This Data Processing Addendum (“Addendum”) is entered into on by and between CodeMagic Ltd. (“CodeMagic”) and the school, school district, school system, tutoring center or educational institution (“Institutional Customer”) who is a party under Wokwi Terms of Service (the “Terms”) with CodeMagic, for the provision of the web simulator for embedded & IoT Systems that assists in learning and planning embedded device interactions and programming through a school environment (“Wokwi Classroom”).
WHEREAS, CodeMagic is involved in processing certain personal data or personal information on behalf of the Institutional Customer (“Institutional Customer Personal Data”) as part of Wokwi Classroom pursuant to the Terms, and the parties wish to regulate CodeMagic’s processing of such personal data, through this Addendum.
THEREFORE, the parties have agreed to this Addendum, consisting of these parts:
Part | Is applicable and in force? |
---|---|
Part One – General provisions | Always applies and in force for Wokwi Classroom. |
Part Two – EU/EEA or UK GDPR DPA | Only if the Institutional Customer is subject to the UK or EU/EEA GDPR regarding the personal data that CodeMagic processes for it when providing the Wokwi Classroom. |
Part Three – State Privacy Laws in the U.S. | Only if the Institutional Customer is subject to state privacy laws in the U.S. regarding the personal data that CodeMagic processes for it. |
Part Four – Federal Privacy Laws in the U.S. | Only if the Institutional Customer is subject to federal privacy laws in the U.S. regarding the electronic student education record information that CodeMagic processes for it. |
Part Five – Israeli Privacy Protection Regulations (Information Security) | Only if the Institutional Customer is subject to Israeli law regarding the personal data that CodeMagic processes for it when providing the Wokwi Classroom. |
Scope. This Addendum and any of its Parts apply only where CodeMagic is processing Institutional Customer Personal Data on behalf of the Institutional Customer and under the Institutional Customer’s instruction. It does not apply to (i) CodeMagic’s processing data to operate its services (under its own Terms and Policies), such as when providing the web simulator service outside of a school environment or managing the user account outside of Wokwi Classroom (“Wokwi”), (ii) CodeMagic’s processing of non-personal data, or (iii) CodeMagic’s processing data to administer the business or contractual relationship between CodeMagic and the Institutional Customer.
Order of Precedence. In the event of any conflicting provisions between this Addendum and the Terms or any other terms in place between the parties, the provisions of this Addendum prevail.
Data security. Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of CodeMagic’s processing of Institutional Customer Personal Data, CodeMagic will implement and maintain reasonable security procedures and practices appropriate to the nature of the Institutional Customer Personal Data, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure (including data breaches).
Data Subject Requests. CodeMagic will follow Institutional Customer’s instructions to accommodate data subjects’ requests to exercise their rights in relation to their information within the Institutional Customer Personal Data, including accessing their data, correcting it, restricting its processing or deleting it. CodeMagic will pass on to Institutional Customer requests that it receives (if any) from data subjects regarding their information processed by CodeMagic. CodeMagic shall notify Institutional Customer of the receipt of such request without undue delay, together with the relevant details.
Return or deletion of information. Upon Institutional Customer’s written request where no subsequent further processing is required, CodeMagic shall, at the instruction of Institutional Customer, either delete, destroy or return to Institutional Customer, some or all (however instructed) of the personal information that it and its third party suppliers process for Institutional Customer. Upon Institutional Customer’s request, CodeMagic will furnish written confirmation that the Personal Data has been deleted or returned pursuant to this section.
Disclosure. Unless legally prohibited, CodeMagic will provide Institutional Customer prompt notice of any request it receives from authorities to produce or disclose Institutional Customer Personal Data it has Processed on Institutional Customer’s behalf, so that Institutional Customer (or its customer) may contest or attempt to limit the scope of production or disclosure request.
Data Breaches. CodeMagic shall without undue delay notify Institutional Customer of any actual or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Institutional Customer Personal Data, that it becomes aware of. CodeMagic will investigate the breach, and take all available measures to mitigate the breach and prevent its reoccurrence. CodeMagic will cooperate in good-faith with Institutional Customer on issuing any statements or notices regarding such breaches, to authorities and data subjects.
Subcontracting to suppliers. Institutional Customer authorizes CodeMagic to subcontract any of its Wokwi Classroom-related activities consisting of the processing of the Institutional Customer Personal Data or requiring Institutional Customer Personal Data to be processed by any third party supplier without the prior written authorization of Institutional Customer provided that: (a) CodeMagic shall ensure that the third party is bound by similar obligations under this Part 1 and Data Protection Laws, including Article 28 of the GDPR; and (b) CodeMagic is liable to Institutional Customer for the performance of any such third party that fails to fulfil its obligations.
Details of Processing. The nature and purposes of the Processing activities, categories of data subjects whose personal data may be processed, categories of personal data Processed, frequency of the Processing, the period for which the personal data will be retained and (sub-) processors list are all specified in Appendix A of this Addendum.
Confidentiality. CodeMagic will ensure that its staff authorized to process the Institutional Customer Personal Data are contractually bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
Disputes. Any dispute that the parties are unable to amicably resolve under this Addendum, shall be subject to the sole and exclusive jurisdiction and venue specified in the Terms.
Liability. Each party’s total and aggregate liability to the other party under this Addendum for any direct or indirect damages asserted in connection with this Addendum, whether in tort (including negligence), contract, indemnity, strict liability, or otherwise, is capped as specified in the Terms.
Capitalized terms used in this Part 2 but not defined herein or in the Terms shall have the meaning ascribed to them in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) applicable as of 25 May 2018 and any national law supplementing the GDPR, and the UK Data Protection Act 2018 under the European Union (Withdrawal) Act 2018 as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419); these shall collectively be referred to in this Part 2 as “Data Protection Law”.
Institutional Customer commissions, authorizes and requests that CodeMagic Process the Institutional Customer Personal Data under the instructions of Institutional Customer. CodeMagic will Process the Personal Data only on Institutional Customer’s behalf (it being understood that Institutional Customer may be acting as a processor for and on behalf of its Institutional Customer, the Controller). CodeMagic and Institutional Customer are each responsible for complying with the Data Protection Law as applicable to their roles.
CodeMagic will Process the Personal Data only on instructions from Institutional Customer documented in this Addendum or otherwise provided in writing, which instructions must be consistent with the nature and characteristics of the Wokwi Classroom. The foregoing applies unless CodeMagic is otherwise required by law to which it is subject (and in such a case, CodeMagic shall inform Institutional Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). CodeMagic shall immediately inform Institutional Customer if, in CodeMagic's opinion, an instruction is in violation of Data Protection Law.
CodeMagic will make available to Institutional Customer and the Data Controller all information at its disposal necessary to demonstrate compliance with the obligations under Data Protection Law.
CodeMagic will make available to Institutional Customer all information at its disposal necessary to demonstrate compliance with the obligations under Data Protection Law, shall maintain all records required by Article 30(2) of the GDPR, and shall make them available to the Institutional Customer upon request.
CodeMagic will follow Institutional Customer’s instructions to accommodate Data Subjects’ requests to exercise their rights in relation to their Personal Data, including accessing their data, correcting it, restricting its processing or deleting it, within the boundaries of the Wokwi Classroom’s capabilities and features. CodeMagic will pass on to Institutional Customer requests that it receives from Data Subjects regarding their Personal Data Processed by CodeMagic. Any request from Data Subjects arising out of the processing of Personal Data by CodeMagic, including but not limited to rectification, erasure, and blocking of Personal Data, portability requests and objection, has to be asserted to Institutional Customer. Institutional Customer is solely liable for responding to Data Subjects on such requests.
Institutional Customer authorizes CodeMagic to engage another sub-processor for carrying out specific processing activities, provided that CodeMagic informs Institutional Customer at least 10 business days in advance of any new or substitute sub-processor, in which case Institutional Customer shall have the right to object, on reasoned grounds, to that new or replaced sub-processor. If Institutional Customer so objects, CodeMagic may not engage that new or substitute sub-processor for the purpose of Processing Personal Data, and CodeMagic may either select another sub-processor in which case the above procedure shall repeat, or if it so chooses, terminate the Terms with no liability to Institutional Customer for such premature termination.
Without limiting the foregoing, in any event where CodeMagic engages another sub-processor, CodeMagic will ensure that the same data protection obligations as set out in this Addendum are likewise imposed on that other sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where the other sub-processor fails to fulfil its data protection obligations, CodeMagic shall remain fully liable to Institutional Customer for the performance of that other sub-processor’s obligations.
CodeMagic and its other sub-processors will only Process the Personal Data in member states of the European Economic Area, in territories or territorial sectors or organizations recognized by an adequacy decision of the European Commission (or as applicable, the UK GDPR regulations), as providing an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR or using adequate safeguards as required under Data Protection Law governing cross-border data transfers (e.g., Standard Contractual Clauses).
Subject to prior coordination between the Institutional Customer and CodeMagic as to the timing and agenda of the audit, following Institutional Customer’s written request, CodeMagic shall allow for and contribute to audits, including carrying out inspections conducted by Institutional Customer, the Controller, or another auditor mandated by Institutional Customer or the Controller in order to establish CodeMagic's compliance with this Addendum and the provisions of the applicable Data Protection Law as regards the Personal Data that CodeMagic processes on behalf of Institutional Customer. Such audits or inspections shall be carried out during CodeMagic’s ordinary business hours, not more than one business day per year (unless Data Protection Law or a supervisory authority mandate more frequent audits or inspections), shall be conducted with minimal disruption to CodeMagic’s business activities, and be subject to confidentiality undertakings satisfactory to CodeMagic.
CodeMagic will assist, within a reasonable scope of assistance, Institutional Customer and the Controller with the preparation of data privacy impact assessments and prior consultation as appropriate (and if needed).
Disclosure and transfer of Personal Data
Storing, Deletion and Return of Personal Data
Cross-Border Data Transfers
Breach of information security
Audit & Documentation
Term & Termination. All the clauses in this Part 5 that are bound by and required under the Applicable Law will continue to apply even after the expiration or termination of the Terms between the parties, provided that Processor continues to retain Institutional Customer Personal Data.
Interpretation. To the extent that there is no contradiction to the foregoing, the relevant clauses of the Terms shall apply to this Part 5. In the event of a conflict between the provisions of this Part 5 and the provisions of the Terms, the terms of this Part 5 shall prevail.
Categories of data subjects whose personal data is processed | Students, Teachers |
---|---|
Categories of personal data Processed | Name and email address, profile photo and third-party user account name, content users share or upload to Wokwi Classroom and chats and interactions in Wokwi Classroom |
The frequency of the Processing | Continuous basis while Wokwi Classroom is active, and until a user deletes its account |
Nature of the processing | CodeMagic processes personal data to provide Wokwi Classroom as specified under the Terms. |
Purpose(s) of the data Processing and further processing | Personal Data is contained in the data which Institutional Customer users (students & teachers) share through Wokwi Classroom under the Terms. CodeMagic has access to such data solely for purposes pursuant to the Terms and this Addendum. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | If not deleted by the user - 6 months of inactivity by the user |
For transfers to (sub-) processors, also specify location, subject matter, nature and duration of the processing | Google BigQuery: Processes structured analytics data in EU or US. |