Data Processing Addendum

This Data Processing Addendum (“DPA”) is incorporated into, and is subject to the terms and conditions of, the Agreement between Focuslabs LLC (together with its Affiliates, “Focuslabs”) and the customer entity that is a party to the Agreement as a user of our services (“Customer”).

All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. For the avoidance of doubt, all references to the “Agreement” shall include this DPA (including the SCCs (where applicable), as defined herein).

1. Definitions

"Additional Data Protection Laws" means US Data Protection Laws; the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA"); the Brazilian General Data Protection Law (“LGPD”), Federal Law no. 13,709/2018; and the Privacy Act 1988 (Cth) of Australia, as amended ("Australian Privacy Law").

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with Focuslabs.

“Agreement” means Focuslabs’ Terms of Use or other written or electronic agreement that governs the provision of the Service to the Customer, as may be updated from time to time.

“Control” means ownership or control, directly or indirectly, of more than 50% of the voting interests of the subject entity.

“Customer Data” means any personal data that Focuslabs processes on behalf of Customer through the Service, including but not limited to data from users of Focuslabs mobile learning apps or the Focus Posts platform.

"Data Privacy Framework" refers to the EU-U.S. Data Privacy Framework, Swiss-U.S. Data Privacy Framework, and UK Extension, as maintained by the U.S. Department of Commerce.

“Data Protection Laws” means all applicable data protection laws and regulations including, where applicable, European Data Protection Laws and Additional Non-European Data Protection Laws.

“European Data Protection Laws” includes:

- GDPR (EU Regulation 2016/679),
- ePrivacy Directive (2002/58/EC),
- UK Data Protection Act 2018 and UK GDPR,
- Swiss Federal Data Protection Act (1992 and its successor).

“Europe” means the EEA, UK, and Switzerland.

“Focuslabs Group” means Focuslabs LLC and its Affiliates.

“SCCs” refers to the standard contractual clauses adopted by the European Commission in its Implementing Decision (EU) 2021/91.

“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data processed by Focuslabs.

“Sensitive Data” includes data such as social security numbers, full payment card data, health records, racial or ethnic origin, political opinions, religious beliefs, or other special categories of data as defined under applicable laws.

“Service” means the suite of services offered by Focuslabs including mobile learning applications and the Focus Posts SaaS platform, as described in the Agreement.

“Sub-processor” means any third party engaged by Focuslabs or its Affiliates to assist in processing Customer Data on behalf of the Customer.

"UK Addendum" refers to the UK’s International Data Transfer Addendum to the SCCs.

“US Data Protection Laws” includes relevant U.S. federal, state, and local laws such as the California Consumer Privacy Act (CCPA) and its amendments.

Terms like “personal data,” “controller,” “processor,” “data subject,” and “processing” shall have the meanings defined under applicable Data Protection Laws.

2. Roles and Responsibilities

2.1 Parties’ Roles
For the purposes described in this DPA, the parties agree that with respect to Customer Data, Focuslabs acts as a Processor on behalf of the Customer, who may act either as a Controller or a Processor on behalf of a third-party Controller. This DPA does not apply where Focuslabs is the Controller of Customer Data unless explicitly stated in a jurisdiction-specific addendum or annex.

2.2 Purpose Limitation
Focuslabs shall only process Customer Data as described in Annex A (Details of Processing), and strictly in accordance with the Customer’s documented lawful instructions, as necessary for the provision of the Service, compliance with legal obligations, or as otherwise agreed in writing (the “Permitted Purposes”). The Agreement, this DPA, and Customer’s configuration of the Services together constitute the Customer’s complete and final instructions to Focuslabs regarding the processing of Customer Data.

2.3 Prohibited Data
Customer agrees not to provide any Sensitive Data (as defined above) to Focuslabs. Focuslabs disclaims all liability for processing Sensitive Data, including in connection with any Security Incident.

2.4 Customer Compliance
Customer represents and warrants that:

- It has complied, and will continue to comply, with all applicable Data Protection Laws in collecting and transferring Customer Data to Focuslabs.
- It has obtained all necessary consents, rights, and notices for Focuslabs to process Customer Data for the Permitted Purposes.
- It is solely responsible for the accuracy, legality, and integrity of Customer Data and how it was collected.

2.5 Lawfulness of Instructions
Customer will ensure that its instructions for the processing of Customer Data do not violate any applicable law. Focuslabs will inform the Customer if it becomes aware that an instruction may conflict with Data Protection Laws, unless prohibited from doing so. If Customer is acting as a Processor, it warrants that its instructions and Sub-processor authorizations are approved by the applicable Controller.

3. Sub-processing

3.1 Authorized Sub-processors
Customer authorizes Focuslabs and its Affiliates to engage Sub-processors to help fulfill its obligations under this DPA and the Agreement. A list of current Sub-processors (e.g., Firebase, OpenAI, Stripe) is maintained by Focuslabs and will be made available upon request.

Focuslabs will notify the Customer of any new Sub-processor at least 10 days in advance of engaging them, provided the Customer has opted into such notifications.

3.2 Sub-processor Obligations
Focuslabs will ensure that:

- Each Sub-processor is bound by a written agreement with data protection terms no less protective than those in this DPA.
- Focuslabs remains responsible for each Sub-processor’s compliance with its obligations and any acts or omissions that cause a breach.

Customer acknowledges that Focuslabs may not be able to disclose the full content of Sub-processor contracts due to confidentiality but will provide summaries or essential information upon request.

4. Security

4.1 Security Measures
Focuslabs will implement and maintain appropriate technical and organizational measures to protect Customer Data from unauthorized access, disclosure, alteration, or destruction. These are further detailed in Annex B (Security Measures).

4.2 Confidentiality of Processing
Focuslabs ensures that all personnel authorized to process Customer Data are bound by confidentiality obligations—either contractual or statutory—and trained in relevant data protection practices.

4.3 Updates to Security Measures
Focuslabs may update its security practices from time to time to reflect evolving best practices, but will not reduce the overall level of protection for Customer Data during the term of the Agreement.

4.4 Security Incident Response
Upon discovering a Security Incident, Focuslabs will:

- Notify Customer without undue delay.
- Provide reasonable cooperation and information to support Customer’s investigation.
- Take appropriate steps to mitigate and remediate the issue under its control.

Notification will be sent to the contact listed in the Agreement. It is the Customer’s responsibility to maintain accurate contact information.

4.5 Customer Responsibilities
Customer is responsible for securing its login credentials, protecting Customer Data during transmission to and from the Service, and backing up any Customer Data stored outside the platform (where applicable).

5. Security Reports and Audits

5.1 Audit Rights
Focuslabs will provide documentation and other evidence necessary to demonstrate compliance with this DPA. Customer agrees that it will exercise any audit rights through the measures outlined in Sections 5.2 and 5.3.

5.2 Security Reports
Focuslabs undergoes internal and third-party security assessments. Upon written request, Focuslabs will share summaries of its most recent audits or certifications (such as SOC 2 or ISO 27001), subject to a non-disclosure agreement.

5.3 Security Due Diligence
In addition to reports, Focuslabs will reasonably respond to written requests for information about its security practices, not more than once annually, unless required by law or in response to a verified security breach.

6. International Transfers

6.1 Data Center Locations
Customer acknowledges that Focuslabs may transfer and process Customer Data in the United States or other jurisdictions where Focuslabs, its Affiliates, or authorized Sub-processors maintain operations. Focuslabs will ensure that such transfers comply with applicable Data Protection Laws and this DPA.

6.2 Australian Data
Where Focuslabs receives Customer Data protected under the Australian Privacy Law, such data may be transferred outside Australia as permitted by law. Focuslabs agrees to comply with applicable provisions of the Australian Privacy Law and this DPA.

6.3 European Data Transfers
Where Focuslabs processes Customer Data protected by European Data Protection Laws in a jurisdiction not recognized as adequate, the following terms apply:
(a) Data Privacy Framework: Focuslabs may rely on self-certification to the EU-U.S. Data Privacy Framework (DPF) where applicable, ensuring alignment with DPF Principles.
(b) Standard Contractual Clauses (SCCs): If DPF does not apply or becomes invalid, the 2021 SCCs (Controller-to-Processor or Processor-to-Processor, as applicable) will automatically apply and be incorporated into this DPA.
(c) UK Transfers: Where UK Data Protection Laws apply, the UK Addendum shall supplement the SCCs and be deemed executed by both parties.
(d) Swiss Transfers: Where the Swiss Federal Data Protection Act applies, the SCCs will be adjusted accordingly.

6.4 Compliance with SCCs
If Focuslabs cannot comply with its SCC obligations, it will promptly notify Customer. Customer may pause transfers or terminate affected services only after providing reasonable time for Focuslabs to resolve the issue.

6.5 Alternative Transfer Mechanisms
If Focuslabs adopts a new lawful mechanism for international data transfer, that mechanism will apply instead of the SCCs, provided it meets the requirements of applicable European Data Protection Laws.

7. Return or Deletion of Data

Upon termination of the Agreement, Focuslabs shall provide Customer with tools to either delete or export all Customer Data. Any retained data (e.g., backups or logs) will be securely isolated and eventually deleted in accordance with Focuslabs’ data retention policies, except where legally required to retain it.

Certification of deletion will be provided upon Customer’s written request.

8. Data Subject Rights and Cooperation

8.1 Data Subject Requests
Focuslabs provides self-service features to allow Customers to manage personal data. Focuslabs will assist, to the extent reasonably possible, in handling data subject requests and will redirect data subjects to the Customer unless legally required to respond.

8.2 Data Protection Impact Assessments
Focuslabs will provide information to assist the Customer with impact assessments or regulatory consultations when required under law. Additional assistance may be billed if it exceeds standard obligations.

9. Jurisdiction-Specific Terms

Where Customer Data is subject to specific data laws based on region, the applicable Annex C terms shall govern. In case of conflict between Annex C and this DPA, Annex C prevails only for data originating in the relevant jurisdiction.

10. Limitation of Liability

10.1 Aggregate Liability
Each party’s liability under this DPA and the SCCs is subject to the limitations set forth in the Agreement.

10.2 Claims
Only the Customer (not its Affiliates or end users) may bring claims against Focuslabs under this DPA.

10.3 Data Protection Rights
No party may limit its liability with respect to any data subject’s personal data rights under this DPA.

11. Relationship with the Agreement

This DPA remains effective as long as Focuslabs processes Customer Data or until the Agreement terminates. It replaces any prior data processing terms. In case of conflict: SCCs > DPA > Agreement. This DPA follows the governing law set forth in the Agreement unless otherwise required by applicable law.

Annex A – Details of Data Processing
(a) Categories of Data Subjects:
- Learners and app users of Focuslabs mobile learning apps.
- Business users of the Focus Posts platform.
- End users whose data is shared or managed through social media scheduling, analytics, or other features.

(b) Categories of Personal Data:
Learning apps: Name, email, phone, device data, quiz results, study planner.
Focus Posts: Social usernames, post data, team members, billing info.

(c) Sensitive Data:
Not intentionally collected.

(d) Frequency of Processing:
Continuous.

(e) Subject Matter:
Hosting, analytics, scheduling, reporting.

(f) Purpose:
To deliver Services and comply with applicable laws.

(g) Duration:
As long as necessary per Section 7.

Annex B – Security Measures
- Access Controls, MFA, limited admin privileges
- TLS & AES-256 encryption
- Firewalls, DDoS protection, secure endpoints
- Real-time monitoring, alerts
- Staff training & NDA enforcement
- Daily encrypted backups and geo-redundancy
- Third-party pen-testing and regular audits

Annex C – Jurisdiction-Specific Terms
Europe: Sub-processor objections allowed; access request notifications required unless prohibited.

California: No sale/share of data; data used only for agreed purposes; compliance with CCPA/CPRA.

Canada: Sub-processors bound to PIPEDA-compliant terms. Data transfers made with protections.