfers of Personal Data to or from Cimento AI, Inc. to qualify as a sale of Personal Data under the CCPA. Cimento AI, Inc. acknowledges and confirms that it does not receive any Personal Data from Client as consideration for any services or other items provided to Client. Cimento AI, Inc. shall not sell any Client Data. Cimento AI, Inc. shall not retain, use, or disclose any Client Data except as necessary for the specific purpose of performing the services for Client under the Agreement or otherwise as outlined in the Agreement or as permitted by the CCPA. For purposes of this Section 1.3, the terms “Personal Data,” “service provider,” “sale,” and “sell” are as defined in Section 1798.140 of the CCPA. 

e.    Family Educational Rights and Privacy Act (“FERPA”). To the extent FERPA is applicable, Cimento AI, Inc. will implement safeguards that: (a) ensure the security and confidentiality of Client Data; (b) protect against any anticipated threats or hazards to the security or integrity of such information; and (c) protect against unauthorized access to or use of such information which could result in substantial harm or inconvenience to any students. Suppose Cimento AI, Inc. subcontracts with a third party for any of the services that it is required to undertake in furtherance of this Agreement. In that case, Cimento AI, Inc. will take reasonable steps to verify that such third parties implement practices that protect Client Data.

f.    Details of Data Processing.

i.    Subject matter: The subject matter of the data processing under this DPA is personally identifiable Client Data or Connected User Data.

ii.    Duration: As between Cimento AI, Inc. and Client, the duration of the data processing under this DPA is for the Term of the Agreement.

iii.    Purpose: The purpose of the data processing under this DPA is the provision of the Services.

iv.    Nature of the processing: Cimento AI, Inc. will provide a platform for Client to use the Services. 

v.    Categories of Personal Data: Client Data or Connected User Data .

vi.    Categories of data subjects: The data subjects may include Users or Client’s customers, employees, and end-users. 

g.    Storage and Pseudonymizastion. Notwithstanding anything to the contrary in this Agreement, the Parties acknowledge that Cimento AI, Inc. stores Personal Data, including Client Data, in the Approved Data Storage Geographies, and the storage by Cimento AI, Inc. of Personal Data in the United States shall not be deemed a violation of this Section or create a right of action under this Agreement.  Some Services require processing and analysis of Personal Data by Cimento AI, Inc. Affiliates. Such data will be pseudonymized and encrypted in transit and at rest during any such processing.

3.    Client Instructions. The parties agree that this DPA and the Agreement constitute Client’s documented instructions regarding Cimento AI, Inc.’s processing of Client Data (“Documented Instructions”). Cimento AI, Inc. will process Client Data only in accordance with Documented Instructions. Client shall obtain all consents required by any Applicable Data Protection Law from Users for Cimento AI, Inc. to lawfully store, transfer, and process Personal Data provided by Client to Cimento AI, Inc. pursuant to the Agreement.  Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Cimento AI, Inc. and Client, including agreement on any additional fees payable by Client to Cimento AI, Inc. for carrying out such instructions. Client is entitled to terminate this DPA and the Agreement if Cimento AI, Inc. declines to follow instructions requested by Client that are outside the scope of, or changed from, those given or agreed to be given in this DPA.

4.    Government Request for Client Data. If a governmental body sends Cimento AI, Inc. a demand for Client Data, Cimento AI, Inc. will attempt to redirect the governmental body to request that data directly from Client. As part of this effort, Cimento AI, Inc. may provide Client’s basic contact information to the government body. If compelled to disclose Client Data to a government body, then Cimento AI, Inc. will give Client reasonable notice of the demand to allow Client to seek a protective order or other appropriate remedy unless Cimento AI, Inc. is legally prohibited from doing so.

5.    Confidentiality Obligations of Cimento AI, Inc. Personnel. Cimento AI, Inc. restricts its personnel from processing Client Data without authorization by Cimento AI, Inc.. Cimento AI, Inc. shall impose appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

6.    Security of Data Processing. Cimento AI, Inc. has implemented and will maintain the technical and organizational measures for the Services as described in the Information Security Standards. 

7.    Sub-processing

i.    Cimento AI, Inc. will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the sub-processors that violate the obligations under this DPA as if caused by Cimento AI, Inc. itself.  

8.    Data Subject Requests.  Should a data subject contact Cimento AI, Inc. with regard to correction or deletion of Client Data, Cimento AI, Inc. will direct such data subject to Client. 

9.    Security Breach Notification.

a.    Security Incident. Cimento AI, Inc. will (i) notify Client of a Security Incident without undue delay after becoming aware of the Security Incident, (ii) investigate the Security Incident; (iii) provide Client with a summary about the Security Incident, and (iv) take reasonable steps to mitigate the effects resulting from the Security Incident and enact procedures to prevent a recurrence of the Security Incident.

b.    Cimento AI, Inc. Assistance. To assist Client in relation to any personal data breach notifications Client is required to make under the Applicable Data Protection Laws, Cimento AI, Inc. will include in the notification under section 9.1(a) such information about the Security Incident as Cimento AI, Inc. is reasonably able to disclose to Client, taking into account the nature of the Services, the information available to Cimento AI, Inc., and any restrictions on disclosing the information, such as confidentiality. Cimento AI, Inc.’s obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by Cimento AI, Inc. of any fault or liability of Cimento AI, Inc. with respect to the Security Incident.

c.    Client Obligations. Where a controller-to-controller relationship exists between Cimento AI, Inc. and Client, Client shall notify Cimento AI, Inc. without undue delay in the event a personal data breach, as defined in the GDPR, occurs that requires Client to notify the competent supervisory authority or other regulator and/or the impacted data subjects.

10.    Cimento AI, Inc. Certifications and Audit Right.

a.    Cimento AI, Inc. Audits. Cimento AI, Inc. uses external auditors to verify the technical, organizational and security measures. This audit: (a) will be performed at least annually; (b) will be performed according to the ISO27001 standard or such other alternative standards that are substantially equivalent to ISO27001; (c) will be performed by independent third-party security professionals at Cimento AI, Inc.’s selection and expense; and (d) will result in the generation of an audit report (the “Report”), which will be Cimento AI, Inc.’s Confidential Information.

b.    Audit Reports. At Client’s written request, Cimento AI, Inc. will provide Client with a copy of the Report so that Client can reasonably verify Cimento AI, Inc.’s compliance with its obligations under this DPA.

c.    Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the Services and the information available to Cimento AI, Inc., Cimento AI, Inc. will assist Client in complying with Client’s obligations in respect of data protection impact assessments and prior consultation pursuant to Articles 35 and 36 of the GDPR, by providing the information Cimento AI, Inc. makes available under this Section.

d.    Client Audit. After Client has exercised its rights under paragraph (a) above, if Client requires further information Client will have the right to, at its own cost and subject to Client’s payment of Cimento AI, Inc.’s fees in relation to such audit at its standard professional services rates prevailing at the time, require that Cimento AI, Inc. (or its independent third-party auditors) carry out a bespoke audit in relation to Cimento AI, Inc.’s compliance with this DPA. Upon receipt of such request, Cimento AI, Inc. will carry out (or arrange) such audit within such reasonable period as Client and Cimento AI, Inc. may agree and will provide a copy of the audit report to Client promptly following conclusion of the audit.

11.    Limitation of Liability.  Each party’s liability taken together in the aggregate arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Agreement. In no event shall either party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.

13.    Termination of the DPA. This DPA shall continue in force until the termination of the Agreement (the “Termination Date”).

14.    Return or Deletion of Client Data. Up to the Termination Date, Client will continue to have the ability to retrieve or delete Client Data in accordance with this Section. Cimento AI, Inc. will delete Client Data when requested by Client and promptly following the Termination Date. Cimento AI, Inc. will have no obligation to maintain Customer Data after the Termination Date, and may thereafter delete or destroy all copies of Client Data maintained by Cimento AI, Inc.. 

15.    Duties to Inform. Where Client Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by Cimento AI, Inc., Cimento AI, Inc. will inform the Client without undue delay. Cimento AI, Inc. will, without undue delay, notify all relevant parties in such action (e.g., creditors, bankruptcy trustee) that any Client Data subjected to those proceedings is Client’s property and area of responsibility and that Client Data is at Client’s sole disposition.

16.    Entire Agreement; Conflict. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between any other agreement between the parties, including the Agreement, and this DPA, the terms of this DPA will control. If there is a conflict between the Standard Contractual Clauses and this DPA, the terms of the Standard Contractual Clauses, as applicable, shall prevail.