Data Processing Agreement

Last Updated:  August 11, 2022


This Patch High School News (“Patch HSN”) Data Processing Agreement (the “DPA”) contains the agreement between Patch HSN and you with respect to the Processing of Personal Data by Patch HSN on behalf of you in connection with the Services provided by Patch HSN under the Patch HSN Terms of Service (also referred to as the “Terms”)

This DPA is supplemental to, and is incorporated within, the Terms.  Capitalized terms (and you, whether or not capitalized) not otherwise defined in this DPA have the meanings set forth in the Terms.  Patch HSN may update or modify this DPA from time-to-time, effective upon posting to the Patch HSN website here.  We will update the “Last Updated” date when we do so and, if you are receiving Services at the time of the update or modification we will use commercially reasonable efforts to notify you of the update or modification by email or through your Dashboard.  Your access to and use of the Services after the date any update or modification is posted is subject to the updated or modified DPA, so if you do not agree to any update or modification, you must stop using the Services.  

  • 1. Subject Matter and Duration.
  • Subject Matter. This DPA applies to the Processing of Personal Data by Patch HSN in connection with the Services. If and to the extent any provision in this DPA conflicts with the Terms or any other agreement(s), written or otherwise, between you and Patch HSN, this DPA will control.
  • Duration and Survival. This DPA is legally binding upon you on the date that that you accept  the Terms, and will apply to any data processed by Patch HSN in connection with the Services, whether before, on or after such date. Each party’s rights and obligations under this DPA will continue in effect so long as Patch HSN Processes Personal Data in connection with Services provided to you. 

2. Definitions. 

For the purposes of this DPA, the following terms and those defined within the body of this DPA apply.

  1. Personal Data” means Personal Data collected or obtained by Patch HSN in connection with the Services provided to you under the Terms.   
  2. Data Protection Laws” means applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Personal Data is subject.
  3. Personal Data” means any information that is information protected as personal data or personal information under any applicable Data Protection Law(s).  
  4. Process” or “Processing” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  5. Security Incident(s)” means any actual or suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. 
  6. Services” has the meaning set forth in the Terms. 
  7. Third Party(ies)” means Patch HSN’s authorized contractors, agents, vendors and third party service providers (i.e., sub-processors) that Process Personal Data.

3. Data Use and Processing.

  1. Instructions.  The Terms and this DPA, together with your use of the Services under the Terms, constitute your complete instructions to Patch HSN in relation to the Processing of Personal Data.  You may provide additional instructions during the term of the Terms, provided that such instructions are consistent with the Terms and the nature of and lawful use of the Services.  
  2. Processing. Patch HSN and its Third Parties shall Process Personal Data for the purpose of providing the Services and as we may otherwise agree in writing in accordance with your lawful instructions, except as may be otherwise required under applicable law(s). You understand that Patch HSN is not responsible for compliance with any Data Protection Laws that are applicable to you or your industry but that are not generally applicable to Patch HSN. Patch HSN will, unless legally prohibited from doing so, inform you in writing if it reasonably believes that there is a conflict between your instructions and applicable law or otherwise seeks to Process Personal Data in a manner that is inconsistent with your instructions.  Notwithstanding the foregoing and for the avoidance of doubt, you are solely responsible for ensuring that your instructions comply with all applicable Data Protection Laws and other laws. 
  3. Authorization to Use Third Parties. You hereby authorize Patch HSN to engage Third Parties and such Third Parties to engage sub-processors for the purpose of providing the Services. 
  4. Patch HSN and Third Party Compliance. Patch HSN shall (i) enter into a written agreement with Third Parties that imposes on such Third Parties (and their sub-processors) data protection and security requirements for Personal Data that are consistent with the obligations in this DPA; and (ii) remain responsible to you for Patch HSN’s Third Parties’ failure to perform their obligations with respect to the Processing of Personal Data.
  5. Right to Object to Third Parties. Patch HSN shall make available to you a list of Third Parties that Process Personal Data upon reasonable request. Upon request by you, prior to engaging any new Third Parties that Process Personal Data, Patch HSN will notify you via email and allow you thirty (30) days to object. If you have legitimate objections to the appointment of any new Third Party, you and Patch HSN will work together in good faith to resolve the grounds for the objection and if we are not able to resolve such objection, you may terminate the Services as provided in the Terms. 
  6. Confidentiality. Any person or Third Party authorized to Process Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality. 
  7. Personal Data Inquiries and Requests. Patch HSN agrees to use commercially reasonable efforts to provide assistance to you with respect to any requests from individuals exercising rights in Personal Data granted to such individuals under Data Protection Laws.  You agree to reimburse Patch HSN for costs incurred by Patch HSN in connection with such assistance. 
  8. Data Protection Impact Assessment and Prior Consultation.  To the extent that the required information is reasonably available to Patch HSN and you do not otherwise have access to such required information, Patch HSN agrees to provide reasonable assistance to you with respect to any data protection impact assessment and/or prior consultation with the relevant data protection authorities required under any applicable Data Protection Law.
  9. Demonstrable Compliance. Patch HSN agrees to keep records of its Processing in compliance with Data Protection Laws and provide any necessary records to you to demonstrate compliance upon reasonable request.

4. Information Security Program

  1. Patch HSN agrees to implement appropriate technical and organizational measures to protect Personal Data as required under applicable Data Protection Laws (the “Information Security Program”).  Such measures may include, as required under such Data Protection Laws: 
  1. Pseudonymisation of Personal Data and encryption of Personal Data in transit and at rest; 
  2. The ability to ensure the ongoing confidentiality, integrity, availability of Patch HSN’s Processing and Personal Data; 
  3. Ensuring access to Personal Data is being audited and granted in a consistent manner aligned with the principle of least privilege;
  4. Ensuring Personal Data is used only in the manner set forth in the Terms and this DPA, and that any other uses are prohibited without advance written approval by you; 
  5. The ability to restore the availability and access to Personal Data in the event of a physical or technical incident; and
  6. A process for regularly evaluating and testing the effectiveness of Patch HSN’s Information Security Program to ensure the security of Personal Data from reasonably suspected or actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.  

5. Security Incidents. 

  1. Security Incident Procedure. Patch HSN will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (i) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability or access to Personal Data in a timely manner. 
  2. Notice. Unless prohibited by law, Patch HSN agrees to provide prompt written notice without undue delay to your Admin if it knows or reasonably suspects that a Security Incident has taken place. A delay in giving such notice that is requested by law enforcement and/or in light of Patch HSN’s legitimate needs to investigate or remediate the matter before providing notice shall not constitute an undue delay. Such notice will include available details required under Data Protection Laws for you to comply with your own notification obligations to regulatory authorities or individuals affected by the Security Incident under applicable Data Protection Laws. Patch HSN’s notification to you of any Security Incident will not be construed as an acknowledgement by Patch HSN of any fault or responsibility with respect or in connection with such Security Incident.

6. Audits. 

  1. Right to Audit; Permitted Audits. To the extent that applicable Data Protection Laws include a right for you to audit Patch HSN’s Processing of Personal Data, subject to Section 6(b), Patch HSN will make available to you on request all information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to reasonable audits, including inspections of Patch HSN (and any subprocessor of Patch HSN that Processes Personal Data) facilities, premises or service, by an independent auditor selected by you, solely in relation to the Processing of Personal Data.  Any audit will be conducted no more than once in any calendar year and at your sole expense.  
  2. Notice. You will give Patch HSN reasonable written notice of any audit or inspection to be conducted under Section 6(a) and will make (and ensure that each of your auditors makes) reasonable efforts to avoid disruption to Patch HSN 's (or any subprocessor of Patch HSN 's) premises, equipment, personnel and business in the course of such an audit or inspection.
  3. Audit Results. Upon request by Patch HSN, after conducting an audit you will provide Patch HSN with any audit report(s) and other results of such audit.  You may use audit reports and results only for the purposes of meeting your regulatory audit requirements and confirming that Patch HSN’s Processing of Personal Data complies with this DPA and applicable Data Protection Laws.  


7. Data Storage and Deletion.

  1. Data Storage. Patch HSN will not store or retain any Personal Data except as necessary to perform the Services under the Terms and as necessary for Patch HSN’s business records and as required under applicable laws. 
  2. Data Deletion. Patch HSN will use commercially reasonable efforts to delete Personal Data Processed by Patch HSN within thirty (30) days after the date Patch HSN ceases providing Services to you under the Terms, except where Patch HSN is required or allowed to retain such Personal Data under applicable law, or where such Personal Data has been stored on Patch HSN back-up systems, in which case such Personal Data will not be subject to further Processing and will be deleted in accordance with Patch HSN’s business practices.

8. Your Responsibilities.  You will be responsible for complying with all requirements applicable to you under Data Protection Laws with respect to Processing of Personal Data and your instructions to Patch HSN, including, without limitation (a) the accuracy, quality and legality of Personal Data you provide to Patch HSN and the means by which you acquire such Personal Data; (b) complying with all transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations; (c) ensuring that you have the right to transfer, or provide access to, the Personal Data to Patch HSN for Processing in accordance with the Terms and this DPA; and (d) ensuring that your Instructions to Patch HSN regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws.  You will promptly inform Patch HSN in writing if you are not able to comply with your responsibilities under this DPA.  You are responsible for independently determining whether the data security and other measures provided for with respect to the Services meet your obligations under Data Protection Laws.  

9. Contact Information.

  1. Your designed point of contact for urgent privacy and security issues (“Designated POC”) will be the Admin under the Terms.  Patch HSN’s Designated POC will be highschoolnews@patch.com

Contact Us|Terms of Use|Privacy Policy