1. This Data Processing Addendum (“DPA”) forms part of the Loora for Organizations Terms (“B2B-Terms”) between Loora A.I Ltd. (“Loora”) and the Partner, as defined under the B2B-Terms.

  2. In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an addendum to the B2B-Terms. Except as modified below, the terms of the B2B-Terms shall remain in full force and effect. Capitalized terms used but not defined herein shall have the meaning ascribed to them in the B2B-Terms.

  3. Under the B2B-Terms, the nature and purposes of processing Partner Personal Data by Loora as data processor shall be limited to those set forth in Schedule 1.

  4. The Parties hereby acknowledge that Loora is also a controller of certain personal data related to the Partner and Permitted User, as defined in the B2B-Terms. Such personal data, processed by Loora as a controller, is governed by Loora’s Privacy Policy, and is not subject to this DPA.

  5. Definitions 5.1 In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly: 5.1.1 “Applicable Laws” means (a) European Union or Member State laws with respect to any Partner Personal Data for which any Partner is subject to EU Data Protection Laws; (b) the California Consumer Privacy Act of 2018 (“CCPA”) with respect to any Partner Personal Data for which any Partner is subject to the CCPA; and (c) any other applicable law with respect to any Partner Personal Data for which any Partner is subject to any other Data Protection Laws; 5.1.2 “Partner Personal Data” means any Personal Data Processed by Loora as a processor on behalf of the Partner pursuant to or in connection with the B2B-Terms. This term does not include any personal data that Loora processes as a controller, according to the B2B-Terms. 5.1.3 “Data Protection Laws” means EU Data Protection Laws, the CCPA and, to the extent applicable, the data protection or privacy laws of any other country; 5.1.4 “EEA” means the European Economic Area; 5.1.5 “EU Data Protection Laws” means the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”) and laws implementing or supplementing the GDPR; 5.1.6 “Restricted Transfer” means: 5.1.6.1 a transfer of Partner Personal Data from any Partner to Loora; or 5.1.6.2 an onward transfer of Partner Personal Data from Loora to a Sub-processor, or between two establishments of Loora, in each case where such transfer would be restricted by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws); 5.1.7 “Services” means the services and other activities to be supplied to or carried out by or on behalf of Loora for Partner pursuant to the B2B-Terms; 5.1.8 “Standard Contractual Clauses” means the standard contractual clauses adopted by the European Commission, as set out in Schedule 2, amended as indicated in that Schedule; 5.1.9 “Sub-processor” means any person (including any third party and any Loora affiliate, but excluding an employee of Loora or any of its sub-contractors) appointed by or on behalf of Loora to Process Personal Data on behalf of the Partner in connection with the B2B-Terms; and 5.1.10 “Loora” means Loora A.I Ltd. and any entity that owns or controls, is owned or controlled by, or is or under common control or ownership with Loora. Control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise. 5.1.11 “Party”/“Parties” means the Partner and Loora separately, or jointly, as the case may be; 5.1.12 “Purpose” means as described in Schedule 1; and 5.1.13 “Supervisory Authority” means any court, regulatory agency or authority which, according to Applicable Laws and/or regulations, supervises privacy issues and/or the processing of personal data. 5.2 The terms, “commission”, “controller”, “data subject”, “member state”, "service provider", "business", "customer", "business purpose", “personal data” or "personal information", “personal data breach”, “processing”, “processor”, "sale" and “supervisory authority” shall have the same meaning as in the GDPR or in the CCPA, as applicable, and their cognate terms shall be construed accordingly. In addition, each of the terms defined in this section 4.2 shall have the meaning of its equivalent in the GDPR or in the CCPA, as applicable.

  6. Special undertakings of the Parties 6.1 Roles, ownership of personal data, processing and purpose 6.1.1 The Partner shall be considered, in the context of the CCPA as the business, and in the context of the GDPR as the controller of the personal data processed on its behalf and in accordance with its instructions, which concerns its respective data subjects, or customer, as applicable. Loora shall be considered, in the context of the CCPA as the service provider and in the context of the GDPR, as a processor of the personal data processed on behalf of the Partner. 6.1.2 Loora may only process the Partner Personal Data for the Purpose and to the extent it is necessary for the fulfilment of Loora’s obligations under this DPA or the B2B-Terms. 6.1.3 Loora is prohibited from: (i) Selling Partner personal data; and (ii) retaining, using, or disclosing Partner personal data outside of the direct business relationship between Loora and Partner. 6.1.4 This DPA shall apply to the actions of any of Loora or Partner’s affiliates performing tasks and obligations in the context of this DPA and any such affiliates shall have all rights and obligations set forth in this DPA as if they were Loora or Partner, as applicable. 6.2 Special undertakings of the Partner 6.2.1 The Partner undertakes to: (a) Ensure that there is a legal ground for processing the personal data covered by this DPA; (b) Obtain explicit consent from the data subjects for processing the personal data covered by this DPA and related to their performances within the Service, including English assessment test results. (c) Ensure that any disclosure or transfer of Partner Personal Data to Loora confirms to the Applicable Laws. (d) Inform Loora about any erroneous, rectified, updated or deleted personal data subject to Loora’s processing; (e) Fully comply with any request of data subjects and with any data subject rights under Applicable Laws; (f) Provide Loora with documented instructions regarding Loora’s processing of the personal data, as may be required from time to time; (g) Ensure that, to the extent it collects by itself the Personal Data processed by Loora under this DPA, or otherwise makes available such Personal Data to Loora, (i) it collects, obtains and processes personal data lawfully, without violating any third parties' rights, contractual obligations or Data Protection Laws; (ii) it has all rights, consents, authorization and title to grant the rights and permissions to use the Personal Data under the terms of the B2B-Terms; (iii) its processing and use of the Personal Data will not violate the customers' rights and other third parties, including without limitation privacy, data protection, good-will, good name, publicity, confidentiality and intellectual property rights. (h) When the CCPA applies, ensure that only such employees that are handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA, have received appropriate training and instructions regarding the CCPA and especially sections 1798.100, 1798.105, 1798.110, 1798.115 and 1798.125 of the CCPA, and how to direct consumers to exercise their rights under such sections. 6.3 Special undertakings of Loora 6.3.1 Loora undertakes to: (a) Only process the Partner Personal Data in accordance with Applicable Laws and the Partner documented instructions, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Applicable Laws; in such a case, Loora shall inform the Partner of that legal requirement before processing the personal data, unless such information is prohibited by the Applicable Laws on important grounds of public interest; (b) Taking into account the nature of the processing, implement appropriate technical and organisational measures to reasonably ensure a level of security appropriate to the risk and reasonably assist the Partner by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the obligations of the controller or the business, as applicable, to respond to requests for exercising the rights of the data subject or customer, as applicable, or with respect to data breaches in Applicable Laws; and (c) Make available to the Partner all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA.

  7. Processing of Partner Personal Data 7.1 The Partner: 7.1.1 instructs Loora (and authorises Loora to instruct each Sub-processor) to: 7.1.1.1 process Partner Personal Data; and 7.1.1.2 in particular, transfer Partner Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the B2B-Terms; and 7.2 ‎Schedule 1 to this DPA sets out certain information regarding Loora’s processing of the Partner Personal Data. Partner shall immediately inform Loora of any required amendments to ‎Schedule 1 by written notice to Loora, and the Parties shall negotiate in good-faith the amendment of Schedule 1.

  8. Confidentiality Loora shall take reasonable steps to ensure the reliability of any employee, agent or contractor of Loora who may have access to the Partner Personal Data, and to ensure that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

  9. Data Security Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Loora shall in relation to the Partner Personal Data implement appropriate technical and organizational measures to reasonably ensure a level of security appropriate to that risk.

  10. Sub-processing 10.1 Partner authorises Loora to appoint (and permit each Sub-processor appointed in accordance with this Section ‎10 to appoint) the Sub-processors listed in Schedule 3 attached hereto, in accordance with this Section ‎10 and any restrictions in the B2B-Terms. Loora shall be entitled to add and/or remove any sub-processor from Schedule 3 upon a prior written notice to Partner, provided that the Partner does not refuse the addition of any Sub-processor within seven (7) days thereafter. If Partner refuses the addition of any Sub-processor to Schedule 3, Loora shall be entitled to immediately terminate this DPA and the B2B-Terms. 10.2 With respect to each Sub-processor, Loora shall: 10.2.1 ensure that the arrangement between Loora, and the Sub-processor, is governed by a written contract including terms which offer at least the same level of protection for Partner Personal Data as those set out in this DPA; and 10.2.2 if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between Loora and the Sub-processor. 10.3 Loora shall ensure that each Sub-processor performs the obligations under this DPA, as they apply to processing of Partner Personal Data carried out by that Sub-processor, as if it were party to this DPA in place of Loora.

  11. Data subject rights 11.1 Loora shall: 11.1.1 promptly notify Partner if Loora receives a request from a data subject or a customer, as applicable, under any Data Protection Law in respect of Partner Personal Data; and 11.1.2 ensure that Loora does not respond to that request except on the documented instructions of Partner or as required by Applicable Laws to which Loora is subject. 11.2 Where Partner is required to delete Personal Data about a data subject or customer, as applicable, it will direct Loora accordingly and Loora undertakes to delete such Personal Data from its records.

  12. Personal Data Breach 12.1 Loora shall notify Partner without any delay but no later than within 48 hours in writing upon Loora or any Sub-processor becoming aware or has reasons to believe of a Personal Data Breach affecting Partner Personal Data, providing Partner with reasonably sufficient information to allow Partner to meet its obligations to report or inform data subjects or customers, as applicable, of the Personal Data Breach under the Data Protection Laws. 12.2 Immediately following Loora’s notification to Partner of a Personal Data Breach, the Parties shall coordinate with each other to investigate the breach. Loora agrees to reasonably cooperate with Partner, at Partner’s expense, in Partner’s handling of the matter, including, without limitation: 12.2.1 assisting with any investigation; 12.2.2 facilitating interviews with Loora’s employees and others involved in the matter; and 12.2.3 making available all reasonably necessary records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards or as otherwise reasonably required by Partner. 12.3 Loora agrees to assist Partner in advising the Supervisory Authority and data subjects or customers, as applicable, about Personal Data Breach. It shall not, however, inform any third party of any Personal Data Breach without first obtaining Partner’s prior written consent, other than to inform a complainant (if any) that the matter has been forwarded to Partner, or if otherwise required under any Applicable Law. 12.4 Partner shall reimburse Loora for actual reasonable costs incurred by Loora in responding to, and mitigating damages caused by any security incident or Personal Data Breach, including all costs of notice and/or remediation.

  13. Data Protection Impact Assessment and Prior Consultation Loora shall provide reasonable assistance to Partner, at Partner’s expense, with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, in each case solely in relation to Processing of Partner Personal Data by Loora and taking into account the nature of the Processing and information available to Loora.

  14. Cooperation and Coordination Upon reasonable request by Partner, Loora shall as promptly and as reasonably practicable provide Partner with a written report containing information reasonably requested by Partner relating to: (i) any security event and Personal Data Breach; or (ii) actual or reasonably suspected non-compliance with this DPA. In addition, Loora shall provide Partner with any documents reasonably requested by Partner related to the foregoing, including without limitation, any information security assessment and security control audit reports.

  15. Deletion or return of Partner Personal Data 15.1 Subject to Section ‎15.2 Loora shall promptly and in any event within fourteen (14) days of the date of termination or expiration of any Services involving the Processing of Partner Personal Data (the “End Date”), or of the date of a written notice by Partner, delete and procure the deletion of all copies of those Partner Personal Data. 15.2 Loora may retain Partner Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Loora shall ensure the confidentiality of all such Partner Personal Data and shall ensure that such Partner Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.

  16. Audit rights 16.1 At the request of Partner and on its expense, but not more than once per year, Loora shall conduct site audits of the information technology and information security controls for all facilities used in complying with its obligations under this DPA. Partner shall treat such audit reports as Loora’s confidential information. 16.2 Partner shall have the right to perform audits, not more than once per calendar year and upon prior written notice of at least thirty (30) days to Loora, of Loora’s processing of the Partner Personal Data in order to verify Loora’s, and any Sub-processor’s, compliance with this DPA. The audit shall be confined to processing documentation prepared by Loora and logged and documented information regarding its information security measures, and in any event will not entitle Partner to conduct technological investigations on Loora’s information systems. 16.3 Partner shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to Loora's premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. 16.4 If any Supervisory Authority: (i) contacts Loora with respect to its systems or any processing of Partner Personal Data carried out by Loora, (ii) conducts, or gives notice of its intent to conduct, an inspection of Loora with respect to the processing of Partner Personal Data, or (iii) takes, or gives notice of its intent to take, any other regulatory action alleging improper or inadequate practices with respect to any processing of Partner Personal Data carried out by Loora, then Loora shall immediately notify the Partner and shall subsequently supply the Partner with all information pertinent thereto to the extent permissible by law. 16.5 Partner shall bear all costs for audits set out herein.

  17. Restricted Transfers 17.1 In the event that the processing activities under this DPA are considered Restricted Transfer, the Partner (as “data exporter”) and Loora, (as “data importer”) hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from that Partner to Loora. 17.2 The parties acknowledge that the EU Data Protection Laws does not require Standard Contractual Clauses for Partner Personal Data to be processed in or transferred to a country that has been declared as an adequate country be the European Commission.

  18. General Terms 18.1 Governing law and jurisdiction 18.1.1 Without prejudice to Mediation and Jurisdiction and Governing Law sections of the Standard Contractual Clauses: 18.1.1.1 the Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the B2B-Terms with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and 18.1.1.2 this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the B2B-Terms. 18.2 Assignation of rights or obligations 18.2.1 Unless otherwise agreed in this DPA, neither Party may assign its rights or obligations under this DPA without the prior written consent of the other Party. 18.3 Notices 18.3.1 All notices to a Party under this DPA shall be in writing and sent to its address as set forth at the beginning of this DPA, or to such other address as such Party has provided the other in writing for such purpose. Notices may be sent by post, courier, fax or email. 18.3.2 Notices shall be deemed to have been duly given (i) on the day of delivery when delivered in person or by courier, (ii) three (3) business days after the day when the notice was sent when sent by post, and (iii) on the day when the receiver has manually confirmed that it is received when sent per fax or email. 18.4 Term and termination 18.4.1 This DPA shall enter into force on the date on which Partner accepted, or the Parties otherwise agreed to, this DPA. This DPA shall remain in force until the end of Loora’s provision of the Services, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Loora may continue providing the Services (for example, until the end of the applicable billing cycle), whereupon it shall terminate automatically without further notice. 18.4.2 Without prejudice to the foregoing, each Party may terminate this DPA due to a material breach of the terms of this DPA. In such case, this DPA shall be terminated with immediate effect if the breaching Party fails to cure such breach in a satisfactory manner within fifteen (15) days after receiving written demand from the other Party. 18.4.3 Without prejudice to the foregoing, either Party may terminate this DPA by terminating the B2B-Terms, according to terms stipulated therein. 18.5 Liability and indemnification 18.5.1 Any loss suffered by a Party resulting from, arising out of or relating to a breach of this DPA shall be governed by the provisions regarding liability and limitation of liability in the B2B-Terms. 18.5.2 Partner shall indemnify and hold Loora harmless from and against all losses due to claims from third parties including government/authority fines and penalties resulting from, arising out of or relating to any breach by Partner of this DPA and the applicable Data Protection Laws.

SCHEDULE 1

DESCIPTION OF THE PROCESSING OF PERSONAL DATA

  1. THE PROJECT