Wokwi - Data Processing Addendum

This Data Processing Addendum (“Addendum”) is entered into on by and between CodeMagic Ltd. (“CodeMagic”) and the school, school district, school system, tutoring center or educational institution (“Institutional Customer”) who is a party under Wokwi Terms of Service (the “Terms”) with CodeMagic, for the provision of the web simulator for embedded & IoT Systems that assists in learning and planning embedded device interactions and programming though a school environment (“Wokwi Classroom”).

WHEREAS, CodeMagic is involved in processing certain personal data or personal information on behalf of the Institutional Customer (“Institutional Customer Personal Data”) as part of Wokwi Classroom pursuant to the Terms, and the parties wish to regulate CodeMagic’s processing of such personal data, through this Addendum.

THEREFORE, the parties have agreed to this Addendum, consisting of these parts:

Part

Is applicable and in force?

Part One – General provisions

Always applies and in force for Wokwi Classroom.

Part Two – EU/EEA or UK GDPR DPA

Only if the Institutional Customer is subject to the UK or EU/EEA GDPR regarding the personal data that CodeMagic processes for it when providing the Wokwi Classroom.

Part Three – State Privacy Laws in the U.S.

Only if the Institutional Customer is subject to state privacy laws in the U.S. regarding the personal data that CodeMagic processes for it.

Part Four – Federal Privacy Laws in the U.S.

Only if the Institutional Customer is subject to federal privacy laws in the U.S. regarding the electronic student education record information that CodeMagic processes for it.

Part Five – Israeli Privacy Protection Regulations (Information Security)

Only if the Institutional Customer is subject to Israeli law regarding the personal data that CodeMagic processes for it when providing the Wokwi Classroom.

Part 1 (General Provisions)

  1. Scope. This Addendum and any of its Parts apply only where CodeMagic is processing Institutional Customer Personal Data on behalf of the Institutional Customer and under the Institutional Customer’s instruction. It does not apply to (i) CodeMagic’s processing data to operate its services (under its own Terms and Policies), such as when providing the web simulator service outside of a school environment or managing the user account outside of Wokwi Classroom (“Wokwi”), (ii) CodeMagic’s processing of non-personal data, or (iii) CodeMagic’s processing data to administer the business or contractual relationship between CodeMagic and the Institutional Customer.

  2. Order of Precedence. In the event of any conflicting provisions between this Addendum and the Terms or any other terms in place between the parties, the provisions of this Addendum prevail.

  3. Data security. Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of CodeMagic’s processing of Institutional Customer Personal Data, CodeMagic will implement and maintain reasonable security procedures and practices appropriate to the nature of the Institutional Customer Personal Data, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure (including data breaches).

  4. Data Subject Requests. CodeMagic will follow Institutional Customer’s instructions to accommodate data subjects’ requests to exercise their rights in relation to their information within the Institutional Customer Personal Data, including accessing their data, correcting it, restricting its processing or deleting it. CodeMagic will pass on to Institutional Customer requests that it receives (if any) from data subjects regarding their information processors by CodeMagic. CodeMagic shall notify Institutional Customer of the receipt of such request without undue delay, together with the relevant details.

  5. Return or deletion of information. Upon Institutional Customer’s written request where no subsequent further processing is required, CodeMagic shall, at the instruction of Institutional Customer, either delete, destroy or return to Institutional Customer, some or all (however instructed) of the of the personal information that it and its third party suppliers process for Institutional Customer. Upon Institutional Customer’s request, CodeMagic will furnish written confirmation that the Personal Data has been deleted or returned pursuant to this section.

  6. Disclosure. Unless legally prohibited, CodeMagic will provide Institutional Customer prompt notice of any request it receives from authorities to produce or disclose Institutional Customer Personal Data it has Processed on Institutional Customer’s behalf, so that Institutional Customer (or its customer) may contest or attempt to limit the scope of production or disclosure request.

  7. Data Breaches. CodeMagic shall without undue delay notify Institutional Customer of any actual or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Institutional Customer Personal Data, that it becomes aware of. CodeMagic will investigate the breach, and take all available measures to mitigate the breach and prevent its reoccurrence. CodeMagic will cooperate in good-faith with Institutional Customer on issuing any statements or notices regarding such breaches, to authorities and data subjects.

  8. Subcontracting to suppliers. Institutional Customer authorizes CodeMagic to subcontract any of its Wokwi Classroom-related activities consisting of the processing of the Institutional Customer Personal Data or requiring Institutional Customer Personal Data to be processed by any third party supplier without the prior written authorization of Institutional Customer provided that: (a) CodeMagic shall ensure that the third party is bound by similar obligations under this Part 1 and Data Protection Laws, including Article 28 of the GDPR; and (b) CodeMagic is liable to Institutional Customer for the performance of any such third party that fails to fulfil its obligations.

  9. Details of Processing. The nature and purposes of the Processing activities, categories of data subjects whose personal data may be processed, categories of personal data Processed, frequency of the Processing, the period for which the personal data will be retained and (sub-) processors list are all specified in Appendix A of this Addendum.

  10. Confidentiality. CodeMagic will ensure that its staff authorized to process the Institutional Customer Personal Data are contractually bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

  11. Disputes. Any dispute that the parties are unable to amicably resolve under this Addendum, shall be subject to the sole and exclusive jurisdiction and venue specified in the Terms.

  12. Liability. Each party’s total and aggregate liability to the other party under this Addendum for any direct or indirect damages asserted in connection with this Addendum, whether in tort (including negligence), contract, indemnity, strict liability, or otherwise, is capped as specified in the Terms.

Part 2 (GDPR DPA)

  1. Capitalized terms used in this Part 2 but not defined herein or in the Terms shall have the meaning ascribed to them in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) applicable as of 25 May 2018 and any national law supplementing the GDPR, and the UK Data Protection Act 2018 under the European Union (Withdrawal) Act 2018 as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419); these shall collectively be referred to in this Part 2 as “Data Protection Law”.

  2. Institutional Customer commissions, authorizes and requests that CodeMagic Process the Institutional Customer Personal Data under the instructions of Institutional Customer. CodeMagic will Process the Personal Data only on Institutional Customer’s behalf (it being understood that Institutional Customer may be acting as a processor for and on behalf of its Institutional Customer, the Controller). CodeMagic and Institutional Customer are each responsible for complying with the Data Protection Law as applicable to their roles.

  3. CodeMagic will Process the Personal Data only on instructions from Institutional Customer documented in this Addendum or otherwise provided in writing, which instructions must be consistent with the nature and characteristics of the Wokwi Classroom. The foregoing applies unless CodeMagic is otherwise required by law to which it is subject (and in such a case, CodeMagic shall inform Institutional Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). CodeMagic shall immediately inform Institutional Customer if, in CodeMagic's opinion, an instruction is in violation of Data Protection Law.

  4. CodeMagic will make available to Institutional Customer and the Data Controller all information in its disposal necessary to demonstrate compliance with the obligations under Data Protection Law.

  5. CodeMagic will make available to Institutional Customer all information in its disposal necessary to demonstrate compliance with the obligations under Data Protection Law, shall maintain all records required by Article 30(2) of the GDPR, and shall make them available to the Institutional Customer upon request.

  6. CodeMagic will follow Institutional Customer’s instructions to accommodate Data Subjects’ requests to exercise their rights in relation to their Personal Data, including accessing their data, correcting it, restricting its processing or deleting it, within the boundaries of the Wokwi Classroom’s capabilities and features. CodeMagic will pass on to Institutional Customer requests that it receives from Data Subjects regarding their Personal Data Processed by CodeMagic. Any request from Data Subjects arising out of the processing of Personal Data by CodeMagic, including but not limited to rectification, erasure, and blocking of Personal Data, portability requests and objection, has to be asserted to Institutional Customer. Institutional Customer is solely liable for responding to Data Subjects on such requests.

  7. Institutional Customer authorizes CodeMagic to engage another sub-processor for carrying out specific processing activities, provided that CodeMagic informs Institutional Customer at least 10 business days in advance of any new or substitute sub-processor, in which case Institutional Customer shall have the right to object, on reasoned grounds, to that new or replaced sub-processor. If Institutional Customer so objects, CodeMagic may not engage that new or substitute sub-processor for the purpose of Processing Personal Data, and CodeMagic may either select another sub-processor in which case the above procedure shall repeat, or if it so chooses, terminate the Terms with no liability to Institutional Customer for such premature termination.

  8. Without limiting the foregoing, in any event where CodeMagic engages another sub-processor, CodeMagic will ensure that the same data protection obligations as set out in this Addendum are likewise imposed on that other sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where the other sub-processor fails to fulfil its data protection obligations, CodeMagic shall remain fully liable to Institutional Customer for the performance of that other sub-processor’s obligations.

  9. CodeMagic and its other sub-processors will only Process the Personal Data in member states of the European Economic Area, in territories or territorial sectors or organizations recognized by an adequacy decision of the European Commission (or as applicable, the UK GDPR regulations), as providing an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR or using adequate safeguards as required under Data Protection Law governing cross-border data transfers (e.g., Standard Contract Clauses).

  10. Subject to prior coordination between the Institutional Customer and CodeMagic as to the timing and agenda of the audit, following Institutional Customer’s written request, CodeMagic shall allow for and contribute to audits, including carrying out inspections conducted by Institutional Customer, the Controller, or another auditor mandated by Institutional Customer or the Controller in order to establish CodeMagic's compliance with this Addendum and the provisions of the applicable Data Protection Law as regards the Personal Data that CodeMagic processes on behalf of Institutional Customer. Such audits or inspections shall be carried out during CodeMagic’s ordinary business hours, not more than one business day per year (unless Data Protection Law or a supervisory authority mandate more frequent audits or inspections), shall be conducted with minimal disruption to CodeMagic’s business activities, and be subject to confidentiality undertakings satisfactory to CodeMagic.

  11. CodeMagic will assist, within a reasonable scope of assistance, Institutional Customer and the Controller with the preparation of data privacy impact assessments and prior consultation as appropriate (and if needed).

Part 3 (State Privacy Laws in the U.S.)

  1. Definitions
  1. CodeMagic may only Process the Covered Information to perform the Terms. The parties agree that the Institutional Customer is only disclosing the Covered Information to CodeMagic so that CodeMagic can provide Wokwi Classroom to the Institutional Customer. CodeMagic is prohibited from retaining, using, or disclosing the Covered Information for any commercial purpose other than the foregoing business purposes. Additionally, CodeMagic is prohibited from retaining, using, or disclosing the Covered Information pursuant to this Terms outside the direct business relationship between CodeMagic and Institutional Customer.
  2. CodeMagic must not Sell or Share any Covered Information it Processes.
  3. CodeMagic shall comply with all applicable sections of the Applicable State Privacy Laws and shall provide, with respect to Covered Information, the same level of privacy protection as required by Applicable State Privacy Laws.
  4. Commensurate with the nature of CodeMagic’s Wokwi Classroom to Institutional Customer and in accordance with Institutional Customer’s specified instructions to CodeMagic, CodeMagic shall help Institutional Customer to comply with Consumer requests made pursuant to Applicable State Privacy Laws of which CodeMagic is informed of by Institutional Customer.
  5. CodeMagic grants Institutional Customer the right to take reasonable and appropriate steps to ensure that CodeMagic uses the Covered Information in a manner consistent with Institutional Customer’s obligations under this Addendum and Applicable State Privacy Laws. CodeMagic grants Institutional Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate CodeMagic’s unauthorized use of Covered Information.
  6. CodeMagic must promptly notify Institutional Customer when it makes a determination that it can no longer meet its obligations under this Addendum or Applicable State Privacy Laws.

Part 4 (Federal Privacy Laws in the U.S.)

  1. Definitions.
  1. CodeMagic agrees to comply with the re-disclosure limitations of personally identifiable information from education records as set forth in the Family Educational Rights and Privacy Act (FERPA), 34 CFR § 99.33(a)(2), and with the terms stated in this Addendum. Pursuant to 34 CFR § 99.33(a)(2), any officers, employees, or agents of CodeMagic who receive education record information from the Institution may use such information solely for the purpose for which the disclosure was made.
  2. CodeMagic acknowledges that, while providing Wokwi Classroom, it will have access to CDI. Any CDI held by CodeMagic will be made available to the Institutional Customer upon request by the Institutional Customer. The Institutional Customer herby authorizes CodeMagic to access, process and use CDI as a “school official”, in accordance with FERPA, 34 C.F.R. 99.31(a)(1)(B).
  3. CodeMagic agrees to treat all CDI as strictly confidential and shall not use or disclose CDI received from or on behalf of the Institutional Customer or its students, except as expressly permitted under the agreement between CodeMagic and the Institutional Customer, as required by applicable law, for improving its services or as otherwise authorized in writing by the Institutional Customer. CDI shall be used solely for the purpose for which it was disclosed and permitted under the agreement. CodeMagic may use de-identified data for services development, research, or other purposes. de-identified Data will have all direct and indirect personal identifiers removed. Furthermore, CodeMagic agrees not to attempt to re-identify de-identified data and not to transfer de-identified data to any party unless that party agrees not to attempt re-identification
  4. Upon termination, expiration, or other conclusion of the Terms, CodeMagic shall return all CDI to the Institutional Customer or, if return is not feasible, shall securely destroy all such data. In cases of destruction, CodeMagic shall provide the Institutional Customer with a written certification confirming the date and method of destruction.
  5. CodeMagic shall implement and maintain appropriate administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of all CDI that is electronically maintained or transmitted. These security obligations shall also apply to any subcontractors engaged by CodeMagic. CodeMagic will store and process CDI in accordance with industry practices. This includes appropriate administrative, physical, and technical safeguards to secure CDI from unauthorized access, disclosure, and use. CodeMagic will conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner.
  6. CodeMagic will provide a prompt notification to the Institutional Customer in the event of a security or privacy incident, and use the industry best practices for responding to a breach of CDI.
  7. CodeMagic shall report any unauthorized access to or disclosure of CDI to the Institutional Customer.

Part 5 (Israeli law)

  1. Definitions. In this Part, the following terms shall be interpreted as follows:
  1. Processor’s obligations regarding the Processing of Personal Data
  1. Disclosure and transfer of Personal Data

    1. Processor shall not disclose Personal Data in the scope of Processing Personal Data on behalf of Institutional Customer to any entity, unless Institutional Customer has provided its prior written consent, except as follows:
      • As strictly necessary for the provision of Wokwi Classroom;
      • Where such disclosure is required by Applicable Law or during a legal proceedings, in which case Processor shall notify Institutional Customer in writing immediately upon receipt of the request and before fulfilling the disclosure request, and will cooperate and disclose the minimum Personal Data necessary to comply with Applicable Law or legal proceedings;
      • To the extent that Institutional Customer will approve Processor to use subcontractors or service provider of the Processor, or use a subcontractor or service provider to Process Personal Data (each, a "Sub-contractor"), Processor shall enter into a written, valid, and enforceable Terms with the Sub-Contractor containing adequately protective terms on data security consistent with this Part 5. Processor shall provide Institutional Customer any information reasonable requested by Institutional Customer about the Processor’s use of Sub-contractors, about the Sub-contractors’ Processing activities for the Processor and their data security practices. Processor shall take reasonable measures to monitor Sub-contractor’s compliance with data security obligations.
      • Processor shall use conventional encryption mechanisms for any transfer of Personal Data to a third party and for any remote connection to the Database Systems.
  2. Storing, Deletion and Return of Personal Data

    • Processor undertakes to implement appropriate security measures designed to ensure the integrity of the Personal Data, its availability, confidentiality, and reliability.
    • Processor shall maintain logical separation between the Database Systems and the computer systems used by Processor that are not directly related to the Processing or Personal Data for Institutional Customer. In the event the Database Systems is connected to the Internet or to another public network, Processor shall install appropriate means of protection against information security incidents, such as firewalls and anti-virus tools.
    • Processor shall retain the Personal Data only as strictly necessary to provide Wokwi Classroom to Institutional Customer, or as mandatory under Applicable Laws.
    • Processor shall regularly update the Database Systems, including the software installed in the Database Systems, with information security updates. When operating the Database Systems, Processor will not use software and/or hardware components that the manufacturer does not support in terms of their security aspects.
    • Processor will implement measures to prevent the connection of removable devices to the Database Systems or devices Processing Personal Data (to the extent those Database Systems or devices are located in the Processor’s premises or assigned to its employees, consultants, and anyone on its behalf). Notwithstanding the foregoing, portable devices such as laptops and smartphones Processing Personal Data may be used so long as they are encrypted with appropriate, industry-customary encryption.
    • In accordance with the Terms and without prejudice to its generality, Processor shall return, delete or destroy all Personal Data to which this Part 5 applies, including but not limited to, all original and copies of that Personal Data, in any medium, including but not limited to, hard drives, backup media, and any other magnetic or optical media and all materials derived from, or including the, Personal Data within forty-five (45) days upon Institutional Customer written request for return, deletion or distortion for any reason.
  3. Cross-Border Data Transfers

    • Processor shall comply with the law applicable to the transfer of Personal Data to foreign jurisdictions, including but not limited, to the Protection of Privacy Regulations (Transfer of Information to Databases Outside of Israel), 5761-2001.
    • In addition, Processor shall not transfer Personal Data to a foreign jurisdiction without prior advanced notice to Institutional Customer, and Institutional Customer shall be entitled to object to such transfer, on reasonable grounds, within 30 days from receipt of notice.
    • If no objection is provided by Institutional Customer, Processor shall keep Institutional Customer updated on material compliance developments in its transfers of Personal Data to foreign jurisdictions, considering the aforementioned regulations.
  4. Breach of information security

    • Processor will notify Institutional Customer without undue delay and no later than twenty-four (24) hours after becoming aware of a Personal Data Breach, and provide Institutional Customer with sufficient information to allow Institutional Customer to meet any obligations to report or inform affected individuals or a supervisory authority of the Personal Data Breach.
      Such notice shall include, at the time of initial notification or without undue delay after the initial notification, details of the nature of the Personal Data Breach, number of records affected, the category and approximate number of affected individuals, anticipated consequences of the Personal Data Breach and any actual or proposed remedies for mitigating the possible adverse effects of the Personal Data Breach.
    • In any case of a Personal Data Breach affecting Personal Data, Processor also:
      • Will cooperate with Institutional Customer and/or anyone on its behalf to investigate the Personal Data Breach as aforesaid and will not release any public statement relating to that Personal Data Breach, except as required by law;
      • Will take all necessary and appropriate corrective measures to repair the Personal Data Breach.
    • In the event of a Personal Data Breach, the parties will discuss the matter and reach an Terms regarding the measures required to repair the Personal Data Breach and the schedule for their implementation.
  5. Audit & Documentation

    • Processor shall provide Institutional Customer, at least in every 12 month or upon its request, a written approval according to which it performs and fulfills its obligations pursuant to this Part 5 and the provisions of the Applicable Law.
    • Processor shall fully cooperate with Institutional Customer in providing all information and assistance reasonably requested by Institutional Customer in connection with data security issues and practices and supplementary documents, so as to allow Institutional Customer to properly address information security, privacy and regulatory matters relating to the Database.
    • Processor undertakes to allow the representatives of Institutional Customer and/or any person or entity acting on Institutional Customer’s behalf to carry out, through advance notice, surveys and audits regarding the performance of Processor’s obligations under this Part 5. It is hereby clarified that as a pre-condition for the performance of such surveys and audits, surveyor and auditor on behalf of Institutional Customer shall be required to sign an undertaking in order to maintain confidentiality of Processor’s data to which such surveyor or auditors will be exposed to in the course of the survey or audit.
  6. Term & Termination All the clauses in this Part 5 that are bound by and required under, the Applicable Law will continue to apply even after the expiration or termination of the Terms between the parties, provided that Processor continues to retain Institutional Customer Personal Data.

  7. Interpretation To the extent that there is no contradiction to the foregoing, the relevant clauses of the Terms shall apply to this Part 5. In the event of a conflict between the provisions of this Part 5 and the provisions of the Terms, the terms of this Part 5 shall prevail.

Appendix A – DETAILS OF PROCESSING

Categories of data subjects whose personal data is processed

Students Teachers

Categories of personal data Processed

Name and email address, profile Photo and third-party user account name, content users share or upload to Wokwi Classroom and chats and interactions in Wokwi Classroom

The frequency of the Processing

Continuous basis while Wokwi Classroom is active, and until a user deleted its account

Nature of the processing

CodeMagic processes personal data to provide Wokwi Classroom as specified under the Terms.

Purpose(s) of the data Processing and further processing

Personal Data is contained in the data which Institutional Customer users (student & teachers) share through Wokwi Classroom under the Terms. CodeMagic has access to such data solely for purposes pursuant to the Terms and this Addendum.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

If not deleted by the user - 6 months of inactivity by the user

For transfers to (sub-) processors, also specify location, subject matter, nature and duration of the processing

Google BigQuery: Processes structured analytics data in EU or US.
Cloud SQL: Hosts relational databases in EU or US.
Firebase: Processes app, auth, and analytics data mainly in the US, with EU options.
Cloudflare: Routes and caches web traffic via global (EU/US) edge servers