Data Processing Schedule – USA Customers

1. Definitions

1.1 “Agreement”: the contract between Psychology Tools and Customer for the provision of the Services, which may be a bespoke Service Agreement or a contract incorporating Psychology Tools’ standard Terms and Conditions.

1.2 “Applicable Privacy Laws” means all federal, provincial and foreign laws and regulations relating to the processing, protection or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction applicable to each party. This includes, but is not limited to, the European Union General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) and the United Kingdom General Data Protection Regulation and amended Data Protection Act 2018 (collectively, the “GDPR”), the California Consumer Privacy Act of 2018 (“CCPA”)(as amended by the California Privacy Rights Act of 2020 (“CPRA”)), United States data breach notification laws, and all other emerging privacy regulations in the United States and all jurisdictions implicated by the Services.

1.3 “Customer”: the customer to whom Psychology Tools provides Services under the Agreement.

1.4 “Data Breach” means any act or omission that compromises the security, confidentiality or integrity of Personal Information in the custody or control of Psychology Tools or the physical, technical, administrative or organizational safeguards put in place to protect Personal Information.

1.5 “DPA” has the meaning set forth in Section 2.1.

1.6 “Personal Information” means information about an identifiable individual or that may identify an individual and includes all such information obtained by Psychology Tools from the Customer or its users that Psychology Tools may access, collect, use, disclose, transfer, process or store pursuant to the Agreement and as further specified in Section 7.

1.7 “Processing, processes, or process” means any operation which is performed upon Personal Information, whether or not by automatic means, including but not limited to the access, acquisition, collection, recording, organization, storage, alteration, retrieval, consultation, use, disclosure, combination, transfer, blocking, return or destruction of Personal Information.

1.8 “Psychology Tools”: Psychology Tools Limited, a company registered in England and Wales under company number 10810854 with its registered office at Reading Bridge House, Fourth Floor, Suite 3, George Street, Reading, England, RG1 8LS.

1.9 “Services”: the services to be provided by Psychology Tools to the Customer as described in the Agreement.

2. General: Data Protection

2.1 This Data Processing Addendum (“DPA”) is subject to the terms of the Agreement and is incorporated into the Agreement.

2.2 Both parties will comply with all applicable requirements of the Applicable Privacy Laws. This Section 2 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Applicable Privacy Laws.

2.3 The Customer and Psychology Tools acknowledge and agree:

(a) the Customer retains control of the Personal Information and remains responsible for its compliance obligations under the Applicable Privacy Laws, providing any required notices and obtaining any required consents, and for the processing instructions it gives to Psychology Tools;

(b) the Customer remains responsible for the written processing instructions it gives to Psychology Tools; and

(c) Section 7 describes the general Personal Information categories and types of individuals that Psychology Tools may process to fulfil its obligations under the Agreement. Customer discloses Personal Information to Psychology Tools only for the limited purpose of fulfilling its obligations under the Agreement.

3. Processor’s Obligations

3.1 Psychology Tools will process the Personal Information to fulfil its valid legal obligations under this DPA and the Agreement and only in accordance with the written instructions of the Customer unless Psychology Tools is required by Applicable Privacy Laws to otherwise process that Personal Information. Psychology Tools will notify Customer if, in its opinion, the Customer’s instructions do not comply with Applicable Privacy Laws. Processor shall not:

(a) Sell or Share Personal Information (as defined under CCPA/CPRA);

(b) Combine Personal Information with data received from other sources, except as permitted by law; or

(c) Retain, use, or disclose Personal Information for any purpose other than in accordance with the written instructions of the Customer.

3.2 Psychology Tools will implement reasonable administrative, technical, and physical safeguards appropriate to the nature of the Personal Data.

3.3 Psychology Tools will ensure that all personnel who have access to and/or process Personal Information are obliged to maintain the confidentiality of the Personal Information and will not disclose the Personal Information to third parties unless the Customer authorizes the disclosure in writing, or as required by Applicable Privacy Laws, court or regulator.

3.4 Psychology Tools will reasonably assist the Customer, at the Customer’s cost, in responding to any request from individuals or applicable data protection authorities relating to the processing of Personal Information under the Agreement. In the event that any such request is made directly to Psychology Tools, Psychology Tools will not respond to such communication directly without Customer’s prior authorization, unless legally required to do so. If Psychology Tools is required to respond to such a request, Psychology Tools will notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

3.5 If a law enforcement agency sends Psychology Tools a demand for Personal Information (for example, through a subpoena or court order), Psychology Tools will endeavour to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Psychology Tools may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Personal Information to a law enforcement agency, then Psychology Tools will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Psychology Tools is legally prohibited from doing so.

3.6 Psychology Tools will comply with any Customer request or instruction requiring Psychology Tools to amend, transfer or delete the Personal Information, or to stop, mitigate or remedy any unauthorized processing. Psychology Tools will maintain the confidentiality of all Personal Information and will not disclose the Personal Information to third parties unless the Customer, this DPA or this Agreement specifically authorizes the disclosure in compliance with Applicable Privacy Laws, or as otherwise required by law.

3.7 Psychology Tools will limit Personal Information access to: (a) those employees who require Personal Information access to meet Psychology Tools’ obligations under this Agreement; and (b) the part or parts of the Personal Information that those employees strictly require for the performance of their duties.

3.8 Psychology Tools will notify the Customer in the event that Psychology Tools becomes aware of a Data Breach and take steps to contain the Data Breach and recover the Personal Information lost, if any. Psychology Tools will investigate all Data Breaches and report the results of the investigation to the Customer as soon as feasible after Psychology Tools has determined the breach has occurred.

3.9 Psychology Tools will also comply with all mandatory data breach requirements contained in the Applicable Privacy Laws where legally required to do so.

3.10 Nothing in this Agreement prevents Psychology Tools from retaining Personal Information as it is required to retain in order for it to comply with any applicable legal, regulatory or professional requirements. Psychology Tools agrees that it will at all times ensure the security of any Personal Information retained to comply with such requirements, in accordance with this Agreement.

4. Security

4.1 Psychology Tools will ensure that it has in place appropriate technical and organizational measures to protect Personal Information from Data Breaches and preserve the security and confidentiality of the Personal Information, in accordance with industry security standards and appropriate to the sensitivity of the Personal Information. Psychology Tools reserves the right, in its sole discretion, to change or modify its security practices at any time, so long as such changes or modifications do not lessen such protections and at all times during the Agreement, maintains adequate data security.

5. Cross-Border Transfers of Personal Data

5.1 Customer acknowledges and agrees that Psychology Tools may use third-party processors to process the Personal Information outside of the United States, for example in England, as further specified in Section 6 and on Psychology Tools’ Subprocessors page. The parties acknowledge that, under current U.S. privacy laws, Cross-Border Transfers are permitted provided contractual and operational safeguards are maintained. Psychology Tools will not otherwise transfer any Personal Information to any jurisdiction outside of the United States unless prior written consent of the Customer has been obtained and the following conditions are fulfilled:

(a) the Customer or Psychology Tools has provided appropriate safeguards in relation to the transfer;

(b) the individual to which the Personal Information relates has enforceable rights and effective legal remedies;

(c) Psychology Tools complies with its obligations under the Applicable Privacy Laws by providing an adequate level of protection to any Personal Information that is transferred; and

(d) Psychology Tools complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Information.

6. Subprocessors

6.1 The Customer consents to Psychology Tools appointing the subprocessors listed on Psychology Tools Subprocessors page at https://www.psychologytools.com/subprocessors as third-party processors of Personal Information under this Section 6.

6.2 Psychology Tools will maintain an up-to-date list of its subprocessors on that Subprocessors page.

6.3 Psychology Tools may update its list of subprocessors from time to time.

6.4 Psychology Tools confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on (i) the third party's standard terms of business or (ii) bespoke terms which in either case reflect and will continue to reflect the requirements of the Applicable Privacy Law.

6.5 As between the Customer and Psychology Tools, Psychology Tools shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this Section 6.

7. Details of the Processing

CategoryDetails
ScopePsychology Tools is the processor of the Personal Information in accordance with the Services it provides under the Agreement.
Nature and purpose of processingCustomer will be able to grant its users access to Psychology Tools’ Platform so that they may access and use Psychology Tools’ resources. This will involve users inputting Personal Information into the Platform which Psychology Tools will process to assist the Customer to provide services to its users.

Psychology Tools will collect payment data in the first instance to facilitate payment of services, which is enacted by our payment processor.
Duration of the processingThe term of the Agreement or such longer term as may otherwise be agreed by the parties.
Types of Personal InformationIdentity Data – includes name.
Contact Data – includes email address.
Payment Data – includes payment card details.
Technical Data – includes internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices used to access the Platform.
Profile Data – includes username and password.
Usage Data – includes information about how users interact with and use the Platform and the Resources.
Special Category Data – namely data relating to physical and mental health which, along with other Personal Data, may be inputted into the Platform in the course of using the Resources.
Categories of individuals that Psychology Tools will process Personal Information of on behalf of CustomerThe Customer, the Customer’s employees where applicable, and the Customer’s users, including patients. On occasion data subjects may also include the Customer’s supervisees and students, and family members/carers of the Customer’s patients.