ELSA SCHOOL DATA PROCESSING ADDENDUM
Last Updated: 6/11/2026
This Data Processing Addendum (“DPA”) is incorporated by reference into and forms an integral and inseparable part of the ELSA School Agreement governing the use of our services (“Agreement”) entered by and between you, the Customer (as defined in the Agreement) (collectively, “you”, “your”, “Customer”), and the ELSA entity set forth in the Agreement (“ELSA”, “us”, “we”, “our”) to reflect the parties’ agreement with regard to the Processing of Personal Data by ELSA solely on behalf of the Customer. Both parties shall be referred to as the “Parties” and each, a “Party”.
Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
By using the Services, Customer accepts this DPA and you represent and warrant that you have full authority to bind the Customer to this DPA. If you cannot, or do not agree to comply with and be bound by this DPA, or do not have the authority to bind the Customer or any other entity, please do not provide Personal Data to us.
In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data.
- DEFINITIONS
- Definitions:
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Authorized Affiliate” means any of Customer’s Affiliate(s) which is explicitly permitted to use the Services pursuant to the Agreement between Customer and ELSA but has not signed its own agreement with ELSA and is not a “Customer” as defined under the Agreement.
- “Data Subject” means an identified or identifiable natural person.
- “Data Protection Laws” means Japan’s Act on the Protection of Personal Information, Act No. 57 of 2003, as it may be amended from time to time (APPI).
- “Onward Transfer” means the onward transfer of Personal Data by ELSA to a Sub-processor or ELSA Affiliate.
- “Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person, including any such information that is compiled in a personal information database or the equivalent under the APPI, which is processed by ELSA solely on behalf of Customer, under this DPA and the Agreement and as detailed in Schedule 1 attached hereto.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
- “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Services” means the services provided to Customer by ELSA in accordance with the Agreement.
- “Security Documentation” means the security measures applicable to the Services purchased by Customer, which at a minimum will include the provisions described in Schedule 2 attached hereto.
- “Sensitive Data” means Personal Data that is protected under a special legislation and requires unique treatment, such as “special categories of data”, “special-case personal information” or other materially similar terms under applicable Data Protection Laws, which may include any of the following: (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number; (c) financial, credit, genetic, biometric or health information; (d) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, creed, social status, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal records or the fact of having suffered damage by a crime; and/or (e) account passwords in unhashed form.
- “Sub-processor” means any third party that Processes Personal Data under the instruction or supervision of ELSA, including affiliates.
- PROCESSING OF PERSONAL DATA
- Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data described in Schedule 1, Customer is the entity that independently determines the purposes and means of the Processing of the Personal Data, and acts as a business operator handling personal information under the APPI with regard to the Personal Data discussed in this DPA. ELSA Processes the Personal Data solely on behalf of the Customer, strictly on Customer’s instructions and for the purposes set by Customer.
- Customer’s Processing of Personal Data. Customer, in its use of the Services, and Customer’s instructions to ELSA, shall comply with Data Protection Laws.
- Without limiting the foregoing, Customer shall be solely responsible for complying with Articles 17-18, 20(2), 21-22, 26-31, 32(2), and 33-35 of the APPI with respect to the Processing of Personal Data under this DPA, taking into account the nature of such Processing and ELSA’s role as detailed above in provision 2.1.
- Customer is exclusively responsible for fulfilling any transparency requirements and will provide all necessary notices to relevant Data Subjects, including a description of the Services as appropriate to the age of the Data Subject, and secure all necessary permissions and consents, or other applicable lawful grounds for Processing Personal Data, including Sensitive Data, by ELSA pursuant to this DPA and under Data Protection Laws, and shall indemnify, defend and hold harmless any claim, damages or fine against ELSA arising from any failure to process the Personal Data with legal consent, basis or legitimate business purpose or in violation of any Data Protection Laws.
- If ELSA will use a provider of AI systems with terms that impose age limitations on the use of their services, ELSA will inform Customer in advance of any Processing by said provider – and the parties will work to amend the Agreement appropriately.
- ELSA’s Processing of Personal Data. When Processing Personal Data on Customer’s behalf under the Agreement, ELSA shall Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and this DPA; (ii) Processing for Customer as part of its provision of the Services; (iii) Processing to comply with Customer’s reasonable and documented instructions, where such instructions are consistent with the terms of the Agreement; (v) Processing as required under the laws applicable to ELSA, and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, provided that ELSA shall inform Customer of the legal requirement before Processing, unless such law or order prohibits such information on important grounds of public interest.
- ELSA shall inform Customer without undue delay if, in ELSA’s opinion, an instruction for the Processing of Personal Data given by Customer infringes applicable Data Protection Laws. To the extent that ELSA cannot comply with an instruction from Customer, ELSA (i) shall inform Customer, providing relevant details of the issue, (ii) ELSA may, without liability to Customer, temporarily cease all Processing of the affected Personal Data (other than securely storing such data) and/or suspend Customer’s access to the Services, and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, Customer may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to ELSA all the amounts owed to ELSA or due before the date of termination. Customer will have no further claims against ELSA (including, without limitation, requesting refunds for Services) pursuant to the termination of the Agreement and the DPA as described in this paragraph.
- Details of the Processing. The subject-matter of Processing of Personal Data by ELSA is the performance of the Services pursuant to the Agreement and the purposes set forth in this DPA. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of Processing) to this DPA.
- Sensitive Data. The Parties agree that the Services are not intended for the processing of Sensitive Data, and that Customer shall not include any Sensitive Data in the Personal Data processed under this DPA.
- DATA SUBJECT REQUESTS. Customer is exclusively responsible for responding, reviewing, and fulfilling any request from a Data Subject to exercise their rights under Data Protection Laws concerning the Personal Data Processed under this DPA (“Data Subject Request”). ELSA shall, to the extent legally permitted, notify Customer or refer Data Subjects to Customer, if ELSA receives a Data Subject Request. Taking into account the nature of the Processing, ELSA shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible and reasonable, for the fulfillment of Customer’s obligation to respond to Data Subject Requests under Data Protection Laws.
- CONFIDENTIALITY. ELSA shall ensure that its personnel and advisors engaged in the Processing of Personal Data have committed themselves to confidentiality and appropriate trainings.
- SUB-PROCESSORS
- Appointment of Sub-processors. Customer acknowledges and agrees that (a) ELSA may engage Sub-processors to Process Personal Data on behalf of Customer; (b) ELSA’s Affiliates may be engaged as Sub-processors; and (c) ELSA and ELSA’s Affiliates on behalf of ELSA may each engage third-party Sub-processors in connection with the provision of the Services. A list of Sub-processors currently used by ELSA is provided here (“Sub-Processor List”). The Sub-Processor List as of the date of first use of the Services by Customer is hereby deemed authorized upon first use of the Services.
- Agreements with Sub-processors. ELSA or ELSA’s Affiliate on behalf of ELSA has entered into a written agreement with each Sub-processor containing appropriate safeguards for the protection of Personal Data. Where ELSA engages a Sub-processor for carrying out specific Processing activities on behalf of the Customer, the same or materially similar data protection obligations as set out in this DPA shall be imposed on such new Sub-processor by way of a contract, in particular obligations to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the relevant Data Protection Laws. Where a Sub-processor fails to fulfill its data protection obligations concerning its Processing of Personal Data, ELSA shall remain responsible for the performance of the Sub-processor’s obligations.
- Notification and Objection to New Sub-processors. ELSA may engage with a new Sub-processor (“New Sub-processor”) to Process Personal Data in connection with the provision of the Services. Customer shall subscribe to ELSA’s notifications regarding new Sub-processors using the ELSA Trust Center. After requesting ‘Access’, Customer can sign up for notifications using the bell icon in the top right corner of the Trust Center. ELSA shall give notice of the planned appointment of any new Sub-processor(s). Customer may object to the Processing of Personal Data by the New Sub-processor, for reasonable and explained grounds relating to the protection of Personal Data, by providing a written objection to privacy@elsanow.io within 10 days following notification to Customer of the engagement with the New Sub-processor. If Customer sends ELSA a written objection notice in a timely manner, the parties will make a good-faith effort to resolve Customer’s objection. In the absence of a resolution, ELSA will make commercially reasonable efforts to provide Customer with the same level of Services, without using the New Sub-processor to Process Personal Data.
- SECURITY & AUDITS
- Controls for the Protection of Personal Data. ELSA shall maintain industry-standard technical and organizational measures for protection of Personal Data, including those measures set forth in the Security Documentation.
- Audits and Inspections. Upon Customer’s 14 days prior written request at reasonable intervals (no more than once every 12 months), and subject to strict confidentiality undertakings by Customer, ELSA shall make available to Customer that is not a competitor of ELSA (or Customer’s independent, reputable, third-party auditor that is not a competitor of ELSA and not in conflict with ELSA, subject to their confidentiality and non-compete undertakings) information necessary to demonstrate that Personal Data is Processed in a manner consistent with ELSA’s obligations under this DPA, and allow for and contribute to audits, including inspections, conducted by them (provided, however, that such information, audits, inspections and the results therefrom, including the documents reflecting the outcome of the audit and/or the inspections, shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without ELSA’s prior written approval. Upon ELSA’s first request, Customer shall return all records or documentation in Customer’s possession or control provided by ELSA in the context of the audit and/or the inspection).
- In the event of an audit or inspections as set forth above, Customer shall ensure that it (and each of its mandated auditors) will not cause (or, if it cannot avoid, minimize) any damage, injury or disruption to ELSA’s premises, equipment, personnel and business while conducting such audit or inspection.
- In the event that such audit or inspection uncovers unauthorized Processing of Personal Data, Customer shall have the right to, upon notice, take reasonable and appropriate steps to stop and remediate such unauthorized Processing.
- The audit rights set forth in 6.2 above, shall only apply to the extent that the Agreement does not otherwise provide Customer with audit rights that meet the relevant requirements of Data Protection Laws.
- DATA INCIDENT MANAGEMENT AND NOTIFICATION
ELSA maintains security incident management policies and procedures and shall notify Customer without undue delay after becoming aware of a Personal Data Breach involving Personal Data Processed by ELSA on behalf of the Customer. ELSA shall make reasonable efforts to identify and take those steps as ELSA deems necessary and reasonable in order to remediate and/or mitigate the cause of such breach. Unless required otherwise by any applicable laws, each party shall use reasonable efforts to consult with the other party before publicly communicating or publishing any materials (including press releases, reports or notices) directly mentioning the other party in connection with any Personal Data Breach. In the case of public communication or the publishing of any materials as required by applicable laws, unless prohibited by such laws, the disclosing party shall provide the other party with reasonable prior written notice to allow the opportunity to object to such disclosure and in any case, any disclosure shall be limited to the minimum scope required. For the avoidance of doubt, including but not limited to for the purposes of complying with the APPI, Customer is exclusively responsible for assessing the requirement for and then providing any notifications regarding the Personal Data Breach to Data Subjects and supervisory authorities.
- RETURN AND DELETION OF PERSONAL DATA
Schedule 1 of this DPA shall detail if the Services, or any specific feature of the Services, or any specific data types in the Services are expressly designated by ELSA as subject to zero data retention (“ZDR”), except to the extent strictly necessary to provide the Services in real time, comply with applicable law, maintain security, prevent abuse, or establish, exercise or defend legal claims. To the extent any Personal Data is retained by ELSA in accordance with this DPA (i.e. not subject to ZDR), ELSA shall delete all the Personal Data it Processes solely on behalf of the Customer unless Data Protection Laws require otherwise within 90 days following termination of the Agreement and subject thereto. To the extent authorized or required by applicable law, ELSA may also retain one copy of the Personal Data solely for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or for compliance with legal obligations.
- CROSS-BORDER DATA TRANSFERS
- ELSA shall ensure that Personal Data processed under this DPA is stored in Japan, except as otherwise expressly agreed in writing with Customer or as required by applicable law.
- In the event of any Onward Transfer by ELSA, it shall procure that the Sub-processor to which the Personal Data is transferred provides sufficient guarantees to protect the Personal Data, observes obligations no less onerous than those imposed on ELSA under the original relevant transfer, and adopts the necessary transfer mechanism.
- ELSA represents and warrants that any Personal Data originating from Japan that is transferred to countries outside the EEA and UK shall be subject to privacy, data protection and data security safeguards that are no less onerous than the ones that apply under the APPI.
- AUTHORIZED AFFILIATES
- Contractual Relationship. The Parties acknowledge and agree that, by executing the DPA, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, in which case each Authorized Affiliate agrees to be bound by the Customer’s obligations under this DPA, if and to the extent that ELSA Processes Personal Data on behalf of such Authorized Affiliates as described in provision 2.1 in this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Customer.
- Communication. Customer shall remain responsible for coordinating all communication with ELSA under the Agreement and this DPA, including for Authorized Affiliates, and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
- Data Protection Impact Assessment and Prior Consultation. Upon Customer’s reasonable request, ELSA shall provide Customer, at Customer’s cost, with reasonable cooperation and assistance needed to fulfill Customer’s obligation under Data Protection Laws to carry out a data protection impact assessment or data protection assessment (as applicable) related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information and to the extent such information is available to ELSA. ELSA shall provide, at Customer’s cost, reasonable assistance to Customer in the cooperation or prior consultation with supervisory authorities in the performance of its tasks relating to this Section 11, to the extent required under the applicable Data Protection Laws.
- Governing Law. To the maximum extent permitted by law, this DPA shall be governed by the laws governing the Agreement, except for those provisions of clauses which dictate the application of another law for particular purposes.
- Modifications. Each Party may request in writing variations to this DPA if they are required as a result of any change in, or decision of a competent authority under Data Protection Laws, to allow Processing of Personal Data to be made (or continue to be made) in accordance with the Agreement or this DPA without breach of those Data Protection Laws. The Parties shall make commercially reasonable efforts to accommodate such modification request that the other Party believes is necessary.
SCHEDULE 1 – DETAILS OF THE PROCESSING
Nature and Purpose of Processing
As detailed in clause 2.6 of this DPA.
Duration of Processing
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, ELSA will Process Personal Data pursuant to the DPA and Agreement for the duration of the Agreement, unless agreed otherwise in writing.
Type of Personal Data
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion. The Services are not intended for the processing of Sensitive Data.
Categories of Data Subjects
Anyone the Customer has authorized for use of the Services.
ZDR
Zero Data Retention (“ZDR”) applies to real-time AI inference processing, including spoken input and AI-generated feedback transmitted to and from ELSA’s AI system providers, where ELSA maintains ZDR agreements with such providers.
SCHEDULE 2 – SECURITY MEASURES
ELSA shall implement and maintain current and appropriate technical and organizational measures to protect the Personal Data against accidental, unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, disclosure or access, as set forth below. These measures shall be reviewed and updated as necessary but shall, at a minimum, include the following:
- Provide third-party attestation of static or dynamic application security testing or penetration testing on all software or systems Processing Personal Data, remediate any identified high vulnerabilities, provide written remediation plans for medium and low vulnerabilities.
- Maintain a level of security appropriate to the harm that may result from any unauthorized or unlawful Processing or accidental loss, destruction, damage, denial of service, alteration or disclosure, of Personal Data as appropriate to the nature of the Personal Data Processed;
- Oblige its employees, agents or other persons to whom it provides access to the Personal Data to keep it confidential; take reasonable steps to ensure the integrity of any employees who have access to Personal Data; provide annual training to staff in order to meet the security requirements contained herein;
- Maintain measures designed to ensure the ongoing confidentiality, integrity, availability and resilience of its systems and services;
- Adhere to password policies for standard and privileged accounts consistent with industry best practices;
- Ensure that only those personnel who need to have access to Personal Data are granted access, such access is limited to the least amount required, and only granted for the purposes of performing the services and the obligations under this DPA;
- Maintain a physical security program that is consistent with industry best practices;
- Ensure that any storage media (whether magnetic, optical, non-volatile solid state, paper, or otherwise capable of retaining information) that captures Personal Data, if applicable, is securely erased or destroyed before repurposing or disposal.