Data Processing Addendum

This data processing addendum (the “DPA”) is incorporated into and supplements the User Agreement between you (“you” or “your”) and Collective Brains, Inc. (“Collective Brains,” “us,” “we,” or “our”) when Applicable Data Protection Laws apply to the Processing of your Personal Data. Capitalized terms that are used but not defined in this DPA will have the meanings given to them in the User Agreement or the Applicable Data Protection Laws. This DPA includes any appendices attached to it and the Standard Contractual Clauses (where applicable, and as defined in this DPA).

In the event of a conflict between the terms of the User Agreement and this DPA, the terms of this DPA shall control. In the event of a conflict between the terms of this DPA and the EU Standard Contractual Clauses and/or the UK SCC Addendum (if applicable), the terms of the EU Standard Contractual Clauses and/or the UK SCC Addendum (if applicable) shall control.

Collective Brains may update the terms of this DPA from time to time, at its sole discretion, provided Collective Brains gives you advance notice of the update. Any additional amendments, changes, or alterations of this Agreement will be made in writing and duly signed by both Parties in order to become valid and effective.

  1. Definitions.
    • “Applicable Data Protection Laws” means all data protection laws and regulations applicable to the processing of Personal Data, including without limitation, the EU Data Protection Law.
    • “Applicable Law” means the laws, rules, regulations, court orders, and other binding requirements of a relevant government authority that apply to or govern a party, including Applicable Data Protection Laws.
    • “Approved Subprocessors” means those Subprocessors identified on Exhibit 1, which includes the identities of Subprocessors, their country of location, and their anticipated Processing tasks and as otherwise approved pursuant to the terms of this DPA.
    • “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq.
    • “Controller” has the meaning(s) given in the Applicable Data Protection Laws for the company that determines the purpose and extent of Processing Personal Data.
    • “EEA” means the European Economic Area, with member states of the European Union, Norway, Iceland, and Liechtenstein.
    • “EU Data Protection Law” means all data protection laws and regulations applicable to the European Union, the European Economic Area, Switzerland, and the United Kingdom, including (i) the GDPR, (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national legislation implementing the GDPR and Directive 2002/58/EC; and (iv) with respect to the UK, any applicable national legislation that replaces the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union.
    • “GDPR” means General Data Protection Regulation, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as implemented by local law in the relevant EEA member nation.
    • “Personal Data” has the meaning(s) given in the Applicable Data Protection Laws for personal information, personal data, or other similar term.
    • “Platform” has that meaning given to it in the User Agreement.
    • “Processor” has the meaning(s) given in the Applicable Data Protection Laws for the company that Processes Personal Data on behalf of the Controller.
    • “Process,” “Processed,” “Processes” or “Processing” have the meaning(s) given in the Applicable Data Protection Laws for any use of, or performance of a computer operation on, Personal Data, including by automatic methods.
    • “Report” means audit reports prepared by an independent third party on behalf of Collective Brains according to the standards defined in the Security Policy.
    • “Security Policy” has that meaning given to it in Section 7.1.
    • “Security Incident” means, as applicable, a (i) breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Personal Data transmitted, stored, or otherwise processed or (ii) a Personal Data Breach, as defined in Article 4 of the GDPR.
    • “Sensitive Data” means (i) social security number, passport number, driver’s license number, or similar identifier (or portion thereof); (ii) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (iii) employment, financial, genetic, biometric, or health information; (iv) racial, ethnic, political, or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (v) account passwords; or (vi) other information that falls within the definition of “special categories of data” under Applicable Data Protection Laws.
    • “SCCs” or “Standard Contractual Clauses” means the Controller-to-Processor Clauses and Controller-to-Controller Clauses approved by the European Commission in Implementing Decision 2021/914 of 4 June 2021, as may be amended from time to time by the European Commission.
    • “Subprocessor” means any entity engaged by Collective Brains to provide processing services as part of Collective Brains’ processing of Personal Data.
    • “UK” means the United Kingdom.
    • “UK GDPR” means European Union Regulation 2016/679 as implemented by section 3 of the United Kingdom’s European Union (Withdrawal) Act of 2018 in the United Kingdom.
    • “UK Addendum” means the international data transfer addendum to the EEA SCCs issued by the Information Commissioner for Parties making Restricted Transfers under S119A(1) Data Protection Act 2018.

The terms “personal data” and “data subject” have the meanings given to them under the Applicable Data Protection Laws or, if not defined thereunder, the GDPR.

  2. Roles and Relationships.
    • Controller. For purposes of this DPA, you are the Controller of the Personal Data Processed by Collective Brains acting on your behalf with respect to your Personal Data. You are responsible for complying with your obligations as a Controller under Applicable Data Protection Laws governing your provision of Personal Data to Collective Brains in order to provide the Platform, including without limitation obtaining any consents, providing any notices, or otherwise establishing the required legal basis. Unless specified in the User Agreement, you will not provide Collective Brains with access to any Personal Data that imposes specific data protection requirements greater than those agreed to in the Agreement and this DPA, and you will limit Collective Brains’ access to Personal Data to only that necessary to perform its obligations under the Agreement.
    • Processor. Collective Brains is the Processor and service provider with respect to your Personal Data, except when You act as a Processor of Personal Data, in which case Collective Brains is the Subprocessor. Collective Brains is responsible for complying with its obligations under Applicable Data Protection Laws that apply to Collective Brains’ Processing of Personal Data under the Agreement.
    • CCPA. To the extent the CCPA applies, the Parties acknowledge and agree that Collective Brains is a service provider and is receiving Personal Data from you to provide the Platform as agreed in the Agreement, which constitutes a business purpose. Collective Brains will not sell any Personal Data provided by you under the Agreement.
  3. Your Obligations.
    • Compliance with Applicable Laws. You will (a) comply with all applicable laws, including but not limited to Applicable Data Protection Laws, (b) ensure that you have and will continue to have the right to transfer or provide access to your Personal Data for processing in accordance with the Agreement, and (c) be solely responsible for the accuracy, quality, and legality of your Personal Data and the means by which you acquired your Personal Data.
    • Your Instructions. You appoint Collective Brains to process your Personal Data on your behalf in accordance with your documented instructions (a) as such are set forth in the Agreement; (b) as necessary to comply with applicable law; and (c) as otherwise agreed by the parties in writing. The parties agree that the User Agreement and this DPA constitute your documented instructions to Collective Brains regarding the processing of your Personal Data, and any processing outside the scope of these instructions shall require prior written agreement between the parties. You will ensure your documented instructions relating to Collective Brains’ processing of your Personal Data will not cause Collective Brains to violate any applicable laws.
    • Sensitive Data Prohibition. You acknowledge that the Platform is not intended for Processing Sensitive Data and agree you will not provide (or cause to be provided) any Sensitive Data to Collective Brains for Processing. Collective Brains will have no liability whatsoever for Sensitive Data, whether in connection with a Personal Data Breach or otherwise. The protections and obligations related to Personal Data under this DPA do not apply to Sensitive Data. If you upload or transfer any Sensitive Data to the Platform, you will immediately delete such information. If you are an entity, you will communicate this prohibition to your users as appropriate and applicable.
  4. Collective Brains’ Obligations.
    • Purpose. Collective Brains and any persons acting under its authority under this DPA, including Subprocessors, will Process Personal Data only for the purposes of marketing the provision of and providing the Platform, and will do so solely in accordance with your written instructions as set forth in Section 3.
    • Notification. Collective Brains will notify you if we become aware of or reasonably believe that a documented instruction from you does not comply with Applicable Data Protection Laws.
    • Confidentiality. Collective Brains will ensure its employees, authorized agents, and Approved Subprocessors that process your Personal Data have agreed to comply with confidentiality obligations to protect your Personal Data and other data provided by you. Notwithstanding the foregoing, Collective Brains may aggregate your information, including Personal Data, as part of the Platform in order to provide, secure, and enhance Collective Brains’ products and Platform, provided such aggregate information shall not disclose its source.
    • Assistance. Collective Brains will, taking into account the nature of the processing and the information available to Collective Brains, provide reasonable assistance to you to enable you to comply with your obligations under Applicable Data Protection Laws.
    • Deletion on Termination. Upon termination or expiration of the Agreement, Collective Brains will delete all your Personal Data in its possession or control, except to the extent Collective Brains is required to retain some or all of your Personal Data to comply with its legal obligations or to the extent your Personal Data is archived on Collective Brains’ backup systems, which Personal Data Collective Brains will protect from any further processing and eventually delete in accordance with Collective Brains’ data retention policies, except to the extent required by applicable law.
  5. Subprocessors.
    • General Authorization. Collective Brains may use, and you hereby provide a general authorization for Collective Brains to use, Subprocessors as necessary to perform its obligations under the Agreement, including Processing your Personal Data, provided that Collective Brains will only use Subprocessors that (a) have a legitimate business need to Process your Personal Data in order for Collective Brains to fulfill its obligations, and (b) are bound in writing to ensure the Subprocessor only accesses and uses your Personal Data (i) to the extent required to perform the obligations subcontracted to it, and (ii) consistent with the terms of the Agreement.
    • Approval of Subprocessors. Collective Brains will not provide, transfer, or hand over any of your Personal Data to a Subprocessor unless you have approved the Subprocessor. Approved Subprocessors are identified in Exhibit 1. Collective Brains will inform you at least 10 business days before authorizing any new Subprocessor to access Personal Data. Collective Brains will give you sufficient information to allow you to exercise your right to object to the new Subprocessor, and you will have 30 days after notice of such change to the Approved Subprocessors to object. If you do not object within such 30-day period, you will be deemed to have accepted the new Subprocessor.

If you object to the new Subprocessor within the 30-day period, you and Collective Brains will cooperate in good faith to resolve your objection. You understand and accept that your objection may result in Collective Brains being unable to fulfill our obligations under the Agreement to the extent such obligations are related to the relevant Subprocessor, and such inability to fulfill our obligations shall not be deemed a breach of this DPA; provided, however, in the event such inability substantially impairs your ability to use the Platform, you may terminate your account and the Agreement without liability.

    • Under GDPR. If the GDPR applies to the Processing of your Personal Data, (i) the data protection obligations described in this DPA (as referred to in Article 28(3) of the GDPR, if applicable) are also imposed on the Subprocessor, and (ii) Collective Brains’ agreement with the Subprocessor will incorporate these obligations, including details about how Collective Brains and its Subprocessor will coordinate to respond to inquiries or requests about the Processing of your Personal Data. In addition, Collective Brains will share, at your request, a copy of its agreements (including any amendments) with its Subprocessors. To the extent necessary to protect business secrets or other confidential information, including personal data, Collective Brains may redact the text of its agreement with its Subprocessor prior to sharing a copy.
    • Liability. Collective Brains remains responsible for any Processing of your Personal Information, including acts or omissions of any Subprocessors. Collective Brains will promptly notify you of any failure by its Subprocessors to fulfill a material obligation under the agreement between Collective Brains and its Subprocessor with respect to your Personal Data.
  6. Restricted Transfers
    • Authorization. You agree Collective Brains may transfer your Personal Data outside the EEA, the United Kingdom, or other relevant geographic territory as necessary to provide the Service. If Collective Brains transfers your Personal Data to a territory for which the European Commission or other relevant supervisory authority has not issued an adequacy decision, Collective Brains will implement appropriate safeguards for the transfer of your Personal Data to that territory consistent with Applicable Data Protection Laws.
    • Ex-EEA Transfers. You and Collective Brains agree that if the GDPR protects the transfer of your Personal Data, the transfer is from you from within the EEA to Collective Brains outside of the EEA, and the transfer is not governed by an adequacy decision made by the European Commission, then by entering into this DPA, you and Collective Brains are deemed to have signed the EEA SCCs and their Annexes, which are incorporated by reference. Any such transfer is made pursuant to the EEA SCCs, which are completed as follows:
      1. Module Two (Controller to Processor) of the EEA SCCs applies when you are a Controller and Collective Brains is Processing your Personal Data for you as a Processor.
      2. Module Three (Processor to Sub-Processor) of the EEA SCCs applies when you are a Processor and Collective Brains is Processing your Personal Data on your behalf as a Subprocessor.
      3. For each module, the following applies (when applicable):
        1. The optional docking clause in Clause 7 does not apply;
        2. In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of Subprocessor changes is 10 business days;
        3. In Clause 11, the optional language does not apply;
        4. All square brackets in Clause 13 are removed;
        5. In Clause 17 (Option 1), the EEA SCCs will be governed by the laws of the Governing Member State;
        6. In Clause 18(b), disputes will be resolved in the courts of the Governing Member State;
        7. The Governing Member State will be The Netherlands; and
        8. The information required in Annex I, Annex II, and Annex III of the EEA SCCs is provided in Exhibit 2.
    • Ex-UK Transfers. User and Collective Brains agree that if the UK GDPR protects the transfer of User Personal Data, the transfer is from User from within the United Kingdom to Collective Brains outside of the United Kingdom, and the transfer is not governed by an adequacy decision made by the United Kingdom Secretary of State, then by entering into this DPA, User and Collective Brains are deemed to have signed the UK Addendum and its Annexes, which are incorporated by reference. The law governing UK transfers under this Section 6.3 shall be the Laws of England and Wales. Any such transfer is made pursuant to the UK Addendum, which is completed as follows:
      1. Section 2.2 of this DPA contains the information required in Table 2 of the UK Addendum.
      2. Table 4 of the UK Addendum is modified as follows: Neither party may end the UK Addendum as set out in Section 19 of the UK Addendum; to the extent the ICO issues a revised Approved Addendum under Section 18 of the UK Addendum, the Parties will work in good faith to revise this DPA accordingly.
      3. The Cover Page contains the information required by Annex 1A, Annex 1B, Annex II, and Annex III of the UK Addendum.
    • Other International Transfers. For Personal Data transfers where Swiss law (and not the law in any EEA member state or the United Kingdom) applies to the international nature of the transfer, references to the GDPR in Clause 4 of the EEA SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority will include the Swiss Federal Data Protection and Information Commissioner.
  7. Security
    • Security Policy. Collective Brains will use commercially reasonable efforts to secure the Platform from unauthorized access, alteration, or use and other unlawful tampering (the foregoing, the “Security Policy”).
    • Incident Response. Upon becoming aware of any Security Incident, Collective Brains will: (a) notify you without undue delay when feasible, but no later than 72 hours after becoming aware of a Security Incident; (b) provide timely information about the Security Incident as it becomes known or as is reasonably requested by you; and (c) promptly take reasonable steps to contain and investigate the Security Incident. Collective Brains’ notification of or response to a Security Incident as required by this DPA will not be construed as Collective Brains’ acknowledgment of any fault or liability for the Security Incident.
  8. Audit & Reports
    • Audit Rights. Collective Brains will give you all information reasonably requested to demonstrate compliance with this DPA and Collective Brains will allow for and contribute to audits, including inspections by you, to assess Collective Brains’ compliance with this DPA. Requests for such information can be made to communications@collectivebrains.com. However, Collective Brains may restrict access to data or information if your access to the information would negatively impact Collective Brains’ intellectual property rights, confidentiality obligations, or other obligations under Applicable Law. You acknowledge and agree that you will only exercise your audit rights under this DPA and any audit rights granted by Applicable Data Protection Laws by instructing Collective Brains to comply with the reporting and due diligence requirements below. Collective Brains will maintain records of its compliance with this DPA for 3 years after the DPA ends.
    • Security Reports. Upon written request, Collective Brains will give you, on a confidential basis, a summary copy of its most current Report, if available, so that you can verify Collective Brains’ compliance with the standards defined in the Security Policy.
    • Security Due Diligence. In addition to the Report, Collective Brains will respond to reasonable requests for information made by you to confirm Collective Brains’ compliance with this DPA, including responses to information security, due diligence, and audit questionnaires, or by giving additional information about its information security program. All such requests must be in writing and made to communications@collectivebrains.com and may only be made once a year.
  9. Coordination & Cooperation
    • Response to Inquiries. If Collective Brains receives any inquiry or request from anyone else about the Processing of your Personal Data, then unless prohibited by Applicable Law, Collective Brains will notify you about the request and will not respond to the request without your prior consent. If allowed by Applicable Law, Collective Brains will follow your reasonable instructions about these requests, including providing status updates and other information reasonably requested by you. If a data subject makes a valid request under Applicable Data Protection Laws to delete, or to opt out of, your provision of their Personal Data to Collective Brains, Collective Brains will assist you in fulfilling the request according to the Applicable Data Protection Law. Collective Brains will cooperate with and provide reasonable assistance to you, at your expense, in any legal response or other procedural action taken by you in response to a third-party request about Collective Brains’ Processing of your Personal Data under this DPA.
    • Assessments. If required by Applicable Data Protection Laws, Collective Brains will reasonably assist you in conducting any mandated data protection impact assessments or data transfer impact assessments and consultations with relevant data protection authorities, taking into consideration the nature of the Processing and your Personal Data.
  10. Deletion of Your Personal Data
    • Deletion at DPA Expiration.
      1. After the DPA expires, Collective Brains will return or delete, or provide you with the means to return or delete, your Personal Data at your instruction unless further storage of your Personal Data is required or authorized by Applicable Law. If return or destruction is impracticable or prohibited by Applicable Laws, Collective Brains will make reasonable efforts to prevent additional Processing of your Personal Data and will continue to protect your Personal Data remaining in its possession, custody, or control.
      2. If the parties have entered the EEA SCCs or the UK Addendum as part of this DPA, Collective Brains will only give you certification of deletion of Personal Data described in Clause 8.1(d) and Clause 8.5 of the EEA SCCs if you ask for certification.
  11. Limitation of Liability
    • Liability Caps and Damages Waiver. To the maximum extent permitted under Applicable Data Protection Laws, each party’s total cumulative liability to the other party arising out of or related to this DPA will be subject to the waivers, exclusions, and limitations of liability stated in the User Agreement.
    • Related-Party Claims. Any claims made against you or your affiliates arising out of or related to this DPA may be brought only by the entity that is a party to the User Agreement.
    • Exceptions. This DPA does not limit any liability to an individual about the individual’s data protection rights under Applicable Data Protection Laws. In addition, this DPA does not limit any liability between the parties for violations of the EEA SCCs or UK Addendum.
  12. Conflicts Between Documents

This DPA forms part of and supplements the User Agreement. If there is any inconsistency between this DPA, the Agreement, or any of their parts, the order of precedence shall be as follows: (1) the EEA SCCs or the UK Addendum, (2) this DPA, (3) the User Agreement.

  13. Term of DPA

This DPA will become effective when the User Agreement becomes effective and will continue until the User Agreement expires or is terminated. However, the parties will each remain subject to the obligations in this DPA and Applicable Data Protection Laws until you stop transferring your Personal Data to Collective Brains and Collective Brains stops Processing your Personal Data.

Exhibit A

Approved Subprocessors

| Name                                       | Country of Location | Processing Task                                               |
|--------------------------------------------|---------------------|---------------------------------------------------------------|
| Thinkific, Inc.                            | United States       | Platform infrastructure                                       |
| The Rocket Science Group LLC dba Mailchimp | United States       | Email communications                                          |
| Wallwisher, Inc. DBA Padlet                | United States       | Online noticeboard                                            |
| Typeform                                   | United States       | Surveys, questionnaires                                       |
| Individual Mentors                         | Global              | Provide mentoring services via the Collective Brains Platform |