Data Processing Agreement

Last Modified: 4/14/25

This Shiny Gems Data Processing Agreement (“DPA”) supplements the Shiny Gems Terms of Service, made available at https://shinygems.com/terms-of-service (the “Terms”), and is a part of the Agreement between the entity named as the “Customer” in the Sales Order, on behalf of itself and, for purposes of this DPA, as agent for its Affiliates (“Customer” or “you”), and Newfruit Media, LLC d/b/a Shiny Gems (“Shiny Gems”). This DPA governs the processing by Shiny Gems of Personal Data and, where applicable, Student Data of Customer’s Users when such data is provided or accessed through the Services (collectively, “Restricted Data”). Terms which are not defined herein have the meanings set forth in the Sales Order or the Terms, as applicable. To the extent the terms in this DPA conflict with the Terms, this DPA will govern. 

This DPA consists of two parts - the main body of the DPA and the Schedules. The Schedules apply as described in each Schedule. To the extent the terms in Schedule 3 conflict with the other terms of this DPA, the terms of Schedule 3 shall apply and take precedence with respect to the treatment of Student Data only.

• Schedule 1 – Defined Terms
• Schedule 2 – Data Processing Schedule
• Schedule 3 – U.S. K-12 Addendum

1. Term and Termination. This DPA is effective on the Order Effective Date and shall remain in effect until the Agreement is terminated, or until Shiny Gems deletes all Personal Data and Student Data of Customer’s End Users.

2. Processing of Personal Data.

a. Shiny Gems as Processor for Restricted Data.   In order to provide the Services, Shiny Gems shall process Restricted Data as identified by Shiny Gems in Schedule 2 – Data Processing Schedule. Shiny Gems may amend the Data Processing Schedule in accordance with the Agreement and this DPA. Shiny Gems may delete data elements from the Data Processing Schedule when they are no longer used. Shiny Gems must add data elements to the Dat Processing Schedule when a material change has occurred, regardless of whether the added data elements are used to improve the Services or to deliver additional Services. The parties agree that with regard to the Processing of Restricted Data, Customer is the Controller and Shiny Gems is the Processor. The objective of Processing of Restricted Data by Shiny Gems as Processor is the performance of the Services pursuant to the Agreement. Shiny Gems shall only Process Restricted Data on behalf of and in accordance with the Agreement and Customer’s written instructions unless required to do so by Law to which Shiny Gems is subject; in such case Shiny Gems shall inform the Customer of that legal requirement before processing, unless that law prohibits such notification. Shiny Gems shall comply with applicable Privacy Laws. As between Shiny Gems and Customer, Customer retains all ownership of Restricted Data. Shiny Gems acknowledges and agrees that all copies of Restricted Data Processed by Shiny Gems, including any modifications or additions to any portion thereof from any source, are also subject to the provisions of this DPA in the same manner as the original Restricted Data.

b. Customer Instructions.  Customer instructs Shiny Gems to Process Restricted Data for the following purposes: (a) Processing in accordance with the Agreement and applicable Privacy Laws; and (b) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement and applicable Privacy Laws. Shiny Gems shall promptly notify Customer in the event Shiny Gems determines that it cannot comply with any Customer instructions because Shiny Gems believes such instructions violate applicable Privacy Laws. If Shiny Gems determines that it can no longer comply with applicable Privacy Laws, Shiny Gems will promptly notify Customer.

c. Consents for the Processing of Restricted Data.  Customer represents and warrants that it has the authority to provide Restricted Data to Shiny Gems, and for Shiny Gems to Process Student Data as set forth in this DPA and the Agreement, for the purpose of providing the Services. Customer represents, warrants, and covenants that it has complied with all applicable Privacy Laws (which, with respect to Customer, may include the Federal Family Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. § 1232(g), the Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. 6501-6502; and the Protection of Pupil Rights Amendment (“PPRA”), 20 U.S.C. 1232), including without limitation providing all notices and disclosures and obtaining all consents and rights necessary under applicable Privacy Laws for Shiny Gems to Process any Restricted Data in its’s provision of the Services. Without limiting the generality of the foregoing, and to the extent applicable to the Services provided under the Agreement, Customer represents and warrants that it has provided appropriate disclosures to, and received appropriate consents from, parents or guardians of students. In the event Customer determines that the foregoing representation, warranty and covenant is untrue with respect to any Restricted Data, Customer will promptly notify Company. 

d. No Sale.  Shiny Gems shall not Sell, or share for targeted advertising purposes, Restricted Data except as expressly instructed by Customer. Shiny Gems shall not combine Restricted Data with other Personal Data or Student Data except as permitted under applicable Privacy Laws. Shiny Gems shall not collect, retain, use, or otherwise disclose Restricted Data outside of the direct business relationship with Customer, and shall only Process Restricted Data for limited and specified purposes consistent with this DPA and the Agreement.

e. Customer Obligations.  Customer shall, in its use or receipt of the Services, Process Restricted Data in accordance with applicable Privacy Laws and Customer will ensure that its instructions for the Processing of Restricted Data comply with applicable Privacy Laws. Customer shall employ administrative, physical, and technical safeguards designed to protect  Customer shall have sole responsibility for the means by which Customer obtained the Restricted Data and for fulfilling all requirements under applicable Privacy Laws necessary to make the Restricted Data available to Shiny Gems for Processing as provided herein and under the Agreement. Customer shall notify Shiny Gems promptly of any known unauthorized access to the Services. Customer will assist Shiny Gems in any efforts by Shiny Gems to investigate and respond to any unauthorized access to the Services.

3. Assistance to Customer and Data Subject Rights.

a. Data Subject Requests. Shiny Gems shall to the extent legally permitted, promptly notify Customer if it receives a Data Subject Request. Shiny Gens shall not respond to any Data Subject Request relating to Restricted Data without Customer’s prior written consent except to confirm that the request relates to Customer or as otherwise required by applicable Privacy Laws. Shiny Gems shall provide Customer with commercially reasonable assistance in handling a Data Subject Request, to the extent (a) legally permitted, and (b) Customer does not have access to such Restricted Data through its use or receipt of the Services, taking into account the nature of the Processing of Restricted Data and the information available to Shiny Gems.

b. Cooperation. Shiny Gems shall, upon written notice, use reasonable efforts to permit Customer to take reasonable and appropriate steps to (i) stop and remediate unauthorized processing of Restricted Data upon notice of same, and (ii) ensure that Shiny Gems Processes Restricted Data in a manner consistent with Customer’s obligations under applicable Privacy Laws.

4. Shiny Gems Personnel.  Shiny Gems shall use commercially reasonable efforts to ensure that its employees engaged in the Processing of Restricted Data are subject to either contractual or statutory obligations of confidentiality, and that access to Restricted Data is limited to those employees who require such access to perform the Services. Shiny Gems shall ensure that its personnel engaged in the Processing of Restricted Data are informed of the confidential nature of the Restricted Data and have received appropriate training on their responsibilities. As required by applicable Privacy Laws, Shiny Gems shall ensure that its employees have gone through appropriate back-ground checks prior to accessing Restricted Data. Shiny Gems shall take commercially reasonably steps to ensure the reliability of any Shiny Gems personnel engaged in the Processing of Restricted Data.

5. Sub-processors.

a. Transfer of Restricted Data. Except as permitted in this DPA or the Agreement, Shiny Gems shall not transfer or otherwise make available Restricted Data to any third-party without Customer's prior written authorization.

b. Use of Sub-processors Authorized. Customer gives its general authorization to Shiny Gems to use Sub-processors (including Affiliates of Shiny Gems) in connection with the provision of the Services provided that; (a) Shiny Gems shall ensure that obligations not materially less protective than those set out in this DPA are imposed on its Sub-processors; (b) Shiny Gems shall be liable for any act or omission of its Sub-processors that, if made by Shiny Gems, would be a breach or violation of this DPA or the Agreement; and (c) Shiny Gems shall provide the list of its Sub-processors either upon request, or by giving a link to a website where the information about the Sub-processors is kept up-to-date. Without limiting the generality of the foregoing, each Sub-processor agreement must provide that the Sub-processor will not Sell Student Data and that the Sub-processor agreement shall not be materially modified by the Sub-processor unless notice is provided to Shiny Gems.

6. Data Location.Customer acknowledges and agrees that Shiny Gems may Process Restricted Data in various data centers around the world, including in the U.S., and that Restricted Data may not be Processed only within the country in which it was collected. Please see the Data Processing Schedule for a list of all countries outside the U.S. in which Restricted Data may be Processed.

7. Security; Audits.

a. Security.  Shiny Gems shall maintain appropriate administrative, technical and organizational measures designed to protect the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Restricted Data), confidentiality, and integrity of Restricted Data as set forth in the Shiny Gems security documentation. Shiny Gems regularly monitors compliance with these measures. Shiny Gems will not materially decrease the overall security of the Services during the term of the Agreement.

b. Security Audits. Shiny Gems will conduct a security audit or assessment no less than once per year, and upon a Data Breach. Upon 10 days’ notice and execution of confidentiality agreement, Shiny Gems will provide Customer with a copy of the audit report, subject to reasonable and appropriate redaction.

8. Restrictions on Receipt of Information.  Nothing under this DPA shall require Shiny Gems to disclose (a) any data or information of any other customer of Shiny Gems, or any third party not directly involved in the provision of the Services; (b) any confidential accounting or financial information; (c) any trade secret of Shiny Gems; or (d) any information that, in Shiny Gems’ reasonable opinion could (i) compromise the security of Shiny Gems’ networks, systems, or premises, (ii) cause Shiny Gems to breach its security or privacy obligations to any third party, or (iii) any information sought for any reason other than the reasons outlined in this DPA. Shiny Gems may require Customer’s agreement to reasonable terms and conditions prior to providing audit reports under this DPA.

9. Security Breach Management and Notification.  In the event of a Security Breach, Shiny Gems shall; (a) notify Customer of the Security Breach without undue delay after becoming aware of the Security Breach (within seventy-two (72) hours if such Security Breach involves Student Data) and such notification shall include at least the information required by the applicable Privacy Laws; (b) investigate the Security Breach and provide Customer with information about the Security Breach; (c) take commercially reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Breach, and to allow Customer to take reasonable and appropriate steps to do the same to the extent such steps are within Customer’s control; and (d) comply with Shiny Gems’ responsibilities under all Laws applicable to Shiny Gems with respect to Security Breaches involving Student Data. Shiny Gems shall reasonably cooperate with Customer and with any third parties designated by Customer to respond to the Security Breach. Shiny Gems shall implement and maintain a security incident response plan that is consistent with generally accepted industry standards in Shiny Gems’ industry and all applicable Laws. Shiny Gems shall make an executive summary of such plan available to Customer upon Customer’s written request. If a Security Breach triggers any third party notice requirements under applicable Laws, Customer, as the owner of the Restricted Data, will be responsible for the timing, content, cost and method of any such notice and compliance with such Laws.

10. De-Identified Data:  De-Identified Data may be used by the Shiny Gems for those purposes allowed under applicable Privacy Law and the following purposes: (a) assisting the Customer or governmental agencies in conducting research and other studies; and (b) research and development of Shiny Gems’ educational sites, services, or applications, and to demonstrate or improve the effectiveness of the Services; and (c) for adaptive learning purposes and for customized student learning. Shiny Gems’ use of De-Identified Data shall survive termination of this DPA or any request by Customer to return or destroy Restricted Data. Shiny Gems agrees (i) not to attempt to re-identify De-Identified Data, and (ii) not to transfer De-Identified Data to any party unless that party agrees in writing not to attempt re-identification.

11. Government Access Requests.  If Shiny Gems receives a legally binding request to access Restricted Data from a public authority, Shiny Gems shall, unless otherwise legally prohibited, promptly notify Customer including a summary of the nature of the request. Shiny Gems agrees to provide the minimum amount of information permissible when responding to a public authority request for disclosure based on a reasonable interpretation of the request. Unless prohibited by Law, Shiny Gems shall promptly notify Customer if Shiny Gems becomes aware of any direct access by a public authority to Restricted Data. This DPA shall not require Shiny Gems to pursue action or inaction that could result in civil or criminal penalty for Shiny Gems, such as contempt of court. Shiny Gems shall reasonably cooperate with Customer to the extent necessary for Customer to respond to a judicial order or lawfully issued subpoena to disclose Student Data. 

12. Severance.  If any provision of this DPA is determined to be invalid or unenforceable, then such provision(s) shall be construed, as nearly as possible, to reflect the intentions of the invalid or unenforceable provision(s), with all other provisions remaining in full force and effect.

13. Legal Effect.  This DPA shall only become legally binding between the Customer and Shiny Gems when both parties have executed a Sales Order.

14. Limitation of Liability.  To the extent permitted by applicable Privacy Laws, Customer’s remedies with respect to any breach by Shiny Gems or its Affiliates of the terms of this DPA or Privacy Laws will be subject to any aggregate limitation of liability that applies to Shiny Gems and/or Customer under the Agreement.

Schedule 1

Defined Terms

1. “Affiliate” means any entity that controls, is controlled by, or is in common control with a party.

2. “Change of Control” means a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data and Student Data held by us about our Users is among the assets transferred. 

3. “Controller” means the entity which determines the purposes and means of the Processing of Restricted Data.

4. “Data Subject” means an individual whose Personal Data is being processed by Shiny Gems under the Agreement.

5. “Data Subject Request” means a request from or behalf of a Data Subject to exercise the Data Subject’s rights under applicable Privacy Laws.

6. “De-Identified Data” means data and information where all Personal Data has been removed or obscured, such that the remaining information does not reasonably identify a specific individual, including any information that, alone or in combination, is linkable to a specific Data Subject.

7. “Processing” means any operation or set of operations which is performed upon Restricted Data, whether or not by automatic means, including collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, blocking, erasure or destruction. “Process,” “Processes,” and “Processed” shall have correlative meanings.

8. “Processor” means the entity which Processes Restricted Data on behalf of a Controller.

9. “Security Breach” means a confirmed breach of security that has resulted in the unauthorized disclosure, alteration, irrecoverable loss, or irrecoverable destruction of, or access to, Restricted Data Processed by Shiny Gems.

10. “Sell,” “Selling,” “Sale,” and “Sold” shall have the meaning given such terms under the applicable Privacy Laws.

11. “Targeted Advertising” means presenting an advertisement to a Participant User where the selection of the advertisement is based on Student Data or inferred over time from behavioral data collected about such Participant User, but Targeted Advertising does not include advertisements based upon a current visit to the Site that occurs without the collection and retention of data about the User’s online activities over time.

Schedule 2

Data Processing Schedule

This Data Processing Schedule identifies the data elements that are Processed by the Services. It is divided into those data elements that are required and those data elements that are optional.

The data elements that are required for Processing by the Services are:

· IP Address of User

· Use of cookies and other tracking technologies (as set forth in the Shiny Gems Privacy Policy)

· Meta data regarding User interaction with Services

· Online communications captured (such as email)

· Specific curriculum assigned to the Participant User

· Progress through the curriculum

· Organization that has purchased the Subscription used by the Participant User

· Student name (first and last), address, and email

· Parent/Guardian name (first and last), address, email, and phone number

· Teacher name(s)

· Shiny Gems’ assigned User ID number, username, and password

· Participant User grade level and age

The data elements that are optional for Processing by the Services are:

· Responses to prompts in lessons and quizzes, notes, survey responses, goals, and free-text fields

Schedule 3

U.S. K-12 Addendum

This Schedule 3 applies to Customers that are classified as U.S. based LEAs, and supplements the DPA to which it is attached.

1. Purpose and Scope. The purpose of this Schedule 3 is to describe the duties and responsibilities to protect Student Data transmitted to Shiny Gems from Customer pursuant to the Agreement, including, to the extent applicable, compliance with the Federal Family Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. § 1232(g), the Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. 6501-6502; the Protection of Pupil Rights Amendment (“PPRA”), 20 U.S.C. 1232, and other applicable Privacy Laws. In performing the Services, Shiny Gems shall be considered a School Official with a legitimate educational interest, and performing Services otherwise provided by the LEA. With respect to its Processing of Student Data, Shiny Gems shall be under the direct control and supervision of the LEA as set forth in this Schedule, the DPA, and the Agreement.

2. Student Data. Customer authorizes Shiny Gems to collect, use, process and share Student Data for the purposes provided under this Addendum. Shiny Gems shall access and process Student Data for the purposes of providing an outsourced institutional function pursuant to FERPA 34 CFR Part 99.31(a)(1). We rely on each school to obtain and provide appropriate consent and disclosures, if necessary, for Shiny Gems to collect any Student Data, including the collection of Student Data directly from students under 13, as permitted under COPPA.

3. Parent, Legal Guardian, and Student Access. 

a. The LEA shall establish reasonable procedures by which a parent, legal guardian, or eligible student (as defined in FERPA) may review Student Data and request deletion or modification, and request delivery of a copy of the Student Dat. In support of this, Shiny Gems shall establish reasonable procedures by which the LEA may access and correct, if necessary, Education Records and/or Student Data, and make a copy of the data available to the LEA or (at the LEA’s direction) to the parent, legal guardian or eligible student directly. If the LEA is not able to review or update Student Data itself through the Services, Shiny Gems shall respond in a reasonably timely manner to the LEA’s request for Student Data held by Shiny Gems.

b. In the event that a parent or legal guardian of a student or eligible student contacts Shiny Gems to correct, delete, review or request delivery of a copy of any Student Data processed by Shiny Gems, Shiny Gems shall refer that person to the LEA, who will follow the necessary and proper procedures regarding the requested information. Except as provided in Section 11 of the DPA, in the event that any person other than a parent, legal guardian, eligible student, or Institution User contacts Shiny Gems about any Student Data, Shiny Gems shall refer that person to the LEA.

c. This DPA does not restrict Provider from providing a mechanism for Participant Users to download, export, or otherwise save or maintain their own Customer-Provided Data or User Generated Content or from providing a mechanism for a Guardian User or LEA to download, export, or otherwise save or maintain such Customer Data. Once Customer-Provided Data or User Generated Content has been downloaded, exported, or otherwise transferred to the control of a User or LEA, the copy of such Customer Data that is in control of such person is no longer considered Student Data subject to this DPA.

4. Annual Notification of Rights. If the LEA has a policy of disclosing Education Records and/or Student Data under FERPA, LEA shall include a specification of criteria for determining who constitutes a School Official and what constitutes a legitimate educational interest in its annual notification of rights.

5. Confidentiality. Shiny Gems agrees to treat Student Data as confidential and not to Sell it or share it with third parties other than as described in the Agreement. The foregoing restrictions shall not apply to:

a. Student Data where disclosure is directed or permitted by the LEA of this DPA;

b. Any sale or transfer to a buyer or other successor-in-interest in a Change of Control;

c. Student Data disclosed pursuant to a judicial order or lawfully issued subpoena or warrant; provided that Shiny Gems shall notify the LEA in advance of a compelled disclosure, unless such notification is prohibited by the request;

d. Student Data disclosed to Sub-processors performing services to Shiny Gems in support of the Services;

e. Any disclosure or sharing of Student Data necessary to protect the safety of Users or others, if and only if, an LEA employee who has specifically been authorized to declare a health or safety emergency has done so and all requirements under 34 CFR §§ 99.31(a)(10) and 99.36 have been fulfilled by the LEA.

f. Any disclosure or sharing of Student Data necessary to protect the integrity or security of the Services, where such disclosure is made to a Sub-processor engaged by Shiny Gems for the specific purpose of investigating a potential Security Breach.

6. Restrictions on Use of Student Data. Shiny Gems may Process Student Data solely for performing the Services, as instructed by the LEA, or as expressly authorized by the LEA or the applicable Guardian User. For clarity and without limitation, Institution Users of Customer who access the Services pursuant to the Agreement shall not be “third parties” for the purpose of this Section. Shiny Gems shall not use Student Data to engage in targeted advertising.

7. De-Identified Data. Except for Sub-processors, Shiny Gems agrees not to transfer De-Identified Data derived from Student Data to any third party unless the transfer is expressly directed or permitted by the LEA or this DPA. Such Sub-processors must be subject to equivalent terms of the DPA, including this one. Prior to publishing any document that names LEA as a source of any De-Identified Data derived from Student Data, Shiny Gems shall obtain the LEA’s written approval of the manner in which such De-identified Data is presented. If Shiny Gems chooses to create De-Identified Data from Student Data, it must comply with either NIST de-identification standards or US Department of Education guidance on de-identification.

8. Shiny Gems Employee Obligations. Shiny Gems shall require all of its employees who have access to Student Data to comply with all applicable provisions of the DPA with respect to the Student Data. Shiny Gems agrees to require and maintain an appropriate confidentiality agreement from each employee with access to Student Data.

9. Security Breach Notification Requirements. With respect to any Security Breach involving Student Data, unless otherwise prohibited by Law or law enforcement authorities, the notice provided by Shiny Gems to the LEA shall include, at a minimum, the following information to the extent known by Shiny Gems and as it becomes available:

a. The name and contact information of Shiny Gems;

b. The date of the notice;

c. The date of the Security Breach, which may be an estimated date or date range;

d. Whether the notification was delayed as a result of any investigation by a governmental authority;

e. A general description of the nature of the Security Breach;

f. A description of the Student Data that was affected by the Security Breach; and

g. Identification of the impacted individuals.

10. Disposition of Data.

a. Upon written request from the LEA, Shiny Gems shall dispose of or provide a mechanism for the LEA to transfer Student Data within 60 days of the date of said request and according to a schedule and procedure as the parties may reasonably agree. If Shiny Gems has a standard retention and destruction schedule, that schedule shall apply to Student Data as long as this DPA is active. Shiny Gems’ practice relating to retention and disposition of Student Data shall be provided to the LEA upon request.

b. At the termination of this DPA, Shiny Gems shall, unless otherwise directed by the LEA, dispose of, or delete, Student Data in the possession or control of Shiny Gems within sixty (60) days of termination (unless otherwise required by Law). If the Agreement has lapsed or is not terminated, Shiny Gems shall dispose of, or delete, Student Data when directed or permitted by the LEA, according to Shiny Gems’ standard destruction schedule, or as otherwise required by Law. The foregoing shall not apply to De-Identified Data.

11. Advertising Limits. Shiny Gems shall not Process Student Data for purposes of Targeted Advertising or to develop a profile of any End User (except for purposes of providing the Services). This Schedule does not prohibit Shiny Gems from using Student Data (a) for adaptive learning or customized student learning, (b) to make product recommendations to Users, so long as such recommendation are not Targeted Advertising and only for Users where Shiny Gems is not relying on the LEA to provide consent on behalf of a parent/guardian under COPPA, or (c) to notify Users about new education product updates, features, or Services, so long as such notification are not considered Targeted Advertising. Notwithstanding the foregoing, before providing any product recommendations under clause (b) above, Shiny Gems must notify the LEA in writing of such recommendations so that the LEA can fulfill any obligations under applicable Law.

12. Governmental Audits. At the direction of the LEA, Shiny Gems shall cooperate with any state or federal government-initiated audit of the LEA’s use of the Services.

13. Updates to Data Processing Schedule. Shiny Gems must notify the LEA, in accordance with the notification provisions of the Agreement, of the existence and contents of any updated Data Processing Schedule. The LEA will have thirty (30) days from the receipt of such notice to object to the amendments. If no written objection is received, the amendment will become incorporated into the DPA between the parties.