Effective: January 23, 2025

This Data Processing Agreement (“DPA”) is an addendum to the legal agreement between you (the “Customer”) and Motimate for your use of the Motimate Services (the “Agreement”).

1. Definitions

For the purposes of the DPA the following definitions apply:

“Customer Personal Data” means the categories of Personal Data that are set out in Annex A to this DPA and that are Processed by Motimate on behalf of the Customer.

“Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation or the “GDPR”); (ii) the GDPR as it forms part of domestic law in the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018; (iii) the Norwegian legislation implementing the GDPR; and (iv) any equivalent legislation, or legislation dealing with the same subject matter, anywhere in the world; each as applicable and each as amended, consolidated or replaced from time to time.

“New Sub-Processor” means any Sub-Processors engaged by Motimate after the effective date of the Agreement.

“Personnel” means any current, former or prospective employee, consultant, temporary worker, agency worker, intern, other non-permanent employee, contractor, secondee or other personnel.

“SCC” means the European Commission’s standard contractual clauses for data transfers between EU and non-EU countries and/or, where applicable, the addendum to those standard contractual clauses or international data transfer agreement published by the Information Commissioner’s Office for data transfers from the UK.

“Sensitive Data” means: (i) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (ii) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (iii) employment, financial, credit, genetic, biometric or health information; (iv) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (v) account passwords; (vi) personal data relating to criminal convictions or offences, or (vii) other information that falls within the meaning of “special categories of data” or “sensitive data” under applicable Data Protection Laws.

“Sub-Processor” means an entity to which Motimate subcontracts its processing of the Customer Personal Data.

“Data Subject”, “Controller”, “Personal Data”, “Personal Data Breach”, “Processing” (with “Process” and “Processed” to be construed accordingly) and “Processor” shall have the meaning provided to such term under the GDPR.

“Supervisory Authority” shall have the meaning given to the term under the GDPR, or shall refer to the Information Commissioner’s Office to the extent the UK GDPR applies.

All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement. For the avoidance of doubt, all references to the Agreement shall include this DPA and any relevant SCCs (where implemented in connection with the Agreement).

2. Roles and responsibilities

The parties acknowledge and agree that with regards to the Processing of Customer Personal Data in the course of providing the Services, Customer is the Controller and Motimate is a Processor acting on behalf of Customer as further described in Annex A (Details of Data Processing).

In the course of providing the Services, Motimate shall Process Customer Personal Data only:

  • in accordance with Customer’s documented lawful instructions as set forth in this DPA; except when required to Process any Customer Personal Data: (i) in relation to any EU/EEA member state, by the laws of the EU/EEA or an EU/EEA member state; or (ii) in relation to the UK, by the laws applicable in the UK, in which case Motimate shall inform Customer in advance of such Processing, to the maximum extent permitted by applicable law, or as otherwise agreed in writing; and
  • to the extent necessary in connection with this DPA or the Services, including as described in Annex A below, (together, the “Permitted Purposes”).

If at any point, Motimate becomes unable to comply with Customer’s instructions regarding the Processing of Customer Personal Data (whether because Motimate believes that an instruction infringes the applicable law of the United Kingdom, or applicable EU/EEA law or national law of an EU/EEA Member State, or as a result of a change in applicable law, or a change in Customer’s instructions), Motimate shall reasonably promptly:

  • notify Customer of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the extent permitted by applicable law; and
  • cease all Processing of the affected Customer Personal Data (other than merely storing and maintaining the security of the affected Customer Personal Data) until such time as Customer issues new instructions with which Motimate is able to comply.

The Customer shall: (i) comply with its obligations under applicable laws, including Data Protection Laws, in respect of its Processing of Customer Personal Data and any Processing instructions issued to Motimate; and (ii) provide all notices and obtain all consents and rights necessary under Data Protection Laws for Motimate to Process Customer Personal Data for the purposes described in the Agreement. This DPA does not relieve the Customer’s obligations under Data Protection Law.

The Customer shall not provide (or cause to be provided) any Sensitive Data to Motimate for Processing under the Agreement, and Motimate will have no liability for Sensitive Data, whether in connection with a Personal Data Breach or otherwise.

Notwithstanding the foregoing, in the event that the Customer provides Sensitive Data to Motimate, Motimate shall not be obliged to Process such Sensitive Data.

3. Security

Subject to Section 8, Motimate will implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data from accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, any other breach of security, and take reasonable steps to ensure a level of security appropriate to the risks arising from its Processing activities, in accordance with applicable Data Protection Law. The security measures shall at all times be designed to preserve the security and confidentiality of Customer Personal Data in accordance with Motimate’s security standards set out in Annex B to this DPA.

Motimate shall take reasonable steps to ensure: (i) that Customer Personal Data are kept confidential; and (ii) that all relevant Motimate Personnel and any relevant Sub-Processors have committed themselves to ensuring the confidentiality of all Customer Personal Data that they Process.

Motimate shall ensure that Customer Personal Data is solely Processed by Motimate’s Personnel who are authorized by Motimate to Process Customer Personal Data.

Customer is responsible for reviewing relevant information pertaining to data security as is made available by Motimate. Based on such information, the Customer shall make an independent assessment on whether the Motimate Service complies with the Customer’s obligations pursuant to applicable laws, including Data Protection Laws. Customer understands that Motimate’s security measures may be updated or modified as needed, provided that such updates and/or modifications do not negatively affect the overall level of security for the Motimate Services provided to Customer.

4. Personal Data Breach and other notifications

Motimate shall:

  • reasonably promptly notify the Customer of:
    • any confirmed Personal Data Breach affecting Customer Personal Data upon becoming aware thereof;
    • receipt of any correspondence or communication from any Data Subject or Supervisory Authority regarding the Processing of Customer Personal Data; and
  • promptly take reasonable steps to contain and investigate any Personal Data Breach affecting Customer Personal Data.

Motimate’s notification of, or response to, a Personal Data Breach under this Section 4 shall not be construed as an acknowledgment by Motimate of any fault or liability with respect to the Personal Data Breach.

5. Cooperation with the Customer

In respect of the Processing of Customer Personal Data, taking into account the nature of the Processing and the information available to Motimate, Motimate shall, at the Customer’s written request and expense, reasonably promptly assist the Customer with the Customer’s legal obligations under Data Protection Law by providing the Customer with any reasonable technical and organizational assistance necessary to:

  • implement appropriate technical and organizational measures for the purpose of complying with Data Protection Law;
  • enable the Customer to respond appropriately to requests from relevant Data Subjects to exercise their rights;
  • notify the appropriate Supervisory Authority and Data Subjects, where required, of any Personal Data Breach affecting Customer Data;
  • carry out data protection impact assessments where required by applicable Data Protection Law;
  • obtain any necessary authorizations from Supervisory Authorities where required by applicable Data Protection Law; and
  • conduct prior consultations with Supervisory Authorities where required by applicable Data Protection Law.

For the avoidance of doubt, Motimate shall be entitled to receive remuneration for any documented costs Motimate incurs in connection with its assistance under this Section 5.

6. Audit and compliance review

Motimate shall, in relation to its Processing of Customer Personal Data, maintain documentation of its compliance with this DPA and Data Protection Law, including written records of all Customer Personal Data Processed on behalf of the Customer. Motimate shall provide access to the aforementioned documentation upon the Customer’s reasonable notice.

At the Customer’s request and expense, Motimate shall: (i) promptly provide Customer with all information reasonably necessary to enable Customer to demonstrate compliance with its obligations under Data Protection Law, to the extent that Motimate is reasonably able to provide such information; and (ii) subject to Section 8, allow for and contribute to audits, including inspections, conducted by the Customer of Motimate’s premises and security systems specific for Customer, as Customer may reasonably require to ascertain compliance with Data Protection Law.

The Parties shall agree on the timing of such audits, including the scope and methods for the audits. Unless otherwise agreed, a maximum of one (1) audit may be conducted each year. Notwithstanding the foregoing, the Customer shall be entitled to carry out additional audits to the extent that the performance of such audits is necessary for the Customer’s compliance with Data Protection Law. The Customer shall give Motimate reasonable notice of the audit. The audit shall be conducted in a manner that causes the least possible disruption to Motimate’s ordinary operations. Further, all on-site audits shall be restricted to Motimate’s standard opening hours, and Motimate shall provide the Customer with copies of Motimate’s then-current policies and procedures regarding access to its premises, and the Customer shall procure that all Personnel involved in such on-site audits shall abide by such policies and procedures at all times. The audit result shall be documented appropriately. No provision of this DPA shall entitle Customer, or any auditor, to access confidential information of Motimate or any third party. Motimate may object to any third-party auditor appointed by Customer if the auditor is, in Motimate’s reasonable opinion: (i) not suitably qualified or independent; (ii) a competitor, or affiliate of a competitor, of Motimate; or (iii) otherwise manifestly unsuitable for the role. Any such objection by Motimate will require Customer to appoint another auditor or conduct the audit itself.

The Customer may appoint a third party to conduct audits on its behalf at Customer’s own expense. The relevant third party may not be a competitor of Motimate.

Costs for any audits initiated by the Customer pursuant to this Section 6 shall be borne by the Customer. Notwithstanding the foregoing, if audits pursuant to this Section 6 identify that Motimate is in material non-compliance with this DPA or Data Protection Laws, costs for such audits shall be borne by Motimate.

7. Use of Sub-Processors

The Customer hereby grants Motimate a general authorization to subcontract its processing of the Customer Personal Data to a Sub-Processor, subject to this Section 7.

Motimate shall take reasonable steps to ensure that, in each instance in which it engages a Sub-Processor to Process any Customer Personal Data, it shall: (i) appoint such Sub-Processors in accordance with the Customer’s prior authorization as granted above; and (ii) use commercially reasonable efforts to enter into a written agreement with each Sub-Processor, requiring the Sub-Processor to comply with data protection obligations equivalent in all material respects to those imposed on Customer under this DPA with respect to the Processing of Customer Personal Data.

Motimate shall be responsible for any acts or omissions of such Sub-Processor in breach of this DPA and for any acts or omissions of such Sub-Processors that cause Motimate to breach any of its obligations under this DPA.

Motimate will inform the Customer if Motimate intends to appoint or use a New Sub-Processor to the extent applicable to the Processing of Customer Personal Data by updating the list of Motimate’s current Sub-Processors available in Annex C herein. If the Customer has reasonable grounds to object to Motimate’s use of a New Sub-Processor, and such objection directly relates to Customer’s obligations under Data Protection Law, the Customer shall notify Motimate thereof in writing within fifteen (15) calendar days after receipt of Motimate’s notice.

Following such an objection from the Customer, Motimate shall be entitled to terminate the Agreement for convenience without being obligated to refund any amounts that the Customer has already paid, to the fullest extent permitted under applicable law.

8. Obligations of Customer

Customer warrants that it shall at all times comply with its obligations under Data Protection Laws in respect of Motimate’s engagement to Process any Customer Personal Data.

Customer acknowledges that the security measures set out in Annex B below are sufficient for the purposes of Processing the Customer Personal Data under this DPA.

Customer shall not, whether through action or omission, place Motimate in breach of any Data Protection Laws.

9. International Transfers

Customer agrees that Motimate shall be entitled to transfer and Process Customer Personal Data within the EU/EEA and the UK.

Subject to Section 7, Customer acknowledges that Motimate may transfer and Process Customer Personal Data to areas outside the EU/EEA/UK. Motimate shall take all reasonable steps to ensure that such transfers are made in compliance with the requirements of the Agreement, this DPA and Data Protection Law.

To the extent that Motimate transfers Customer Personal Data protected by Data Protection Laws to a country outside of EU/EEA/UK that is not recognized as providing an adequate level of protection for personal data (as described in applicable Data Protection Law), Motimate shall ensure that the transfer is based on the appropriate version(s) of the SCCs. Motimate shall enter into written agreement including appropriate SCCs with all of Motimate’s Sub-Processors that might Process Customer Data outside the EU/EEA/UK, and shall require that its Sub-Processors abide by and Process Data in compliance with the SCCs.

10. Return or Deletion of Data

Upon termination of the Agreement, Motimate shall delete or return to Customer, at Customer’s choice, all Customer Personal Data in Motimate’s possession or control within sixty (60) days after the termination. This requirement shall not apply to the extent Motimate is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data that is archived in back-up systems, which Motimate shall securely isolate, protect from any further Processing and eventually delete in accordance with Motimate’s deletion policies, except to the extent required by applicable law.

Annex A – Details of Data Processing

Processor:
Motimate is the Processor of Customer Personal Data.

Controller:
The Customer is the Controller of Customer Personal Data.

Subject matter:
Processing of Customer Personal Data by Motimate on behalf of the Customer under, or in connection with, the Agreement.

Duration of Processing:
Motimate will Process Customer Personal Data as outlined in Section 10 (Return or Deletion of Data) of this DPA.

Purposes of Processing:
Motimate shall only Process Customer Personal Data for the following purposes: (i) Processing as necessary to provide the Motimate Services in accordance with, or in connection with, the Agreement; (ii) Processing initiated by Customer in its use of the Motimate Services; and (iii) Processing to comply with any other reasonable instructions by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement.

Nature of the Processing:
Motimate provides a learning platform, and related services, that allows users to create and upload content, create or engage with courses and invite others to engage with courses, as more particularly described in the Agreement.

Data Subjects:
Any user the Customer invites into the Services, such as Customer personnel.

Categories of Customer Personal Data:
The Customer may upload, submit or otherwise provide certain Personal Data to or for the use of the Services, the extent of which is typically determined and controlled by the Customer in its sole discretion, and may include email addresses (required for login), organization (required), username, name, location, picture, video, user activity, and profile bio.

Sensitive Data:
It is not the intention of either Party that Motimate should Process any Sensitive Data as part of the provision of the Services.

Annex B – Security Measures
The Security Measures applicable to the Service are described here (as updated from time to time in accordance with Section 3 of this DPA).

Annex C – Sub-processors

| Active | Name of service | Data location | Description of processing | Company name and address |
|---|---|---|---|---|
| | Heroku | Ireland | Server hosting | SFDC Ireland Limited, Registration in Ireland with company no.: 394272, 3rd and 4th Floor, 1 Central Park Block G, Central Park, Leopardstown 18, Dublin, Ireland |
| | AWS | Ireland and Sweden | Database, file and backup storage, transfer of employee data files. Email notifications. | Amazon Web Services EMEA, SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg; Amazon Web Services EMEA SARL, Norwegian Branch |
| | Elasticsearch | Ireland | Analytics engine used for Reports | Elasticsearch AS, Postboks 539, 1373 Asker, Norway |
| | Cloudinary | Ireland and Sweden | Image/video storage, processing and serving | Cloudinary Ltd. Media management in the Cloud. Company VAT ID: 514821933 |
| Optional – only applicable for Customers who have opted in to the “learning locker”/“X API” | Atlas | Ireland | Learning locker, Parse server | MongoDB Limited, Building Two, Number One Ballsbridge, Ballsbridge, Dublin 4, Ireland |
| | Twilio | EU data centers | SMS sending, and backup email relay | Twilio Ireland Limited, 3 Dublin Landings, North Wall Quay, Dublin 1, Dublin, Ireland D01 C4E0 |
| | Firebase | EU data centers | Send push notifications from the Motimate app, control customers’ features. Only access to technical data, such as Device ID. | Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Dublin, Ireland |
| | Vercel | USA | Optimize performance of the Motimate app. Only processes technical data, such as IP addresses, but these are not stored. | Vercel inc., 440 N Barranca Ave Pmb 4133 Covina, CA, 91723-1722 United States |
| | Zendesk | EU data centers | Provision of support and other customer dialogue | Zendesk, inc., 989 Market St San Francisco, CA 94103 United States |
| ✓ (Optional – only applicable when requested by the customer) | ConnXio | EU | Import customer data | Evidi AS, Rådhusgata 5, 0151 Oslo, Norway |
| ✓ (Optional – only applicable when requested by the customer) | Microsoft Corporation | EU | Microsoft Excel: assist customers with creating accounts for end users. Microsoft 365: Communications and file sharing with Customers | Microsoft Corporation, One Microsoft Way, Redmond, WA 98052 USA |
| ✓ (Optional – only applicable when requested by the customer) | Google Cloud EMEA Limited | EU | Assist customers with creating accounts for the end users. | Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland |
| ✓ (Optional – only applicable when requested by the customer) | 1Password (AgileBits inc.) | USA | Provide passwords, share files with customers | 1password, 901 Fifth Avenue, Suite 1200, Seattle, WA 98164, USA |
| ✓ (Optional – only applicable when requested by the customer) | Zapier, Inc. | USA | Delete customer and end user data | Zapier, Inc. 548 Market Street, #62411, USA |
| ✓ (Optional, only applicable when activated by the user) | Microsoft Azure | EU | AI-generated translation of Motis. More information about Motimate’s use of AI translation found here. | Microsoft Azure, One Microsoft Way, Redmond, WA 98052 USA |
| | Kahoot! AS and subsidiaries | EU | Provision of support | Kahoot! AS, Kronprinsesse Märthas plass 1, 0160 Oslo, Norway |

Archived Data Processing Agreements:

Archived DPA Effective through: January 22, 2025