Emerging Educational Consulting Data Processing Agreement (DPA)
Effective Date: July 25, 2025
Controller:
Emerging Educational Consulting
826 N Marion St, Denver, CO 80218
Email: info@emergingconsulting.com
Each a “Party” and collectively, the “Parties”.
This Agreement forms part of any underlying service or vendor agreement (“Principal Agreement”) between the Parties and governs the Processor’s handling of personal data on behalf of the Controller.
1. Definitions
Controller:
The natural or legal person, public authority, agency, or other body which alone or jointly determines the purposes and means of the processing of personal data. For the purposes of this Agreement, Emerging Educational Consulting is the Controller.
Processor:
A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Controller. This includes vendors, service providers, contractors, or partners engaged under a Principal Agreement with Emerging Educational Consulting to carry out specific processing activities.
2. Purpose and Scope
1.1 This Agreement outlines the roles and responsibilities of each Party with respect to the processing of personal data in accordance with:
- The General Data Protection Regulation (GDPR) (EU)
- The California Consumer Privacy Act (CCPA/CPRA)
- The Colorado Privacy Act (CPA)
- Applicable U.S. state and federal data protection laws
1.2 Emerging Educational Consulting (“Controller”) determines the purposes and means of processing personal data. The Processor will process personal data only in accordance with this Agreement and documented instructions from the Controller.
3. Nature of Processing
- Subject Matter: Processing personal data for educational advisory, digital communication, CRM integration, or administrative support
- Purpose: To support delivery of educational consulting services and related activities
- Types of Personal Data: Name, email, phone number, educational interests, usage logs, browser/device information
- Data Subjects: Students, parents/guardians, institutional clients, website visitors
- Duration: For the duration of the Principal Agreement and any legally required retention period
4. Processor Obligations
The Processor agrees to:
3.1 Process personal data only on documented instructions from the Controller unless otherwise required by law.
3.2 Ensure all personnel with access to the data are bound by confidentiality agreements.
3.3 Implement and maintain appropriate technical and organizational security measures in accordance with Article 32 of the GDPR and equivalent U.S. standards.
3.4 Assist the Controller in fulfilling its obligations regarding data subject rights, security, breach notification, and impact assessments.
3.5 Notify the Controller promptly (and within 72 hours if under GDPR) of any actual or suspected personal data breach.
3.6 Provide reasonable cooperation during audits or inspections initiated by the Controller, and make available documentation necessary to demonstrate compliance with this Agreement and applicable laws.
5. Subprocessors
4.1 The Processor may engage subprocessors to perform specific services. A current list of subprocessors must be provided to the Controller upon request.
4.2 The Processor shall ensure all subprocessors are contractually bound to equivalent data protection obligations.
4.3 The Controller retains the right to object to the use of any new subprocessor that presents a material risk to personal data privacy or security.
6. International Data Transfers
5.1 Personal data shall not be transferred outside the United States or European Economic Area (EEA) without:
- Adequate safeguards (e.g., Standard Contractual Clauses, adequacy decisions), or
- Prior written authorization from the Controller
7. Rights of Data Subjects
The Processor must:
- Promptly forward any request received from a data subject (e.g., access, correction, deletion) to the Controller
- Not respond directly unless specifically instructed by the Controller
- Assist the Controller in fulfilling such requests when applicable
8. Data Deletion and Return
Upon termination of services, the Processor shall:
- Return or securely delete all personal data at the Controller’s request, unless retention is required by law
- Confirm in writing that all data has been deleted or returned
9. Compliance and Liability
Each Party shall be responsible for its own acts or omissions under applicable data protection laws. The Processor shall be liable for damages caused by its failure to comply with this Agreement or relevant laws.
10. No Separate Signature Required
This DPA is deemed accepted and binding upon:
- The Processor’s continued processing of personal data on behalf of Emerging Educational Consulting
- Execution or continuation of any service agreement, SOW, or Principal Agreement referencing Emerging’s data policies or services shall constitute the Processor’s acceptance of this Data Processing Agreement and its binding effect.
This DPA remains in effect for the duration of the Principal Agreement or for as long as the Processor processes personal data for Emerging.
11. Contact and Questions
For questions about this DPA or data protection practices, contact:
Emerging Educational Consulting
Email: info@emergingconsulting.com
Website: www.emergingconsulting.com
If required by applicable law, Emerging Educational Consulting may designate a Data Protection Officer (DPO) or representative to manage compliance. Please contact info@emergingconsulting.com for data privacy inquiries.
