Data Processing Agreement

This Personal Data Processing Agreement (“Processing Agreement” or “DPA”), entered into by and between Customer and Service Provider, sets forth the terms and conditions relating to the privacy, confidentiality and security of Personal Data (as defined below) associated with services to be rendered by Service Provider (“we”, “our” or “us”) to Customer pursuant to the accepted Order Form or Service Provider Agreement (the “Agreement”).

If you have questions regarding this Processing Agreement you can send them by email to

For the avoidance of doubt, any capitalized terms not defined in this Processing Agreement shall have the meanings set forth for such terms elsewhere in the Agreement.

In consideration of the mutual covenants and agreements in this Processing Agreement, in the Agreement and for other good and valuable consideration, the sufficiency of which is hereby acknowledged, Customer and Service Provider agree as follows:


1.1. “Applicable Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, as well as the CCPA (as defined below) and any other state or national laws or regulation applicable to the Processing of Personal Data under the Agreement.

1.2. “CCPA” or “California Consumer Privacy Act of 2018” means Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on June 28, 2018.

1.3. “Customer Security Incident” has the meaning attributed to this term in article 5.4 (Security Incident and Personal Data Breach Management and notifications) below.

1.4. “Data Controller” or “Controller” means the Customer, provided that it determines the purposes and means of the processing of Personal Data in relation and in connection to the Agreement.

1.5. “Data Processor” or “Processor” means the Service Provider, which processes Personal Data on behalf of the Data Controller and in compliance with the terms and conditions provided hereto.

1.6. “Data Subject” means the physical person to whom the Personal Data refers.

1.7. “Data Transfer” means any transfer of personal data from the USA to any third country or international organization.

1.8. “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), and its relevant national implementation.

1.9. “Personal Data” means any information relating to an identified or identifiable natural person, such as name, last name, email address, postal address, telephone number, date of birth, Social Security number (or its equivalent), driver’s license number, account number, credit or debit card number, location data, identification number, any other unique identifier or one or more factors specific to an individual’s physical, economic, cultural or social identity, or that is defined as “Personal Information,” “Personally Identifiable Information,” “Personal Data,” or any similar designation by Applicable Data Protection Laws, in any form and any media, that Service Provider receives, accesses, collects, processes, generates, compiles or creates in connection with this Processing Agreement and the Agreement.

1.10. “Process” or “Processing” means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as creation, collection, procuration, obtaining, accession, recording, organisation, storage, adaptation or alteration, retrieval, consultation, dissemination or otherwise making available, use, disclosure by transmission, restriction, erasure or destruction.

1.11. “Service Provider” and “Service Provider Group” means Labchanges Unlimited SL. dba WeAreExams and its affiliates and subsidiaries.

1.12. “Subcontractors” has the meaning attributed to it in article 3.1 (Appointment of Subcontractors) below.

1.13. “Technical and Organisational Security Measures” means those measures aimed at protecting personal data against unlawful destruction or accidental destruction or loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of Processing.

1.14. “USA” means the United States of America.



2.1. Compliance with Laws. Both parties will comply with all requirements of the Applicable Data Protection Laws.

2.2. Role of the Parties. This DPA applies when Customer Personal Data is Processed by the Service Provider. The Customer acts as Controller with respect to Customer Personal Data and the Service Provider acts as Processor.

2.3. Scope of the DPA and Processing Instructions. The present Processing Agreement sets forth the terms and conditions pursuant to which the Service Provider as Processor will Process Personal Data provided by the Customer as Controller for the purpose of providing the Services included in the Agreement, as well as when performing its obligations under this DPA and the Agreement. The Service Provider shall not Process Customer’s Personal Data for any other purposes. It is in any case understood that Service Provider will Process Personal Data only on the written instructions of Customer, and Service Provider agrees to act in accordance with the instructions of Customer. Service Provider shall inform Customer in writing as soon as is commercially and reasonably practicable if it cannot comply with Customer’s instructions. If Service Provider cannot comply with Customer’s instructions, Customer can suspend the transfer or disclosure to or access by Service Provider of Personal Data and terminate any further Processing of Personal Data by Service Provider, if doing so is necessary to comply with Applicable Data Protection Laws.

2.4. Duration. The present Processing Agreement shall be valid and effective from the date of entry into force of the Agreement until the termination of the Agreement, unless agreed in writing otherwise.

2.5. Description of the Personal Data Processing by Service Provider. A list regarding the scope and duration of Processing, categories of Data Subjects, and types of Personal Data Processed is set out in Exhibit 1 of the Processing Agreement attached hereto.

2.6. Inquiries on Processing. Service Provider shall deal promptly and appropriately with any inquiries from Customer relating to the Processing of Personal Data subject to this Processing Agreement or the

2.7. Service Provider Personnel.

2.7.1. Confidentiality Obligations. Service Provider warrants that, except and solely as permitted in the applicable section in the Agreement, Service Provider and its employees, agents, consultants and contractors shall hold in strict confidence (i) the existence and terms of this DPA, the Agreement and any related agreement; (ii) any and all Personal Data (whether in individual or aggregate form and regardless of the media in which it is contained) that may be disclosed at any time to Service Provider or its employees, agents, consultants or contractors by Customer, Customer’s Affiliates or their respective employees, agents, consultants or contractors in anticipation of, in connection with or incidental to the performance of services for or on behalf of Customer or Customer’s Affiliates; (iii) any and all Personal Data (whether in individual or aggregate form and regardless of the media in which it is contained) that may be Processed at any time by Service Provider or its employees, agents, consultants or contractors in connection with or incidental to the performance of services for or on behalf of Customer or Customer’s Affiliates; and (iv) any information derived from the information described in (ii) and (iii) above ((ii), (iii) and (iv) designate collectively: Personal Data; provided, however, that the Parties agree that any materials or information used in or resulting from any activities that Service Provider is allowed to engage in pursuant to the applicable Section in the Service Provider Agreement shall be deemed to not constitute “Personal Data” even if such information or materials used in such activities might constitute or include “Personal Data” in other contexts).

2.7.2. Limitation of Access. Service Provider shall ensure that Service Provider’s access to the Personal Data is limited to those personnel who require such access to perform the Agreement and are obliged to keep the Personal Data confidential, pursuant to the principle of the “need to know”.

2.7.3. Supervision and Awareness. Service Provider shall exercise the necessary and appropriate supervision over its relevant employees, contractors, consultants, agents, vendors and partners to maintain appropriate privacy, confidentiality and security of Personal Data. Service Provider shall provide training, as appropriate, regarding the privacy, confidentiality and information security requirements set forth in this Processing Agreement to employees, contractors, consultants, agents, vendors and partners with access to Personal Data.

2.7.4. Data Protection Officer. Members of the Service Provider Group will appoint a Data Protection Officer where such appointment is required by Applicable Data Protection Laws and Regulations. The appointed person may be reached at

2.8. Return and Deletion of Customer Data. Promptly upon the expiration or earlier termination of the Agreement, or such earlier time as Customer requests, Service Provider shall, at the choice of Customer, securely return to Customer or its designee, or securely destroy or render unreadable or undecipherable if return is not reasonably feasible or desirable to Customer (which decision shall be based solely on Customer’s written statement), each and every original and copy in every media of all Personal Data in Service Provider’s possession, custody or control. Service Provider shall comply with all directions provided by Customer with respect to the return or disposal of all Personal Data unless otherwise required by Applicable Data Protection Laws.

2.9. Transfer of Personal Data. By entering into this Data Processing Agreement and the Agreement, Customer hereby authorizes Service Provider to share, transfer, disclose or otherwise provide access to Personal Data to the Subcontractors (as defined below in article 3.1 (Appointment of Subcontractors)) identified in Exhibit 3. In general terms, the Data Transfers envisaged in Exhibit 3 are made in favor of Subcontractors belonging to the Service Provider Group, and therefore necessary to provide the Services included in the Agreement; or because the relevant Subcontractor provides specific additional services to the Service Provider (e.g. cloud

In any case, Service Provider takes reasonable and appropriate steps to ensure that the relevant Subcontractor effectively processes the Personal Data transferred in a manner consistent with the Applicable Data Protection Law, and requires the relevant Subcontractor to notify Service Provider if it can no longer meet its obligation to provide the same level of protection as is required by the Applicable Data Protection

For the sake of clarity, it is in any case understood that Service Provider, before performing any Data Transfer, will comply with the Applicable Data Protection Laws, identifying the most appropriate legal



3.1. Appointment of Subcontractors. Customer consents to Service Provider subcontracting its obligations under this Processing Agreement and the Agreement to affiliated companies or third-party processors to perform and fulfil the Service Provider's commitments and obligations under this Processing Agreement and the Agreement (“Subcontractors”). Service Provider confirms that it has entered or (as the case may be) will enter into a written agreement with (each of) the third-party processor(s) incorporating terms which are substantially similar to those set out in this Processing Agreement as between Customer and Service Provider, and that such third-party processor has given sufficient guarantees that it will implement measures to ensure that the Processing of Personal Data it carries out will meet the requirements of the Applicable Data Protection Law and protect the rights of data subjects.

3.2. Subcontractors List. As of today, an updated list of authorized Subcontractors is provided in Exhibit 3. It is in any case understood that, when applicable, Service Provider shall maintain an up-to-date list of Subcontractors, specifying (i) their name and details, as well as (ii) the nature of the tasks entrusted to them, and (iii) the location of the Processing.

3.3. New Subcontractors. Service Provider shall give Customer prior written notice of the appointment of any new Subcontractor, including full details of the Processing to be undertaken by the Subcontractor.

3.4. Objection Rights. To avoid doubt, it shall be reasonable for Customer to withhold or deny such consent if Customer has reasonable doubts that a Subcontractor is able to perform and fulfil the Service Provider's commitments and obligations under this DPA. The objection must be based on reasonable grounds (e.g. if Customer proves that significant risks for the protection of its Personal Data exist at the subcontractor).

3.5. Agreements with Subcontractors. Customer hereby authorizes Service Provider to agree, in the name and on behalf of Customer, with a Subcontractor which Processes or uses Personal Data of Customer outside the USA, to enter into any relevant agreement or into any other legal document (e.g. a data processing agreement pursuant to GDPR, or CCPA, or any USA local, state or federal law, a data transfer agreement pursuant to article GDPR, etc.) necessary to comply with the Applicable Data Protection Law.

3.6. Liability. Service Provider shall remain fully liable for all acts or omissions of any Subcontractors appointed by it pursuant to this section.


4.1. Data Subject Request. To the extent permitted by law, Service Provider will inform Customer in writing, as soon as is commercially and reasonably practicable, of any requests with respect to Personal Data received from Customer’s customers, consumers, employees or others (“Data Subject”) to exercise the following Data Subject rights: access, rectification, restriction of Processing, erasure (“Right to be Forgotten”), data portability, objection to the Processing, or to not be subject to automated individual decision-making. Service Provider shall assist Customer, at Customer’s cost (Customer will be informed of costs before they are incurred, and such costs shall be approved by the Customer in advance), in responding to any request from a data subject and in ensuring compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultation with supervisory authorities or regulators. Service Provider shall cooperate with Customer if any individual seeks to exercise his/her rights (right to rectification, right to object, right to erasure, right to restrict Processing, right to data portability).


5.1. Data Property. All Personal Data shall at all times be and remain the sole property of Customer, and Service Provider shall not have or obtain any rights therein.

5.2. Technical and Organizational Measures. Service Provider shall take appropriate Technical and Organizational Security Measures against unauthorized or unlawful Processing of Personal Data and against accidental loss or destruction of, or damage to, the Personal Data provided by Customer, appropriate to the harm that might result from the unauthorized or unlawful Processing or accidental loss, destruction or damage and to the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures, where appropriate, for example pseudonymisation and encryption of Personal Data. In this respect, Customer agrees and acknowledges as appropriate the Technical and Organizational Measures provided in Exhibit 2 attached hereto.

5.3. Controls for the Protection of Customer Data. Service Provider shall develop, maintain and implement a comprehensive written information security program that includes appropriate administrative, technical, physical, organizational and operational safeguards and other security measures designed to (i) ensure the security and confidentiality of Personal Data, (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Data, and (iii) protect against any Information Security Incident. Service Provider regularly monitors compliance with these measures.

5.4. Security Incident and Personal Data Breach Management and notifications. Service Provider will notify Customer in writing without undue delay after becoming aware of any violation of any provision of this Processing Agreement or any actual or suspected theft or unauthorized Processing, loss, use, disclosure or acquisition of, or access to, any Personal Data (hereinafter “Customer Security Incident”) of which Service Provider becomes aware and which may require a notification to be made to the competent Supervisory Authority or Data Subject under Applicable Data Protection Law, or which Service Provider is required to notify to Customer under Applicable Data Protection Law. Service Provider shall provide commercially reasonable cooperation and assistance in identifying the cause of such Customer Security Incident and take commercially reasonable steps to remediate the cause to the extent the remediation is within Service Provider’s control. The obligations herein shall not apply to incidents that are caused by Customer, Authorized Users, any Non Service Provider-related Service or Force Majeure.

5.5. Audits. Service Provider shall maintain complete and accurate records and information to demonstrate its compliance with its obligations under this Agreement and also for audits conducted by or on behalf of Customer. Customer may contact Service Provider in accordance with the “Notice” Section of the Agreement to request an on-site audit of Service Provider’s procedures relevant to the protection of Personal Data, but only to the extent required under applicable Data Protection Law. Before the commencement of any such on-site audit, Customer and Service Provider shall mutually agree in writing upon the scope, timing, and duration of the audit. Customer will restrict its audit activity to the departments and locations agreed upon in writing. A schedule of meetings and audit activities will be detailed in writing with the nominated single point of contact for the audit and the identified business areas. Customer must provide Service Provider with a notice of fifteen (15) days. Customer can perform a new audit within three years following the former scheduled audit. Customer is responsible for the cost and expenses of the audit. Customer must sign an NDA before each audit. Customer’s audit team is legally bound by Service Provider’s NDA, which prohibits Customer from knowingly and recklessly disclosing any confidential information pertaining to the audit or to the Service Provider or to Service Provider Group. Customer shall promptly notify Service Provider with information regarding any noncompliance discovered during the course of an audit, and Service Provider shall use commercially reasonable efforts to address any confirmed non-compliance.

5.6. Judicial Access. Subject to applicable law, Service Provider shall notify Customer in writing, as soon as is commercially and reasonably practicable, of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Data. Customer shall have the right to defend such action in lieu of and on behalf of Service Provider. Customer may, if it so chooses, seek a protective order. Service Provider shall reasonably cooperate with Customer in such defense.



For the purposes of the Agreement, Customer represents and warrants that all the Personal Data made available to, communicated to, or accessed by the Service Provider have been previously Processed by Customer in full compliance with the Applicable Data Protection Laws.

Consequently, Customer will hold harmless Service Provider from any claims, requests for indemnification or compensation of damages regarding the Processing operations previously performed by Customer on the Personal Data that will then be Processed by Service Provider for the purpose of the Agreement.


Should any provision of this Processing Agreement be invalid or unenforceable, then the remainder of this Processing Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.


This Processing Agreement may be amended in the light of developments in laws and regulations, of the Applicable Data Protection Law as it exists to date and as it could be amended, and of any other rule, law, recommendation or regulation of the relevant data protection authority or any competent European or USA supervisory authority.

Any other change or amendment not connected or related to the necessity to comply with any change in laws or regulations shall be agreed in writing between Customer and Service Provider.


This Data Processing Agreement shall be regulated and interpreted by the same law regulating the Agreement. The court identified within the Agreement shall have exclusive jurisdiction over any disputes or claims related or connected to this Processing Agreement.



Exhibit 1. Details of the Processing

The details of the Processing by the Service Provider under this Agreement are as follows:

Scope of Processing

Service Provider will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Schedule detailing the subscribed Services. For further information regarding the Processing related to a particular Service, please see the online Privacy Policy (User Policy) applicable to the Service.

Nature and Purpose of Processing

Service Provider will only Process Personal Data to perform the Services pursuant to the Agreement, and as further instructed by Customer in its use of the Services.

Duration of Processing

Service Provider will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing or legally required.

Types of Personal Data Processed

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer and the setup of each assessment in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:

- First and last name
- Email
- Connection data (login)
- Official ID document
- Personal life data: birthdate, ID number, gender and other information connected to the official ID OCR
- Frames of video stream with individual participant
- Assessment metadata
- Assessment feedback data
- Payment data
- Localisation data

Categories of data subjects

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:

- Customer itself (e.g. organization data, invoicing data, etc.);
- Individuals or organizations in a relationship with Customer (roles within the organization, etc.).



Exhibit 2. Description of the technical and organisational security measures implemented

1. Application Level.

1.1. Regularly scheduled security audits, both internal and external.

1.2. External security audits and vulnerability scans performed by QoBox. The results of these audits are available to Customer on request.

1.3. Use of Secure Sockets Layer (SSL/TLS).

1.4. Strong cryptographic standards, including advanced password hashing techniques.

1.5. Strong incident management, change control and asset management policies.

1.6. Access to applications is restricted only to whitelisted IP addresses (if requested by Customer): customers can choose to have their data and application be accessible only from IP addresses that they specify during the setup.

1.7. Password Authentication for all users: only Authorised Users have access to the application. In addition, there are different levels of authorisation. For example, users not authorised for administrator access cannot add or remove users.

1.8. Support for different roles and permissions for each role. Only roles or users authorised to access a protected resource can do so.

1.9. All User activity is logged: in the event of unauthorised activity, we can review the log to investigate the events and provide the log to Customer if requested.

1.10. Use of one-time password authentication for critical systems. AWS, Gmail and Github applications are all secured with a second layer of OTP, where the user is required to input username and password as well as the code shown on the authenticator application.

1.11. If identity validation is selected for a specific assessment, the original and processed ID and related data will remain in secured encrypted S3 servers. There are different regulatory policies for how long that data and results from that data need to be kept for the legitimacy of the assessment. Part or all of that data can be programmatically removed based on Customer/regional specific requirements.

1.12. Support for granular exam settings, providing full control to the customer on the level of data requests and requirements to fully utilize the services (e.g. recording, face recognition, ID validation, etc.).

1.13. The optional face detection and AI run as a JavaScript library embedded in a web page executed in the browser of the host device. It carries out instant and volatile processing of personal data while scanning the images read from the video stream (for example a camera) provided by the browser API. Each image of the video stream remains in the volatile memory of the device (smartphone, tablet, PC, etc.), accessible from the software within the browser sandbox, only for the time strictly necessary for processing the result, estimated at about 100 ms, after which it is overwritten by the next image. The last frame of the stream is destroyed as soon as it is processed.

2. Disaster Recovery.

2.1. Full data backups every 24 hours.

2.2. All servers are secured and distributed behind load balancers. Service Provider is able to detect the traffic and do maintenance on the servers without affecting Customer service.

2.3. Backups are kept at a remote location on S3.

2.4. Thirty (7) days of data backups retained.

2.5. In case of disaster, Customer can be set up immediately using the latest available backup.

3. Hosting.

3.1. Servers are hosted in several state-of-the-art Data centres certified SSAE and ISO 27001.

3.2. Equipment is behind multiple layers of physical security and supported by redundant power and HSRP/VRRP Internet access. The Data Centre is located at heavily protected buildings where security personnel are on guard 24x7. Other security features include biometric fingerprint readers on door locks, strategically placed cameras and motion detection, and doors equipped with alarm

3.3. Remote access to the Service Provider network within the AWS Data centre is only allowed to authorised employees over a secure VPN connection.

4. Office Network.

4.1. The office network is protected by Google Workspace Firewall. Only authorised access is

4.2. Documents are shared only among authorised employees. Documents on the office network are encrypted in the cloud, not public, and can only be accessed by authorised employees or

4.3. Access to the building is not granted unless the visitor is pre-authorised or a current employee allows access.

5. Updates.

Service Provider is constantly improving its Services and platform. Service Provider’s latest Technical and Organisational Security Measures updates are available on request. Customer may write to Service Provider using the following email address


Exhibit 3. List of Subcontractors

Infrastructure Subcontractors – Service Data Storage & Processing

| Entity name | Service provided | Entity Country |
| --- | --- | --- |
| Amazon Web Services, Inc. | Cloud Service Provider | United States of America |
| Salesforce Inc (Heroku) | Cloud Service Provider - App Server provider | United States of America |
| Intercom Group | Cloud support and user | United States of America |
| Checkin Group (GetId) | Cloud Identity Verification Service | Estonia |
| Agora Lab Inc. | Broadcast and Video Streaming | United States of America |
| Cynny S.p.A (DBA Morphcast) | Facial Analysis libraries | Italy |
| Github Inc. | Software Development & version | United States of America |

Service Provider Group – LabChanges Unlimited SL Group

| Entity name | Service provided | Country |
| --- | --- | --- |
| EDT Partners SL | Affiliate to the Service Provider (support, marketing, sale) | |
| EDT Partners PTE Ltd | Affiliate to the Service Provider (support, marketing, sale) | |
| The Lab Ventures | Affiliate to the Service Provider (support, marketing, sale) | |

Service Provider Specific Subcontractors

| Entity name | Entity Type | Entity Country |
| --- | --- | --- |
| Pipedrive | CRM | United States of America |
| Jira | Ticketing & Support | United States of America |
| Confluence | Knowledge Base | United States of America |
| Slack | Internal instant messaging and | United States of America |
| QoBox | Stress and security testing | India |
| Google Workspace | Mail, Doc and related services | United States of America |