Context
The performance of the services provided for in the Services and Licensing Contract implies that EDUKA SOFTWARE accesses Personal Data and carries out one or more processing operations on it.
In the context of their contractual relationship, EDUKA SOFTWARE and the Customer mutually undertake to comply with the regulations in force applicable to the processing of personal data, notably the Data Protection Act and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the European Council of 27/04/2016 coming into force on 25/06/2018, hereinafter referred to as the "European General Data Protection Regulation (GDPR)".
Each customer (school) acts in its capacity as Data Controller and retains full control, while EDUKA SOFTWARE acts as processor within the meaning of the applicable Data Protection Law.
Definitions
In this article, capitalized terms and expressions have the meanings indicated below, whether used in the singular or plural:
- Supervisory Authority: means the independent public authority responsible for overseeing the application of the Law applicable to data protection, in order to protect the fundamental rights and freedoms of natural persons with regard to processing and to facilitate the free flow of data within the European Union. In France, for example, the supervisory authority is the Commission Nationale de l'Informatique et des Libertés (CNIL).
- Personal data: means any information relating to an identified or identifiable natural person (hereinafter referred to as the "Data Subject"), directly or indirectly, in particular by reference to an identifier, such as name, identification number, location data, online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
- Applicable Data Protection Law: means the legislation protecting the fundamental rights and freedoms of individuals, in particular the right to privacy with regard to the processing of Personal Data, and applicable to EDUKA SOFTWARE. Applicable data protection law includes Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, as well as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, entering into force on May 25, 2018, and any other French or European texts relating to the protection of Personal Data that may supplement or amend them.
- Subsequent Subcontractor: means any subcontractor engaged by the Service Provider or any subsequent Subcontractor thereof, who agrees to receive from EDUKA SOFTWARE or any subsequent Subcontractor thereof Personal Data exclusively intended for processing activities to be carried out on behalf of Eduka Software, in accordance with Eduka Software's instructions and after having been authorized by Eduka Software, under the conditions set forth in this article. Any company belonging to the Provider's Group, which may be involved in the performance of the services and process or access the Personal Data, is also considered a Subsequent Subcontractor.
- Processing of Personal Data or Processing: means any operation or set of operations, described in this Appendix, whether or not carried out using automated processes and applied to data or sets of Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Transfer of Personal Data or Transfer: means any action of sending, communicating, copying, transmitting, disseminating or remotely accessing Personal Data, regardless of the medium or means of communication used.
- Data Breach: means a breach of security resulting in the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of Personal Data transmitted, stored or otherwise processed, or unauthorized access to such data.
Eduka Software's commitment
EDUKA SOFTWARE undertakes to comply with all legal obligations imposed on it by the applicable Data Protection Law and to process the Personal Data entrusted to it by the Customer in accordance with the provisions of the Services and Licensing Contract. The Customer has selected EDUKA SOFTWARE on the basis of its commitment to implementing appropriate technical and organizational measures in order to comply with the requirements of the applicable Data Protection Law and to guarantee the protection of the rights of Data Subjects.
Processing characteristics
The Customer authorizes EDUKA SOFTWARE, for the duration and for the sole purpose of the Services and Licensing Contract, to Process the Personal Data required for the services covered by the Contract. The characteristics of this Processing entrusted to EDUKA SOFTWARE are defined in Appendix E - RGPD appended to the Services and Licensing Contract.
In this context, EDUKA SOFTWARE undertakes to process the Personal Data exclusively on the basis of the Customer's instructions and refrains from using all or part of the Personal Data for its own account and for purposes other than those defined by the Customer.
EDUKA SOFTWARE undertakes to keep a written (including electronic) record of the categories of processing activities carried out on behalf of the Customer.
EDUKA SOFTWARE undertakes to provide a register in written form (including electronic form) of all processing activities carried out on behalf of the Customer containing:
- the name and contact details of EDUKA SOFTWARE and the Customer, and where applicable their representatives, as well as their respective DPO (Data Protection Officer),
- the categories of processing carried out on behalf of the Customer,
- the name and contact details of any subsequent subcontractors,
- data transfers outside the European Union, where applicable,
- a general description of the technical and organizational measures implemented.
EDUKA SOFTWARE shall make the register available to the Supervisory Authority upon request, and shall immediately inform the Customer of such availability.
It is specified that EDUKA SOFTWARE will not transmit the register to the Customer except in the case of controls carried out by the Control Authority and at the latter's express request.
Security and confidentiality of personal data
EDUKA SOFTWARE undertakes to implement the physical, logical and organizational safeguards necessary to protect the security of Personal Data, adapted to the information security risk presented by the Processing and, in particular, to prevent it from being accidentally or unlawfully destroyed, lost, distorted, damaged or accessed by unauthorized third parties.
In the present case, EDUKA SOFTWARE undertakes at least to implement the following technical and organizational measures and to ensure that they are respected by its employees and any subsequent Subcontractors:
- ensure that the persons authorized to process the schools' Personal Data in the context of the services undertake to respect confidentiality or are subject to an appropriate contractual obligation of confidentiality,
- ensure that those involved in the performance of the services covered by the Services and Licensing Contract are made aware of, trained in and organized to provide sufficient guarantees of security and confidentiality with regard to Personal Data,
- take all measures to prevent any misappropriation or fraudulent use of the Data, documents and information processed, and in particular: management of access rights, event logging, secure exchange and storage of Personal Data, backup of data, means of guaranteeing the confidentiality, integrity, availability and constant resilience of digital systems and infrastructures, means for restoring availability and access to Data within an appropriate timeframe in the event of a physical or technical incident, and a procedure for regularly testing, analyzing and evaluating the effectiveness of the technical and organizational measures in place,
- ensure that the technical and organizational measures put in place to protect the Data Controller's Personal Data are maintained and upgraded in an appropriate manner, in particular in line with changes in the state of the art, and implement regular tests and controls.
Violation of Personal Data
Without prejudice to the provisions of the Contract relating to the reporting of security incidents, EDUKA SOFTWARE will notify the Customer of any breach of Personal Data as soon as it becomes aware of it, by e-mail, unless the breach involves Personal Health Data, in which case notification will be made using a secure messaging system.
EDUKA SOFTWARE will provide the Customer with the following information as soon as possible after notification of the breach of security of Personal Data:
- the nature of the breach,
- the categories and approximate number of persons affected by the breach,
- the categories and approximate number of Personal Data records concerned,
- a description of the likely consequences of the personal data breach,
- a description of the measures taken or proposed to be taken by EDUKA SOFTWARE to remedy the personal data breach, including, where appropriate, measures to mitigate any negative consequences.
EDUKA SOFTWARE undertakes to cooperate to enable the Customer to notify the data breach to the competent Supervisory Authority.
Subsequent subcontractors
The Customer authorizes EDUKA SOFTWARE, in a general way, to involve other service providers (hereinafter referred to as Subcontractors) to carry out specific processing activities such as hosting, maintenance, support, assistance, training, application testing, etc.
In the event of a change or proposal for a new subcontractor, the Customer has a period of fifteen (15) days from the date of receipt of this information to present its objections, in accordance with public procurement regulations, or failing this, fifteen (15) days for other types of contract.
Subsequent subcontractors are required to fulfill their contractual obligations with EDUKA SOFTWARE on behalf of and in accordance with the instructions of the Customer. EDUKA SOFTWARE ensures that each subsequent subcontractor presents the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the Regulations. Finally, it is specified that when the subsequent subcontractor provides the agreed service with the Customer's consent outside the EU/EEA, EDUKA SOFTWARE ensures the lawfulness in terms of data protection in accordance with the GDPR provisions.
Exercise of personal rights
Insofar as possible, EDUKA SOFTWARE shall assist the Customer in fulfilling its obligation to comply with requests to exercise the rights of the persons concerned: right of access, rectification, erasure and opposition, right to limitation of processing, right to portability of Personal Data, right not to be the subject of an automated individual decision (including profiling). In such a case, any request from the Customer arising from a complaint from a person whose Personal Data has been collected must be notified to EDUKA SOFTWARE via the following email address: dpo@edukasoftware.com. The Customer acknowledges and accepts that no exchange concerning the management of requests to exercise the rights of persons concerned with regard to Personal Data relating to their health may take place by email.
When a person exercises his/her rights directly with EDUKA SOFTWARE, the latter undertakes, upon receipt of this request, to send it to the Customer by email at the address communicated by the latter.
The Customer will ensure, as soon as possible, the implementation of the actions corresponding to the request of the person concerned, it being specified that, in its capacity as Data Controller, the Customer remains responsible for the response to be given to the natural persons concerned, and the Service Provider undertakes not to respond to such requests.
EDUKA SOFTWARE draws the Customer's attention to the fact that it is the Customer's responsibility to keep an up-to-date written (including electronic) register of requests for access, rectification and opposition, containing the various dates and descriptions of exchanges with the persons concerned.
Information and audit
EDUKA SOFTWARE undertakes:
- to make available to the Customer all strictly necessary information in its possession to demonstrate compliance with the obligations set out in the applicable Data Protection Law.
- to inform the Customer immediately if, in its opinion, an instruction constitutes a violation of the applicable data protection law.
Description of the processing subject to subcontracting
Subcontracting category
According to the selected offer:
- Eduka Suite modular software suite with data hosting service (SaaS mode) on one of EDUKA SOFTWARE's digital infrastructures: with or without unlimited operational support,
- Eduka Suite modular software suite without SaaS mode: with or without unlimited operational support.
Contact
Name and contact details of EDUKA SOFTWARE's GDPR representative: EDUKA SOFTWARE's DPO, dpo@edukasoftware.com
Description of personal data processing
Purposes: object of the processing operation(s)
The nature of the operations carried out on Personal Data, the purpose(s) of the processing, the Personal Data processed, the categories of persons concerned and the duration of the processing are described in the contractual documents and, in addition, in the technical documents sent to the Customer, which include the Customer's instructions.
Generally speaking, the purpose(s) of processing are:
- Provision of software dedicated to the administrative, pedagogical and financial management of school pupils,
- Regular backup of databases and documents,
- Support for the use of the software: for the execution of support services, the customer may make the database of its web application available to support on a one-off basis under a rental contract.
Nature of operations performed on data
| Operations | Check | Comments / details |
| --- | --- | --- |
| Collection | ✅ | Information from students and their legal guardians concerning the administrative, educational and financial management of their schooling; information from school staff. |
| Registration | ✅ | Recording of all data. |
| Organization / filing / structuring | ✅ | Classification of data. |
| Storage | ✅ | Data storage in a non-proprietary MySQL/MariaDB database. |
| Adaptation or modification | ✅ | Any software data according to profiles and rights. |
| Extraction | ✅ | Output of skills assessments and school reports; issue of school certificates or exeats; invoice output; data extraction as object lists. |
| Export | ✅ | Data export via API to partners at the discretion of the person in charge of processing (access control system, canteen management software, school life software, etc.); data export to the LSU (Livret Scolaire Unique) of the French Ministry of Education (MEN). |
| Consultation | ✅ | Software: online consultation of timetables by students, their legal guardians and school staff, consultation of family accounts, consultation of results obtained by students and their legal guardians. Client support: data consultation only. |
| Use | ✅ | All software data according to profiles and rights within the scope of the purposes. |
| Communication by transmission | ✅ | Transmission of the following data with approval: LSU to French MEN; to partner applications (Pronote, Pronote Primaire, Alise, Turboself), at the choice of the data controller; at the choice of the data controller, to third-party systems using Eduka's REST APIs (controlled and traceable access). |
| Distribution or any other form of making available | ✅ | Data made available to data subjects at the https address of the Customer's dedicated web application (e.g. https://xxx.eduka.school). |
| Interconnection | ✅ | Authentication delegated to a CAS 2.0 server; integration of high value-added digital services for: school catering, school life, accounting, electronic signature, online payment, direct debit, electronic invoicing. |
| Deletion or destruction | ✅ | In compliance with legal requirements for data retention (particularly schooling and billing data) from the Data archiving menu (Eduka Configuration Module). |
| Input | ✅ | Any software data, e.g.: student and guardian information for enrolment, re-enrolment and cancellation; pedagogical information (skills, report cards) and school life information (timetables, absences); family financial information (scholarships, RIB, fraternities, etc.); sick bay management (Sick bay module subject to additional quote). |
| Control | ✅ | All software data controlled by the data controller and staff with an Administrative profile. |
| Archiving | | Structured, machine-readable exports of archive files (.zip) to be stored in a third-party file system external to the school's Eduka platform - at the choice of the data controller - to help it meet its legal data retention obligations. |
| Other | | |
Personal data processed in Eduka
The Personal Data considered to be used in the basic configuration of the Eduka suite include the following information that the Customer may be required to process via the platform:
| Data category | Check | Description of data processed in the application |
| --- | --- | --- |
| Civil status, identity, identification data, images | ✅ | Students: Age (read only), Civility, Municipality of birth code (INSEE), Account code (read only), ID code (read only), Municipality of birth, Date of birth, Passport expiry date, Visa expiry date, Mother tongue(s), Language(s) spoken, Nationality(s), Name, Full name (read only), Passport(s) or ID card no., Visa no., Country of birth, Photo (read only), First name(s), Sex, City of birth, Address (Zip code, Country, Street/Number/Residence/Building, City), E-mail address, Mobile phone number. Legal guardians: Age (read only), Account code (read only), ID code (read only), Passport expiry date, Visa expiry date, Date of birth, Tax ID, Language(s) spoken, Nationality(s), Name, Full name (read only), Passport(s) or ID card no., Visa(s) no., Photo (read only), First name, Gender, Elected school board member status. Families: Account code (read only), Full name (read only). Other contacts (in case of emergency, person authorized to pick up child at exit or external): Title, Last name, First name(s), Telephone number(s). Employees: Age (read only), Account code (read only), ID code (read only), Date of birth, Tax ID, Last name, Full name (read only), Photo (read only), First name, Gender, Type (read only). Payers: Account code (read only), ID code (read only), Tax ID, Last name, Full name (read only), First name, Gender. |
| Personal data | ✅ | Students: Transportation (Start date, End date, enrollment), Means of transportation planned, Pedagogy (Family/social situation). Legal guardians: Relationship to child, Family status, Legal status / Residence permit, Title (title), Address (Zip code, Country, Street/Number/Residence/Building, City, INSEE Commune code), E-mail address, Secondary e-mail address, Telephone (home/Mobile/Professional/Contact in priority). Families: Billing addresses, Secondary e-mail addresses, Family communication language. Personnel: Address (Postcode, Country, Street/Number/Residence/Building, City), E-mail address, Secondary e-mail addresses, Fax, Telephone. Payers: Address (Street/Number/Residence/Building, City), E-mail address, Billing addresses, Secondary e-mail addresses, Fax, Telephone. |
| School and/or working life | ✅ | Students: Permission to leave school, Other language, Badge code, Arrival date, Expected departure date, Expected date of schooling, Mother tongue(s), Spoken language(s), Proficiency in French (mother tongue, Read, Spoken, Written), Level of English (mother tongue, Read, Spoken, Written), Badge sequence number, Identifiant National de l'Elève (INE), Photos (distribution authorized), Canteen diet, Requested canteen regime, Catering regime (Monday, Tuesday, Wednesday, Thursday, Friday), Student status (SIECLE), Structure (read only), Structure (second choice), Former students (Year of promotion, Country of residence, Current profession), Destination (Future address, Future school, Future country, Future school city, Future city), Enrolment (Date of complete application), Reason for leaving, Home (Academy, School address, Previous class, Academy code, Last months/years of schooling, Original school, Approved school, UAI No., Name of school, Country of school, Type of school, City of school), Pedagogy (Pedagogical advice, Linguistic situation). Legal guardians: Socio-professional category (CSP), Employer's e-mail address, Employer (Zip code, Name, Country, Street, City), Profession, Professional status, Employer's telephone number. Personnel: Years of seniority, Start date, End date of contract, Signature. |
| Economic and financial information | ✅ | Families: Payment terms, Payment method, Advances and reimbursements, Billing addresses, Scholarship application, Dunning category. Companies: Company name, Company contact, Company contact phone no., Company address. Payers: Invoices, Transactions, Other payments, Details of invoiced charges, Unpaid, Payment schedules, Charges and deductions, Changes and status, Outstanding, Invoiced, Breakdown, Advance. |
| Bank details | ✅ | Payers: Direct debit or repayment bank account: Bank name, SWIFT/BIC code, SEPA direct debit mandate number, Account holder name, Accounting account no., RIB/IBAN, Simplified online payment PIN code. |
| Health data | ✅ | Students: Allergies (type and details), Hospitalization authorization, Medication administration authorization, Other confidential health information, Health check(s) performed for schooling, EBEP (Device, previous school), Chronic illness (asthma or other), Attending physician (Name, Telephone), Medications, Special diet, Dietary restrictions, Vaccinations (Last vaccination dates, vaccination record). |
| Login data | ✅ | IP addresses, first and last name, terminal identifier, timestamp of requests made, type of requests made. |
| Location data | | |
| Data revealing racial or ethnic origin | | |
| Data revealing political opinions | | |
| Data revealing religious or philosophical beliefs | | |
| Data revealing trade union membership | | |
| Genetic data | | |
| Biometric data for the purpose of uniquely identifying a natural person | | |
| Social security number | | |
| Data concerning sex life or sexual orientation | | |
| Data relating to criminal convictions or offences | | |
| Other data | | |
Categories of persons concerned
- Administrative and management staff, teachers and service providers
- School students
- Legal guardians of school students
- Payers
- Other contacts
Data transfer outside the EU
Personal Data may be transferred to EDUKA SOFTWARE legal entities, its partners, as well as to certain subcontractors located outside the EU, the European Economic Area, or countries recognized as having an adequate level of security by the European Commission. In this case, EDUKA SOFTWARE takes the necessary guarantees and implements the appropriate tools to supervise these transfers pursuant to Article 46 of the GDPR in order to protect the Personal Data of the persons concerned.