
Data Processing Addendum

Last Updated November 3, 2025

1. Introduction and Background

1.1   This Personal Data Processing Agreement (“DPA”) is an integral part of the Service Agreement (“Service Agreement”) entered into between Learning Agents Inc., a Canadian corporation (“Service Provider”), the provider of the CanCred Factory service, which is a service issuing and managing digital credentials (“Service”) and its customer (“Customer”) concerning the Service. Customer refers in this DPA to the entity that has entered into the agreement on the provision of the CanCred Factory service. This DPA is an essential and inseparable part of the Agreement. In this DPA, the Customer and the Service Provider are referred to together as “Parties” and individually as a “Party”.

1.2   In this data processing agreement (“DPA”), the Service Provider acts as a processor on behalf of the Customer who acts as a controller. The Service Provider processes Personal Data as a processor on behalf of the Customer when it is providing the services.

The purpose of this DPA is to agree on the privacy and data protection of the Personal Data of the Customer and/or its employees, agents, subcontractors and customers processed by the Service Provider as part of the Service on behalf of the Customer pursuant to or in connection with the Service Agreement (“Customer Personal Data”). The Service Provider is committed to complying with the European Union’s (“EU”) General Data Protection Regulation (“GDPR”) and this DPA incorporates into the Service Agreement the relevant provisions of the GDPR.

1.3   The processing of Personal Data is described in more detail in SCHEDULE 1: DESCRIPTION AND DETAILS OF THE PERSONAL DATA PROCESSING which is included in this DPA.

1.4   In the event of any discrepancy between the content of the body of this DPA or any of the Schedules of the DPA, the Agreement or Data Protection Legislation, the following order of precedence shall be applied:

  1. Data Protection Legislation
  2. The Schedules to this DPA; the priority between the Schedules shall be determined in the numerical order, so that a schedule with a smaller number shall prevail over a schedule with a larger number
  3. This DPA
  4. The Agreement


2. Contact details

The Service Provider’s entity is:
Learning Agents Inc.

The Service Provider’s address is:
500 – 167 Lombard Avenue, Winnipeg, Manitoba R3B 0V3 CANADA

All reports and notifications to the Service Provider under this DPA shall be made by email to the email address:
info(at)learningagents.ca.


3. Definitions

3.1   In accordance with the GDPR, the terms below are defined as follows:

“Controller” means the Customer, who determines the purposes and means/methods of the Processing of the Customer Personal Data.

“Data Protection Legislation” means all applicable laws relating to protection of personal data, including without limitation the GDPR and any amendments thereto, and any other applicable EU or national privacy and data protection laws and regulations and any amendments thereto.

“Data Subject” means a natural person whose Personal Data is processed by the Service Provider under the Agreement and this DPA.

“Description and Details of the Personal Data Processing” means a Schedule to this DPA describing the Personal Data Processing taking place under this DPA.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and any amendments thereto.

“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”), and which the Service Provider is processing under the Agreement or otherwise, and of which the Customer is a data controller. In this regard, processing means any operation, or set of operations, performed by the Service Provider on Personal Data, by any means, such as collecting, organizing, storing, amending, retrieving, using, disclosing, transmitting, combining, blocking, erasing or destroying Personal Data.

“Personal Data Breach” means a breach of security leading to destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, which is adverse to this DPA or Data Protection Legislation or otherwise unlawful.

“Processor” means the Service Provider, who processes the Customer Personal Data on behalf of the Customer based on and for the purposes of fulfilling its obligations under the Service Agreement, this DPA and the documented instructions of the Customer.

“Processing” means any operation or set of operations which is performed on the Customer Personal Data or sets of Customer Personal Data whether or not by automated means, such as data collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The words “process” and “processed” will have the same meaning as “processing”.

“Subprocessor” means a processor acting on behalf of the Service Provider.


4. Rights and Obligations of the Customer

4.1   The Customer shall process Personal Data in compliance with Data Protection Legislation and good data processing practice.

4.2   This DPA automatically becomes effective between the Parties when the Customer accepts the public Terms of use of the Service and creates an account. This standard DPA applies to all license levels (Basic, Premium, Pro). The Customer may request an exception to execute a separately signed version of this DPA for an additional cost. If the Parties execute a separately signed DPA, that signed version shall supersede this automatic DPA. Any written instructions provided by the Customer to the Supplier are to be included in the separate DPA and the Schedules thereto. Any new or amended documented instructions from the Customer after the separate DPA is signed require a written agreement between the Parties. The Supplier is entitled to charge for additional costs for complying with new or amended documented instructions from the Customer and for other unexpected costs and expenses arising from tasks not included in the initial instructions from the Customer.

4.3   In addition, the Customer undertakes to:

  • 4.3.1   ensure that there is a legal ground for processing the Personal Data covered by this DPA, and that necessary data processing agreements in accordance with Data Protection Legislation are in force;

  • 4.3.2   ensure that the Data Subjects, as required by the Data Protection Legislation, have received sufficient information regarding the processing, including information that the Service Provider may process the Personal Data on behalf of the Customer;

  • 4.3.3   immediately after it is brought to the Customer's attention, inform the Service Provider of any erroneous, rectified, updated or deleted Personal Data subject to the Service Provider's processing; and

  • 4.3.4   in a timely manner, provide the Service Provider with lawful and documented instructions regarding the Service Provider's processing of Personal Data.


5. Responsibilities of the Service Provider

5.1 General principles applicable to the processing of Personal Data

The Service Provider shall:

  • 5.1.1   process Personal Data in compliance with this DPA, Data Protection Legislation and good data processing practice;

  • 5.1.2   process Personal Data on documented instructions from the Customer, unless prescribed otherwise by a provision of Data Protection Legislation applicable to the Service Provider. In such case, the Service Provider shall inform the Customer of such requirement in reasonable time before beginning the processing of Personal Data in accordance with the instructions, unless informing of such requirement is prohibited in Data Protection Legislation. In case the Service Provider considers that instructions of the Customer are in breach of Data Protection Legislation, the Service Provider shall inform the Customer without undue delay;

  • 5.1.3   ensure that the persons in service of the Service Provider with access to Personal Data have committed themselves to appropriate confidentiality undertakings;

  • 5.1.4   carry out the measures prescribed in Section 5.2 (Data security) of this DPA;

  • 5.1.5   follow the conditions concerning the use of Subprocessors as prescribed in Section 8 (Subprocessors) of this DPA;

  • 5.1.6   taking into account the information available to the Service Provider, provide assistance to the Customer in responding to requests for exercising the rights of Data Subjects where the Customer does not have the needed information. The Service Provider is entitled to charge the Customer for costs and expenses that are incurred as a result of complying with this Section 5.1.6;

  • 5.1.7   taking into account the information available to the Service Provider, provide assistance to the Customer in ensuring compliance with its obligations set out in Data Protection Legislation, relating to data security, Personal Data Breaches (as further defined in Section 6 of this DPA), data protection impact assessments, and prior consulting obligations. The Service Provider is entitled to charge the Customer for costs and expenses that were incurred as a result of complying with this Section 5.1.7;

  • 5.1.8   at the choice of the Customer, delete or return Personal Data to the Customer as prescribed in Section 11.2 of this DPA;

  • 5.1.9   make available to the Customer all information necessary to demonstrate compliance with obligations set out in this DPA and in Data Protection Legislation. The Customer is obliged to keep all such information confidential. The Service Provider is entitled to charge the Customer for costs and expenses that were incurred as a result of complying with this Section 5.1.9;

  • 5.1.10   allow the Customer to perform audits as prescribed in Section 9 (Auditing) of this DPA.

5.2   Data security
The Service Provider shall implement technical and organisational measures to ensure an appropriate level of security to protect Personal Data against unauthorised access and loss, destruction, damage, alteration or disclosure, or against other unlawful processing. Technical and organizational measures shall be documented in SCHEDULE 3: LIST OF TECHNICAL AND ORGANISATIONAL MEASURES.


6. Personal Data Breach Notification

6.1   The Service Provider shall notify the Customer of all Personal Data Breaches without undue delay after the Service Provider has become aware of the suspected Personal Data Breach.

The Personal Data Breach notification shall contain the following:

  1. description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of data records concerned;
  2. name and contact details of the contact person of the Service Provider handling the Personal Data Breach;
  3. description of likely consequences and/or realised consequences of the Personal Data Breach; and
  4. description of the measures the Service Provider has taken to address the Personal Data Breach and to mitigate its adverse effects.

6.2   If it is not possible to provide the information listed at the same time, the information may be provided in phases.

6.3   The Service Provider shall document Personal Data Breaches and disclose the documentation to the Customer upon the Customer’s request.

6.4   After the Service Provider has become aware of the Personal Data Breach, the Service Provider shall ensure security of Personal Data and take appropriate measures to ensure protection of Personal Data in cooperation with the Customer.


7. Transfers of Personal Data

7.1   The Service Provider shall not transfer Personal Data outside Canada unless the Customer has given its prior written permission for the transfer to take place and this permission is documented in writing. If a prior written consent has been acquired, the Service Provider shall ensure that an appropriate transfer mechanism is in place before the international transfer takes place.


8. Subprocessors

8.1   The Service Provider is entitled to use Subprocessors in the processing of Personal Data when the Customer has approved such Subprocessors. On the date the Customer enters into the Agreement and accepts the terms and conditions of this DPA, the Customer simultaneously agrees to the use of Subprocessors.

8.2   The Service Provider is entitled to reduce the number of Subprocessors without separate notice.

8.3   The Service Provider shall notify the Customer about an addition of a Subprocessor processing Personal Data under this DPA at least one (1) month before the Subprocessor begins processing Personal Data. If the Customer denying the use of the new Subprocessor results in any additional costs or expenses for the Service Provider, e.g. if the engagement of another Subprocessor than the one initially proposed by the Service Provider would result in additional or increased costs or expenses by the Service Provider, the Service Provider shall be compensated by the Customer for such additional and/or increased costs and expenses. If the Service Provider and the Customer are not able to agree on engagement of another Subprocessor, the Service Provider has the right to terminate the Agreement, with a fourteen (14) days’ notice period from the denial, as a whole and/or with respect to services the Service Provider deems cannot be reasonably delivered under the Agreement due to the Customer denying the proposed Subprocessor.

8.4   The Service Provider shall ensure that Subprocessors comply with obligations corresponding to those specified in this DPA, including security and confidentiality requirements. The Service Provider remains liable for its Subprocessors and the work of its Subprocessors as for its own.


9. Auditing

9.1   The Customer or a third party (not a competitor of the Service Provider) appointed by the Customer shall have the right to audit the Service Provider’s compliance with obligations set out in this DPA and Data Protection Legislation in order to ensure that the Service Provider has fulfilled the obligations set out in this DPA.

9.2   The Customer shall bear the costs and expenses incurred by the Service Provider and the Customer in connection with the audit. The Customer shall bear fees and expenses of the third party and is responsible for all costs associated with the audit.

9.3   The Customer must notify the Service Provider of the audit at least thirty (30) business days in advance. The Service Provider shall assist the Customer and the third party during normal business hours in conducting the audit with reasonable measures. The audit shall be carried out as quickly as possible and it shall not disturb the Service Provider’s normal business operations. The auditor shall comply with the Service Provider’s work rules, security requirements and standards when conducting site visits. Before commencing any audit, the Customer or the independent auditor (including relevant parties/persons conducting the audit) shall enter into the non-disclosure agreement(s) provided by or approved by the Service Provider.

9.4   If the audit reveals shortcomings, the Service Provider shall correct such shortcomings without delay or at the latest within thirty (30) days of a written notice from the Customer, unless the Parties agree otherwise. Any material shortcomings that pose an obvious threat to data security shall be rectified without delay.


10. Limitation of liability

10.1   If any tangible or intangible damage is caused to a person due to a breach against the Data Protection Legislation or the DPA, the Service Provider shall be liable for the damage only in so far that it has not explicitly abided by the obligations directed to personal data processors in the Data Protection Legislation or this DPA.

10.2   Both parties are obligated to pay only the part of the damages or administrative fine that corresponds to its liability for damages confirmed in the final decision of a data protection authority or a court of law. However, the Service Provider shall not be liable for any damages or administrative fines to the extent such damages or administrative fines are caused, directly or indirectly, by any act or omission of the Customer. The Service Provider shall not be liable for lost profits or any indirect damages. For clarity, any administrative fines imposed on and paid by the Customer shall be considered indirect damages.

10.3   Otherwise, the liability of the Parties shall be determined pursuant to the Agreement. What has been agreed in this Section 10 shall not limit the applicability of what has been agreed on the limitation of liabilities in the Agreement.


11. Term and Termination

11.1   This DPA becomes effective when the Parties have entered into the Agreement and continues to be in effect until termination or expiration of the Agreement, provided the parties have no other obligations concerning Personal Data processing activities towards one another.

11.2   The Service Provider shall process Personal Data only during the term of this DPA. Upon termination or expiry of this DPA, or upon the Customer’s written request, the Service Provider shall either destroy or return, either to the Customer or to a third party designated by the Customer in writing, the Personal Data processed, unless otherwise required by Data Protection Legislation or other applicable legislation (including if EU or EEA member state law requires storage of the personal data). In case the Customer demands Personal Data to be returned to the Customer or transferred to a third party, the Customer will pay the Service Provider for any additional costs caused by return or transfer of Personal Data. If the Customer does not demand the Personal Data to be returned as provided above within a period of three (3) months from when this DPA was terminated or expired, the Service Provider will be entitled to delete any such Personal Data, including copies thereof, unless storage of the personal data is required under the Data Protection Legislation.

11.3   Notwithstanding the above-mentioned, upon the termination or expiry of this DPA, Personal Data that is necessary for the Service Provider to be able to host the badges issued under the DPA shall be disclosed to the Service Provider. The Service Provider will process such Personal Data as a controller only for the purposes of hosting the badges and allowing the Data Subjects to use, access and display the badges. This DPA shall no longer apply to such processing the Service Provider carries out as a controller.


SCHEDULE 1: DESCRIPTION AND DETAILS OF THE PERSONAL DATA PROCESSING


NATURE AND PURPOSES OF PROCESSING PERSONAL DATA

The nature of processing is collecting, dissemination or otherwise making available, storing and structuring.

The Service Provider shall process Personal Data only for the purpose of providing the Service, to allow the Customer to fill in information about the badge recipients in order to create individual badges for each badge recipient and in order to transfer badges to the recipients. Additionally, the Service Provider processes the personal data to host the badge and in order for it to be accessed, used and displayed by the Data Subject.

In addition, the Service Provider processes Personal Data to grant access to Service Customer’s user account, to maintain the accounts, and to grant view of the issued badges and other information on the account. The Service Provider may also take action, without consulting the Controller first, upon requests of Data Subjects exercising their rights under the GDPR and e.g., provide Data Subjects access to their Personal Data or delete their Personal Data upon explicit request.


CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA

The Categories of Data Subjects whose Personal Data is processed are Customer’s representatives, employees, students, business partners or other associates, members or its own customers, and any Data Subject who receives a badge from a customer.

The Service Provider shall process only the following categories of Personal Data:

Identification data of the Customer’s account users:

  • name
  • account password
  • email address


Contact data of the Customer’s account users:

  • email address


Technical data of the Customer’s account users and recipients, for example:

  • IP address, other technical information in relation to the use of the service
  • account name
  • account password
  • login data, login time
  • information relating to security incidents


Badge information of the recipients of the badge submitted by the Customer or by the badge recipient, for the purpose of issuing the badge, for example:

  • identification and contact data of the badge recipient: first name, surname, email
  • skills, trainings and educations completed and other accomplishments of the recipient
  • badge applicant’s work such as texts, images, or videos that may contain personal information
  • Social media shares (LinkedIn and other services)


DURATION OF PERSONAL DATA PROCESSING

Personal Data shall be processed as long as it is necessary for provision of services under the Agreement.


SCHEDULE 2: LIST OF AUTHORISED SUBPROCESSORS

Customer has approved the use of Subprocessors as follows:

  • Subprocessor:
    • Amazon Web Services (AWS)
  • Purpose for processing Personal Data:
    • Service platform
    • Automated platform email messages (Amazon Simple Email Service)
  • Geographic location of Personal Data and applicable transfer mechanism if applicable:
    • Central Canada (Montreal area)


SCHEDULE 3: LIST OF TECHNICAL AND ORGANISATIONAL MEASURES (TOM)

Learning Agents’ services are GDPR compliant, and our policy aligns with the following Data Processing Agreement: https://factory.cancred.ca/dpa. The CanCred Factory platform is an instance of Open Badge Factory technology whose data privacy capacity is reviewed and vetted yearly by 1Edtech: https://site.imsglobal.org/certifications/open-badge-factory/open-badge-factory.

1. Access Control

Physical Access Control

CanCred Factory is hosted in Canada by Amazon Web Services (AWS Central Canada), a United States operator with data centres around the world that are compliant with GDPR.

AWS provides several compliance reports from third-party auditors who have tested and verified its compliance with a variety of security standards, including SOC 2 Type 2, ISO 27001, ISO 27017, and ISO 27018. In Canada, AWS services are also assessed by the Canadian Centre for Cyber Security.

The AWS data center security strategy is assembled with scalable security controls and multiple layers of defence that help to protect personal information. For example, AWS carefully manages potential flood and seismic activity risks. AWS uses physical barriers, security guards, threat detection technology, and an in-depth screening process to limit access to data centers. AWS backs up its systems, regularly tests equipment and processes, and continuously trains AWS employees to be ready for the unexpected. To validate the security of its data centers, external auditors perform testing on more than 2,600 standards and requirements throughout the year. This independent examination helps ensure that security standards are consistently being met or exceeded. Learn more at https://aws.amazon.com/compliance/canada-data-privacy/#topic-0

Service Access Control

  • CanCred Factory service is protected with firewalls and TLS encryption.
  • Data processing and storage systems are secured with encrypted passwords (TLS).
  • Only authorized and named sysadmins have access, using two-factor authentication and encrypted connections.
  • Sysadmin activities are logged for security monitoring.

Isolation Control

CanCred Factory operates as a multi-client system, ensuring that each customer has a separate and isolated environment to protect their data.


2. Data Encryption

Encryption at Rest and in Transit: All data stored in the Service database is encrypted using industry-standard encryption protocols. Additionally, all data transmitted between systems or endpoints is secured through encryption to prevent unauthorized access.

  • All connections to CanCred servers use TLS encryption.
  • When personal data is erased, anonymization is applied if identifiers cannot be removed.


3. Physical Security

Open Badge Factory leverages AWS Central Canada’s secure data centers with advanced physical protection measures, including access controls, video monitoring, and robust infrastructure standards as mentioned under Physical Access Control.


4. Data Retention and Deletion

  • Backups are created daily to ensure data availability. Backups are for restoring service content in case of technical issues but do not restore end-user data accidentally deleted.
  • Data deletion processes comply with GDPR guidelines, including anonymization of identifiers when personal data is erased.


5. Incident Response

  • If a data breach occurs, CanCred Factory follows procedures outlined in paragraph 6 of the DPA, compliant with GDPR Article 33.
  • The breach response includes documenting the nature of the breach, consequences, measures taken, and notifications to supervisory authorities and customers within 72 hours.


6. Employee Training

  • Sysadmins follow strict protocols for access control, monitoring, and secure data management. Internal training ensures adherence to GDPR compliance.


7. Backup and Disaster Recovery

  • Full backups of service content are made daily using AWS’s backup systems.
  • Data centers are equipped with UPS systems, power generators, firewalls, and antivirus software.
  • Regular monitoring and operator-provided systems ensure resilience and availability of services.


8. Service Provider Management

  • CanCred Factory’s data is not processed by any third parties. AWS is the sole operator hosting the services, with GDPR-compliant certifications and processes. For more information see our DPA.