Wokwi - Data Processing Addendum

This Data Processing Addendum (“Addendum”) is entered into on by and between Wokwi B.V. (“Company”) and the school, school district, school system, tutoring center or educational institution (“Institutional Customer”) who is a party under the Wokwi Terms of Service (the “Terms”) with the Company, for the provision of the web simulator for embedded & IoT Systems that assists in learning and planning embedded device interactions and programming through a school environment (“Wokwi Classroom”).

WHEREAS, the Company is involved in processing certain personal data or personal information on behalf of the Institutional Customer (“Institutional Customer Personal Data”) as part of Wokwi Classroom pursuant to the Terms, and the parties wish to regulate the Company’s processing of such personal data, through this Addendum.

THEREFORE, the parties have agreed to this Addendum, consisting of these parts:

| Part | Is applicable and in force? |
| --- | --- |
| Part One – General provisions | Always applies and in force for Wokwi Classroom. |
| Part Two – EU/EEA or UK GDPR DPA | Only if the Institutional Customer is subject to the UK or EU/EEA GDPR regarding the personal data that the Company processes for it when providing the Wokwi Classroom. |
| Part Three – State Privacy Laws in the U.S. | Only if the Institutional Customer is subject to state privacy laws in the U.S. regarding the personal data that the Company processes for it. |
| Part Four – Federal Privacy Laws in the U.S. | Only if the Institutional Customer is subject to federal privacy laws in the U.S. regarding the electronic student education record information that the Company processes for it. |

Part 1 (General Provisions)

  1. Scope. This Addendum and any of its Parts apply only where the Company is processing Institutional Customer Personal Data on behalf of the Institutional Customer and under the Institutional Customer’s instruction. It does not apply to (i) the Company’s processing data to operate its services (under its own Terms and Policies), such as when providing the web simulator service outside of a school environment or managing the user account outside of Wokwi Classroom (“Wokwi”), (ii) the Company’s processing of non-personal data, or (iii) the Company’s processing data to administer the business or contractual relationship between the Company and the Institutional Customer.

  2. Order of Precedence. In the event of any conflicting provisions between this Addendum and the Terms or any other terms in place between the parties, the provisions of this Addendum prevail.

  3. Data security. Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of the Company’s processing of Institutional Customer Personal Data, the Company will implement and maintain reasonable security procedures and practices appropriate to the nature of the Institutional Customer Personal Data, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure (including data breaches).

  4. Data Subject Requests. The Company will follow Institutional Customer’s instructions to accommodate data subjects’ requests to exercise their rights in relation to their information within the Institutional Customer Personal Data, including accessing their data, correcting it, restricting its processing or deleting it. The Company will pass on to Institutional Customer requests that it receives (if any) from data subjects regarding their information processed by the Company. The Company shall notify Institutional Customer of the receipt of such request without undue delay, together with the relevant details.

  5. Return or deletion of information. Upon Institutional Customer’s written request where no subsequent further processing is required, the Company shall, at the instruction of Institutional Customer, either delete, destroy or return to Institutional Customer, some or all (however instructed) of the personal information that it and its third party suppliers process for Institutional Customer. Upon Institutional Customer’s request, the Company will furnish written confirmation that the Personal Data has been deleted or returned pursuant to this section.

  6. Disclosure. Unless legally prohibited, the Company will provide Institutional Customer prompt notice of any request it receives from authorities to produce or disclose Institutional Customer Personal Data it has Processed on Institutional Customer’s behalf, so that Institutional Customer (or its customer) may contest or attempt to limit the scope of the production or disclosure request.

  7. Data Breaches. The Company shall without undue delay notify Institutional Customer of any actual or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Institutional Customer Personal Data, that it becomes aware of. The Company will investigate the breach, and take all available measures to mitigate the breach and prevent its reoccurrence. The Company will cooperate in good faith with Institutional Customer on issuing any statements or notices regarding such breaches, to authorities and data subjects.

  8. Subcontracting to suppliers. Institutional Customer authorizes the Company to subcontract any of its Wokwi Classroom-related activities consisting of the processing of the Institutional Customer Personal Data or requiring Institutional Customer Personal Data to be processed by any third party supplier without the prior written authorization of Institutional Customer provided that: (a) the Company shall ensure that the third party is bound by similar obligations under this Part 1 and Data Protection Laws, including Article 28 of the GDPR; and (b) the Company is liable to Institutional Customer for the performance of any such third party that fails to fulfil its obligations.

  9. Details of Processing. The nature and purposes of the Processing activities, categories of data subjects whose personal data may be processed, categories of personal data Processed, frequency of the Processing, the period for which the personal data will be retained and (sub-) processors list are all specified in Appendix A of this Addendum.

  10. Confidentiality. The Company will ensure that its staff authorized to process the Institutional Customer Personal Data are contractually bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

  11. Disputes. Any dispute that the parties are unable to amicably resolve under this Addendum, shall be subject to the sole and exclusive jurisdiction and venue specified in the Terms.

  12. Liability. Each party’s total and aggregate liability to the other party under this Addendum for any direct or indirect damages asserted in connection with this Addendum, whether in tort (including negligence), contract, indemnity, strict liability, or otherwise, is capped as specified in the Terms.

Part 2 (GDPR DPA)

  1. Capitalized terms used in this Part 2 but not defined herein or in the Terms shall have the meaning ascribed to them in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) applicable as of 25 May 2018 and any national law supplementing the GDPR, and the UK Data Protection Act 2018 under the European Union (Withdrawal) Act 2018 as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419); these shall collectively be referred to in this Part 2 as “Data Protection Law”.

  2. Institutional Customer commissions, authorizes and requests that the Company Process the Institutional Customer Personal Data under the instructions of Institutional Customer. The Company will Process the Personal Data only on Institutional Customer’s behalf (it being understood that Institutional Customer may be acting as a processor for and on behalf of its Institutional Customer, the Controller). The Company and Institutional Customer are each responsible for complying with the Data Protection Law as applicable to their roles.

  3. The Company will Process the Personal Data only on instructions from Institutional Customer documented in this Addendum or otherwise provided in writing, which instructions must be consistent with the nature and characteristics of the Wokwi Classroom. The foregoing applies unless the Company is otherwise required by law to which it is subject (and in such a case, the Company shall inform Institutional Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). The Company shall immediately inform Institutional Customer if, in the Company's opinion, an instruction is in violation of Data Protection Law.

  4. The Company will make available to Institutional Customer and the Data Controller all information at its disposal necessary to demonstrate compliance with the obligations under Data Protection Law.

  5. The Company will make available to Institutional Customer all information at its disposal necessary to demonstrate compliance with the obligations under Data Protection Law, shall maintain all records required by Article 30(2) of the GDPR, and shall make them available to the Institutional Customer upon request.

  6. The Company will follow Institutional Customer’s instructions to accommodate Data Subjects’ requests to exercise their rights in relation to their Personal Data, including accessing their data, correcting it, restricting its processing or deleting it, within the boundaries of the Wokwi Classroom’s capabilities and features. The Company will pass on to Institutional Customer requests that it receives from Data Subjects regarding their Personal Data Processed by the Company. Any request from Data Subjects arising out of the processing of Personal Data by the Company, including but not limited to rectification, erasure, and blocking of Personal Data, portability requests and objection, has to be asserted to Institutional Customer. Institutional Customer is solely liable for responding to Data Subjects on such requests.

  7. Institutional Customer authorizes the Company to engage another sub-processor for carrying out specific processing activities, provided that the Company informs Institutional Customer at least 10 business days in advance of any new or substitute sub-processor, in which case Institutional Customer shall have the right to object, on reasoned grounds, to that new or replaced sub-processor. If Institutional Customer so objects, the Company may not engage that new or substitute sub-processor for the purpose of Processing Personal Data, and the Company may either select another sub-processor in which case the above procedure shall repeat, or if it so chooses, terminate the Terms with no liability to Institutional Customer for such premature termination.

  8. Without limiting the foregoing, in any event where the Company engages another sub-processor, the Company will ensure that the same data protection obligations as set out in this Addendum are likewise imposed on that other sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where the other sub-processor fails to fulfil its data protection obligations, the Company shall remain fully liable to Institutional Customer for the performance of that other sub-processor’s obligations.

  9. The Company and its other sub-processors will only Process the Personal Data in member states of the European Economic Area, in territories or territorial sectors or organizations recognized by an adequacy decision of the European Commission (or as applicable, the UK GDPR regulations), as providing an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR or using adequate safeguards as required under Data Protection Law governing cross-border data transfers (e.g., Standard Contractual Clauses).

  10. Subject to prior coordination between the Institutional Customer and the Company as to the timing and agenda of the audit, following Institutional Customer’s written request, the Company shall allow for and contribute to audits, including carrying out inspections conducted by Institutional Customer, the Controller, or another auditor mandated by Institutional Customer or the Controller in order to establish the Company's compliance with this Addendum and the provisions of the applicable Data Protection Law as regards the Personal Data that the Company processes on behalf of Institutional Customer. Such audits or inspections shall be carried out during the Company’s ordinary business hours, not more than one business day per year (unless Data Protection Law or a supervisory authority mandates more frequent audits or inspections), shall be conducted with minimal disruption to the Company’s business activities, and be subject to confidentiality undertakings satisfactory to the Company.

  11. The Company will assist, within a reasonable scope of assistance, Institutional Customer and the Controller with the preparation of data privacy impact assessments and prior consultation as appropriate (and if needed).

Part 3 (State Privacy Laws in the U.S.)

  1. Definitions
  1. The Company may only Process the Covered Information to perform the Terms. The parties agree that the Institutional Customer is only disclosing the Covered Information to the Company so that the Company can provide Wokwi Classroom to the Institutional Customer. The Company is prohibited from retaining, using, or disclosing the Covered Information for any commercial purpose other than the foregoing business purposes. Additionally, the Company is prohibited from retaining, using, or disclosing the Covered Information pursuant to these Terms outside the direct business relationship between the Company and Institutional Customer.
  2. The Company must not Sell or Share any Covered Information it Processes.
  3. The Company shall comply with all applicable sections of the Applicable State Privacy Laws and shall provide, with respect to Covered Information, the same level of privacy protection as required by Applicable State Privacy Laws.
  4. Commensurate with the nature of the Company’s Wokwi Classroom to Institutional Customer and in accordance with Institutional Customer’s specified instructions to the Company, the Company shall help Institutional Customer to comply with Consumer requests made pursuant to Applicable State Privacy Laws of which the Company is informed by Institutional Customer.
  5. The Company grants Institutional Customer the right to take reasonable and appropriate steps to ensure that the Company uses the Covered Information in a manner consistent with Institutional Customer’s obligations under this Addendum and Applicable State Privacy Laws. The Company grants Institutional Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate the Company’s unauthorized use of Covered Information.
  6. The Company must promptly notify Institutional Customer when it makes a determination that it can no longer meet its obligations under this Addendum or Applicable State Privacy Laws.

Part 4 (Federal Privacy Laws in the U.S.)

  1. Definitions.
  1. The Company agrees to comply with the re-disclosure limitations of personally identifiable information from education records as set forth in the Family Educational Rights and Privacy Act (FERPA), 34 CFR § 99.33(a)(2), and with the terms stated in this Addendum. Pursuant to 34 CFR § 99.33(a)(2), any officers, employees, or agents of the Company who receive education record information from the Institution may use such information solely for the purpose for which the disclosure was made.
  2. The Company acknowledges that, while providing Wokwi Classroom, it will have access to CDI. Any CDI held by the Company will be made available to the Institutional Customer upon request by the Institutional Customer. The Institutional Customer hereby authorizes the Company to access, process and use CDI as a “school official”, in accordance with FERPA, 34 C.F.R. 99.31(a)(1)(B).
  3. The Company agrees to treat all CDI as strictly confidential and shall not use or disclose CDI received from or on behalf of the Institutional Customer or its students, except as expressly permitted under the agreement between the Company and the Institutional Customer, as required by applicable law, for improving its services or as otherwise authorized in writing by the Institutional Customer. CDI shall be used solely for the purpose for which it was disclosed and permitted under the agreement. The Company may use de-identified data for services development, research, or other purposes. De-identified data will have all direct and indirect personal identifiers removed. Furthermore, the Company agrees not to attempt to re-identify de-identified data and not to transfer de-identified data to any party unless that party agrees not to attempt re-identification.
  4. Upon termination, expiration, or other conclusion of the Terms, the Company shall return all CDI to the Institutional Customer or, if return is not feasible, shall securely destroy all such data. In cases of destruction, the Company shall provide the Institutional Customer with a written certification confirming the date and method of destruction.
  5. The Company shall implement and maintain appropriate administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of all CDI that is electronically maintained or transmitted. These security obligations shall also apply to any subcontractors engaged by the Company. The Company will store and process CDI in accordance with industry practices. This includes appropriate administrative, physical, and technical safeguards to secure CDI from unauthorized access, disclosure, and use. The Company will conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner.
  6. The Company will provide a prompt notification to the Institutional Customer in the event of a security or privacy incident, and use industry best practices for responding to a breach of CDI.
  7. The Company shall report any unauthorized access to or disclosure of CDI to the Institutional Customer.

Appendix A – DETAILS OF PROCESSING

Categories of data subjects whose personal data is processed

Students, Teachers

Categories of personal data Processed

Name and email address, profile photo and third-party user account name, content users share or upload to Wokwi Classroom, and chats and interactions in Wokwi Classroom

The frequency of the Processing

Continuous basis while Wokwi Classroom is active, and until a user deletes its account

Nature of the processing

The Company processes personal data to provide Wokwi Classroom as specified under the Terms.

Purpose(s) of the data Processing and further processing

Personal Data is contained in the data which Institutional Customer users (students & teachers) share through Wokwi Classroom under the Terms. The Company has access to such data solely for purposes pursuant to the Terms and this Addendum.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

If not deleted by the user - 6 months of inactivity by the user

For transfers to (sub-) processors, also specify location, subject matter, nature and duration of the processing

Google BigQuery: Processes structured analytics data in EU or US.
Cloud SQL: Hosts relational databases in EU or US.
Firebase: Processes app, auth, and analytics data mainly in the US, with EU options.
Cloudflare: Routes and caches web traffic via global (EU/US) edge servers.