This Data Processing Agreement ("DPA") is incorporated into, and is subject to the terms and conditions of, the agreement between the Customer that is a party to the agreement ("Customer" or "you") and Wellio.

All capitalised terms not defined in this DPA have the meanings set out in the Agreement. For the avoidance of doubt, all references to the "Agreement" shall include this DPA.

It is agreed:

1. Roles and Responsibilities

The parties acknowledge and agree that the Customer is the Controller and Wellio is the Processor.

2. Processing of Customer Personal Data

2.1 Processing of Customer Personal Data

The Customer acknowledges and agrees that:

1. (a) Wellio may Process Customer Personal Data for the purpose of providing the Services in accordance with the terms of the Agreement and as authorised under the terms of this DPA, or otherwise on the documented instructions of the Customer.
2. (b) The subject matter and types of Customer Personal Data that Wellio may collect and Process are set out in Wellio's Privacy Policy.
3. (c) The duration of Processing of Customer Personal Data corresponds to the duration of the Agreement, or otherwise on the documented instructions of the Customer.
4. (d) The Categories of Data Subjects to whom the Customer Personal Data relates may include Customer's end users, the parents or legal guardians of users, employees, contractors, suppliers, and other third parties.

Wellio is entitled to assume that any instruction given by a representative of the Customer under clause 2.1(a) is given with the Customer's full authority. The Customer further acknowledges and agrees that Wellio will not be under any duty to investigate the completeness, accuracy, or sufficiency of any instructions given to it by any Customer representative.

2.2 Compliance with Laws

1. (a) Wellio will comply with all applicable Data Protection Laws in respect of the Processing of Customer Personal Data.
2. (b) Wellio will not Process Customer Personal Data other than on the Customer's instructions unless Processing is required by Data Protection Laws to which Wellio is subject, in which case Wellio will, to the extent permitted by Data Protection Laws, inform the Customer of that legal requirement before the relevant Processing of that Personal Data.
3. (c) The Customer must comply with all obligations it has as a Controller under Data Protection Laws and must not use the Services or provide Customer Personal Data to Wellio to the extent that doing so would violate any applicable Data Protection Laws. The Customer will inform Wellio if it becomes aware or reasonably believes that the Customer's data processing instructions violate any applicable Data Protection Law.

2.3 Instruction and Agreement by Customer

1. (a) The Customer:
   1. (i) instructs Wellio (and authorises Wellio to instruct each Sub-processor) to Process Customer Personal Data; and
   2. (ii) agrees to the transfer of Customer Personal Data by Wellio,
   in accordance with the terms of this DPA and as reasonably necessary for the provision of the Services and consistent with the Agreement.

The Customer warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in this clause.

2.4 Transfer of Personal Data

1. (a) The Customer acknowledges that Wellio may transfer and process Customer Personal Data in locations where Wellio, its affiliates, or its Sub-processors maintain data processing operations. Wellio will at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this DPA.
2. (b) If the Customer Personal Data is protected under the UK GDPR, by entering into this DPA, to the extent Wellio's processing of Customer Personal Data involves a Restricted Transfer, the Customer agrees to Wellio's use of the International Data Transfer Agreement (IDTA) between Wellio Education UK Ltd (CRN 15605880) and Wellio Pty Ltd (ABN 651 471 555). Wellio will provide the IDTA to the Customer upon request. The IDTA will be incorporated by reference and form part of this DPA.
3. (c) If the Customer Personal Data is protected under the GDPR, by entering into this DPA, to the extent Wellio's processing of Customer Personal Data involves a Restricted Transfer, the Customer agrees to enter into Standard Contractual Clauses approved by the European Commission. In such instances, Wellio will provide the Standard Contractual Clauses to the Customer, and they will be incorporated by reference and form part of this DPA.

2.5 Wellio Personnel

1. (a) Wellio shall take reasonable steps to ensure that access to the Customer Personal Data is strictly limited to those employees, agents, and contractors who need to access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Data Protection Laws. Wellio will ensure that all such individuals are subject to confidentiality obligations or professional or statutory obligations of confidentiality.
2. (b) Wellio will implement appropriate technical and organisational measures to ensure that its personnel only have access to such part or parts of the Customer Personal Data as is strictly necessary for the performance of their duties and obligations.

3. Security

1. (a) Taking into account the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Wellio will implement appropriate technical and organisational measures to ensure the Customer Personal Data is secured as appropriate and in particular from the risk of any accidental or unlawful destruction, loss, alteration, and any unauthorised disclosure or access, taking into account the risks associated with the Processing of the Customer Personal Data.
2. (b) Security measures will include, where appropriate, measures for the pseudonymisation and encryption of Personal Data; the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

4. Sub-processing

1. (a) The Customer authorises Wellio to appoint Sub-processors in accordance with this DPA.
2. (b) The Customer authorises Wellio to transfer Customer Personal Data to its affiliates and those Sub-processors currently engaged by Wellio as at the date of this DPA. A list of the Sub-processors engaged by Wellio and the purpose of their engagement may be provided upon request.
3. (c) The Customer authorises Wellio to engage other Sub-processors, provided that Wellio notifies the Customer of any new Sub-processors, either by providing written notice of the appointment of a Sub-processor or by providing the list of Sub-processors upon request, and provided that Wellio will ensure that each agreement it has with a Sub-processor is governed by a written contract with terms which provide the same level of protection for Customer Personal Data as those set out in this DPA and meet the requirements of applicable Data Protection Laws.
4. (d) The Customer may object to the appointment of any new Sub-processor by Wellio within 30 days after notification by Wellio on the basis that such appointment would cause the Customer to breach Data Protection Laws. In the event of such objection, the parties will work in good faith to make reasonable changes to the Services to resolve the Customer's concerns.

5. Data Subject Rights

Wellio will:

1. (a) promptly notify the Customer if Wellio receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data;
2. (b) respond to any request from a Data Subject in accordance with the instructions of the Customer or as required by Data Protection Laws to which Wellio is subject; and
3. (c) provide reasonable assistance to the Customer in respect of any request from a Data Subject.

6. Personal Data Breach

1. (a) Wellio will notify the Customer promptly upon Wellio becoming aware of a Personal Data Breach affecting Customer Personal Data. Wellio will provide the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
2. (b) Wellio shall cooperate with the Customer and take such reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

7. Data Protection Impact Assessment and Prior Consultation

Wellio will provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with any competent data privacy authorities, which the Customer reasonably considers to be required by applicable Data Protection Laws.

8. Deletion or Return of Customer Personal Data

Following expiration or termination of the Agreement and cessation of any Services involving the Processing of Customer Personal Data, and otherwise upon any direction from the Customer which is consistent with applicable Data Protection Laws, Wellio will delete or return to the Customer all Personal Data in Wellio's possession upon request as provided in the Agreement, and procure the same for all Sub-processors, except to the extent Wellio or a Sub-processor is required by applicable law to retain some or all of the Personal Data.

9. Jurisdiction-Specific Terms

To the extent Wellio processes Personal Data originating from and protected by Data Protection Laws in one of the jurisdictions listed in Annexure A, then the terms specified in Annexure A relating to the applicable jurisdiction(s) ("Jurisdiction-Specific Terms") apply in addition to the terms of this DPA. In the event of any conflict or ambiguity between the Jurisdiction-Specific Terms and any other terms of this DPA, the applicable Jurisdiction-Specific Terms will take precedence, but only to the extent of the Jurisdiction-Specific Terms' applicability to Wellio.

10. Limitation of Liability

1. (a) To the maximum extent permitted by law, each party's liability arising out of or related to this DPA (including the Standard Contractual Clauses) is subject to the exclusions and limitations of liability set out in the Agreement.
2. (b) In no event shall any party limit its liability with respect to any individual's data protection rights under this DPA or otherwise limit liability that cannot be limited under applicable Data Protection Laws.

11. Further Acts

Wellio will upon request make available to the Customer all information necessary to demonstrate compliance with this DPA and permit any audit by the Customer in accordance with the Customer's rights of audit under applicable Data Protection Laws.

12. General

12.1 Definitions

1. (a) Wellio means:
   1. (i) if the Customer is established in Europe or the United Kingdom – Wellio Education UK Ltd (CRN 15605880);
   2. (ii) if the Customer is located in Australia or any other jurisdiction – Wellio Pty Ltd (ACN 651 471 555);
2. (b) Data Protection Laws means:
   1. (i) all data protection laws and regulations applicable to Europe, including the General Data Protection Regulation (GDPR) and applicable national implementations of the GDPR;
   2. (ii) the UK General Data Protection Regulation (UK GDPR) established by the European Union (Withdrawal) Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and includes any subsequent UK legislation substituted for or amending the UK GDPR and the Data Protection Act 2018;
   3. (iv) any other applicable data protection laws in jurisdictions where Wellio operates or processes data;
3. (c) Processor means an entity that processes Personal Data on behalf of a Controller, as defined in the GDPR and UK GDPR;
4. (d) Services means the services and content supplied by Wellio for the Customer, and the use by the Customer and the Data Subjects of the Wellio platform, pursuant to the Agreement;
5. (e) Standard Contractual Clauses means the contractual clauses adopted by the European Commission for the transfer of personal data from data controllers in the EU to data processors in jurisdictions outside the European Economic Area (EEA);
6. (f) Customer Personal Data means any Personal Data Processed by Wellio or a Sub-processor on behalf of the Customer pursuant to or in connection with the Agreement;
7. (g) Sub-processor means any person appointed by or on behalf of Wellio to Process Personal Data on behalf of the Customer in connection with the Agreement; and
8. (h) The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing", and "Restricted Transfer" shall have the same meaning as in the GDPR and the UK GDPR.

12.2 Interpretation

1. (a) Capitalised terms not otherwise defined in this DPA have the meaning given to them in the Agreement.
2. (b) Except as modified by this DPA, the terms of the Agreement remain in full force and effect.

12.3 Entire Agreement

1. (a) This DPA constitutes the entire agreement between the parties regarding the matters set out in it and supersedes any prior representations, understandings, or arrangements made between the parties, whether orally or in writing.
2. (b) In the event of any conflict or inconsistency between this DPA and Wellio's Terms and Conditions, the provisions of the following documents (in order of precedence) shall prevail: (i) this DPA; and then (ii) Wellio's Terms and Conditions.

12.4 Waiver

A right created by this DPA cannot be waived except in writing signed by the party entitled to that right. Delay by a party in exercising a right does not constitute a waiver of that right, nor will a waiver (either wholly or in part) by a party of a right operate as a subsequent waiver of the same right or of any other right of that party.

12.5 Further Assurances

Each party must promptly execute all documents and do everything necessary or desirable to give full effect to the arrangements contained in this DPA.

12.6 Governing Law and Jurisdiction

1. (a) The laws of the country in which the Customer is established govern this DPA.
2. (b) The parties submit to the jurisdiction of the courts of the country in which the Customer is established.

12.7 Severance

If any clause or part of any clause is in any way unenforceable, invalid, or illegal, it is to be read down so as to be enforceable, valid, and legal. If this is not possible, the clause (or where possible, the offending part) is to be severed from this DPA without affecting the enforceability, validity, or legality of the remaining clauses (or parts of those clauses) which will continue in full force and effect.