Updated: May 10, 2024

This Data Protection Addendum (the “DPA”) is part of Candidly’s Customer Terms of Service and is incorporated therein by this reference. Capitalized terms used but not otherwise defined in this DPA have the meanings set forth in the Customer Terms of Service.


1. Definitions

a. “Data Protection Laws” means all applicable laws, regulations, or other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, or the Processing of Customer Personal Data, including without limitation, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., including its regulations and the amendments made by the California Privacy Rights Act of 2020 (“CCPA”), the Colorado Privacy Act and related regulations (“CPA”), the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (“CPDPA”), the Utah Consumer Privacy Act (“UCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), and the existing or hereinafter enacted commensurable laws and regulations of other U.S. states. The terms “Business,” “Controller,” “Data Subject,” “Processor,” and “Service Provider” have the meanings given to them in Data Protection Laws. For the avoidance of doubt, if Candidly’s Processing activities involving Customer Personal Data are not within the scope of a Data Protection Law, such law is not applicable for purposes of this DPA.

b. “Incident” means any unauthorized or unlawful access to or acquisition, destruction, loss, alteration, or disclosure of Customer Personal Data occurring on Candidly’s systems or otherwise under Candidly’s control.

c. “Personal Data” means data that relates to an identified or identifiable Data Subject. Any Personal Data that Candidly Processes on behalf of Customer under the Agreement will be referred to as “Customer Personal Data” in this DPA.

d. “Process” (including “Processing,” “Processed,” etc.) means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

e. “Purpose” means the provision of Services to Customer, including, without limitation, creating reporting for Customer in connection with the performance of the Services, and the operation of the Platform for Data Subjects, including, without limitation, powering user experiences on the Platform, providing customer support, and performing analytic, auditing, operational, research, risk management, and technical activities to administer, deliver, develop, improve, or maintain the Platform or Services.

f. “Subcontractor” means any third party engaged by Candidly to perform services that include the Processing of Customer Personal Data.

2. Customer Personal Data Processing

a. Scope. Customer may disclose Customer Personal Data to Candidly solely for the Purpose. Candidly will Process Customer Personal Data solely to fulfill its obligations to Customer under the Agreement, including this DPA, and on Customer’s behalf. This DPA applies to Customer Personal Data Processed by Candidly while acting in the capacity of a Service Provider, and Customer acts in the capacity of either a Business or Service Provider in connection with the Purpose. Further details regarding Candidly’s Processing operations, including the purposes for Processing Customer Data, are set forth in Exhibit A. Notwithstanding the foregoing, Candidly is a Business or Controller (i) for Personal Data it obtains when a Customer employee creates a direct relationship with Candidly and (ii) for Personal Data used to administer Customer’s account (such as admin contact information and billing information). Candidly will Process such Personal Data pursuant to its Privacy Statement, and that Processing is not subject to this DPA.

b. Use. Candidly will not (i) “sell,” or “share” for purposes of “cross-contextual behavioral advertising” or “targeted advertising,” Customer Personal Data (as such terms in quotation marks are defined in applicable Data Protection Laws); (ii) retain, use, transmit, or disclose Customer Personal Data other than for the Purpose; (iii) combine Customer Personal Data with Personal Data received from another source, except to the extent permitted by Data Protection Laws; or (iv) otherwise Process Customer Personal Data for any purpose other than the Purpose and specific purposes set forth herein or outside of the direct business relationship with Customer. Candidly will treat Customer Personal Data as Confidential Information and will Process Customer Personal Data on behalf of and only in accordance with Customer’s documented instructions for the Purpose as follows: (1) Processing in accordance with the Agreement and applicable Order Form(s); (2) Processing Customer’s documented reasonable instructions (e.g., emailed directions), consistent with the terms of the Agreement; or (3) as otherwise permitted by Data Protection Laws (for example, to comply with Candidly’s legal obligations).

c. Compliance. Both Candidly and Customer will Process, and instruct Processing of, Customer Personal Data in accordance with the requirements of Data Protection Laws, including, without limitation, any applicable requirement on Customer to provide notice to Data Subjects of the use of Candidly as Processor. Candidly will provide the same level of protection for Customer Personal Data as is required under Data Protection Laws applicable to Customer.

d. Provision. Customer is responsible for the accuracy, quality, and legality of provided Customer Personal Data (it being acknowledged and agreed that Data Subjects will have the ability to update, correct, or manually upload certain Customer Personal Data on the Platform, and that any information provided by Data Subjects belongs to and is the responsibility of the Data Subjects) and the means by which Customer acquired Customer Personal Data. Customer authorizes Candidly to transfer a Data Subject’s Personal Data (e.g., address, phone number, etc.) to subsequent employers upon a Data Subject’s request, provided that the transferred data does not and cannot identify Customer.

e. Data Subject Rights. Candidly will provide reasonable assistance to and cooperate with Customer to respond to and address verifiable Data Subject requests made pursuant to Data Protection Laws. Customer will inform Candidly of relevant Data Subject requests made pursuant to Data Protection Laws and provide any information necessary for Candidly to comply with such request.

f. Consultations. Candidly will provide reasonable assistance to and cooperation with Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Customer Personal Data, and notify Customer of (i) any third-party complaints regarding the Processing of Customer Personal Data; or (ii) any government requests for access to or information about Candidly’s Processing of Customer Personal Data on Customer’s behalf, unless prohibited by Data Protection Laws.

g. Data Protection Impact Assessments. Candidly will provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Customer Personal Data, when required by applicable Data Protection Laws, and at Customer’s reasonable expense.

h. Notice Related to Processing Obligations. Candidly shall notify Customer if it determines that (i) it can no longer meet its obligations under this DPA or applicable Data Protection Laws; or (ii) in its opinion, an instruction from Customer infringes applicable Data Protection Laws.

i. Subcontractors. Customer agrees that Candidly may engage Subcontractors in connection with the provision of Services and, upon written request, may receive from Candidly a list of Subcontractors. Candidly will enter into obligations of confidentiality with each Subcontractor containing data protection obligations not less protective than those in this DPA. Except as expressly set forth in the Agreement, Candidly will be liable for the acts and omissions of each Subcontractor to the same extent as if Candidly directly performed the services of such Subcontractor. Customer may object to any new Subcontractors by providing Candidly with written notice within 14 days of learning of a new Subcontractor, and Candidly will take commercially reasonable measures to avoid using such new Subcontractor to Process Customer Personal Data. If Candidly determines that there is no reasonable measure it can take to avoid the Processing of Customer Personal Data by the new Subcontractor, then it will notify Customer and Customer may accordingly terminate the impacted portions of the Order Form(s) by providing Candidly with written notice within 14 days.

j. Remediation. Customer may direct Candidly, upon written notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer Personal Data and to ensure that Candidly uses Customer Personal Data in a manner consistent with Customer’s obligations under the Data Protection Laws, in accordance with Section 4 herein.

k. Certification of Understanding. Candidly certifies it understands its obligations under this DPA (including without limitation the foregoing restrictions under Section 2) and that it will comply with them.

3. Security

a. Safeguards. As further described on the Security information site, Candidly will maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and security of Customer Personal Data, including, without limitation, measures designed to prevent or counteract an Incident. Candidly may make changes to its safeguards but will not materially decrease its overall security posture for the Services. Candidly will comply with the Incident-related obligations directly applicable to it under Data Protection Laws and will provide reasonable assistance to Customer in Customer’s compliance with its Incident-related obligations. As long as an Incident is not caused by Customer, Candidly will (i) notify Customer without undue delay in the event it becomes aware of a known Incident resulting from Candidly’s Processing of Customer Personal Data on behalf of Customer; and, to the extent known, (ii) make reasonable efforts to identify the cause(s) and the likely consequences of such Incident; and (iii) take all measures reasonably in its control that it deems necessary to remediate such Incident.

b. Certifications. Candidly maintains multiple industry-standard information security certifications, including, without limitation, SOC-1 and SOC-2. Upon written request, Candidly will provide Customer (or Customer’s third-party auditor to the extent that Candidly determines in its sole discretion that a conflict of interest prevents Candidly from directly providing to Customer) with its then-current SOC-1 and SOC-2 audit reports (the “Audit Reports”). These Audit Reports will be treated by Customer as Candidly’s Confidential Information under the Agreement. Customer will accept these Audit Reports as responsive to any request that Customer might have to audit Candidly’s security systems and procedures, unless and to the extent that a regulator or other governmental authority requests from Customer information about Candidly’s security measures that goes beyond the information contained in the Audit Reports or an in-person audit of Candidly’s security systems. In that event, Candidly will cooperate with Customer to timely provide additional information as requested or, at Customer’s expense and during reasonable business hours, facilitate a third-party audit of Candidly’s systems, subject to the third-party auditor entering into written obligations of confidentiality not less protective than those in this DPA.

c. Access Controls. Candidly will maintain access controls designed to limit unauthorized Processing of Customer Personal Data. Candidly will ensure that personnel granted access to Process Customer Personal Data as part of their role responsibilities are under obligations of confidentiality not less protective than those in this DPA and will provide training to employees Processing Customer Personal Data on the topics of privacy and data security.

4. Return or Destruction of Customer Personal Data

Except to the extent required otherwise by Data Protection Laws, upon termination or expiration of the Agreement and at Customer’s written request, Candidly will return or delete all Customer Personal Data in its possession or control as soon as reasonably practicable. Except to the extent prohibited by Data Protection Laws, Candidly will inform Customer if it is not able to return or delete the Customer Personal Data.

5. Agreement

To the maximum extent permitted under Applicable Law, all terms of the Customer Terms of Service, including, without limitation, all indemnities, disclaimers of warranties, limitations of liability, and other agreements linked or referenced in the Customer Terms of Service, apply to this DPA (collectively, the “Agreement”). In the event of any conflict between the Customer Terms of Service, any Order Form, and this DPA, then this DPA controls.

6. Severability

If any provision in this DPA is held to be invalid or unenforceable, then the other provisions of this DPA shall remain unaffected and in full force and effect and the offending portion of such provisions shall be replaced by a valid, enforceable provision that matches, as closely as possible, the original provision.

7. Survival

The terms of this DPA will survive any expiration or termination of the Agreement for so long as Candidly or its Subcontractors continue to Process Customer Personal Data.

Exhibit A

The nature and purpose of the Processing of Customer Personal Data
Candidly will Process Customer Personal Data as necessary to provide the services under the Customer Terms of Service, specifically, provision of student debt and other financial services solutions for Customer’s employees or other constituents.

The types of Customer Personal Data to be Processed and whether this includes sensitive data
Customer’s admins: names, contact and other professional information; Platform users: names, contact information, financial information, identification numbers and other employee census data, benefits and other data associated with employment (including demographic and professional information). Customer Personal Data may include sensitive data regarding racial or ethnic origin.

The categories of Data Subject (natural persons) to whom the Customer Personal Data relates
Customer employees and/or other constituents, which may include contractors, personnel, and employees’ dependents or family members.

Duration of the Processing of Customer Personal Data
Customer Personal Data shall be Processed for the length of time necessary to provide the services under the Customer Terms of Service, or as otherwise required by applicable law.

The obligations and rights of Customer
The obligations and rights of Customer are set out in the Customer Terms of Service and this Addendum.