Between:
(1) The educational establishment referenced in the applicable Master Agreement, as defined below (School)
(2) Such member of the Joymo Group as referred to in the applicable Master Agreement, as defined below (Joymo)
Background
(A) The Customer and Joymo entered into an agreement (Master Agreement) of even date that may require Joymo to process Personal Information on behalf of the Customer.
(B) This DPA sets out the additional terms, requirements and conditions on which Joymo will, where it is considered a processor, process Personal Information when providing services under the Master Agreement.
1. Definitions
1.1 Controller, processor, data subject, personal data, personal data breach and processing: have the meanings given in the Data Protection Legislation.
1.2 Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended;
1.3 EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
1.4 EEA: the European Economic Area.
1.5 Joymo Group: means any undertaking which is a subsidiary or holding company (or a subsidiary of any such holding company) of Joymo, as defined in Section 1159 of the Companies Act 2006) from time to time, including but not limited to:
1.5.1 Joymo AS, a limited liability company registered under the laws of Norway with reg. no. 916 959 311, whose company address is at Nedre Slottsgate 2c, 0153 Oslo, Norway;
1.5.2 Joymo UK Ltd, a company incorporated and registered in England with company number 13255919 whose registered office is at 1 Chapel Street, Warwick, United Kingdom, CV34 4HL; and
1.5.3 Joymo Sport Media Limited, a company incorporated and registered in England with company number 15346526 whose registered office is at 1 Chapel Street, Warwick, United Kingdom, CV34 4HL;
each being a member of the Joymo Group.
1.6 Personal Information: has the meaning given to it in Joymo's Privacy Policy.
1.7 UK GDPR: has the meaning given in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
2. Personal Information Types, Purpose & Scope of Processing
2.1 The Customer and Joymo agree and acknowledge that for the purpose of the Data Protection Legislation:
2.1.1 in circumstances where Joymo shall be regarded as a processor, the School is the controller and Joymo is the processor.
2.1.2 the School retains control of the Personal Information and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Joymo.
2.1.3 Schedule 1 describes the subject matter, duration, nature and purpose of the processing and the Personal Information categories and data subject types in respect of which Joymo may process the Personal Information to fulfil its obligations pursuant to the Master Agreement.
2.2 The School appoints Joymo to process Personal Information solely as necessary to provide the services described in the Master Agreement.
2.3 The categories of data, subjects and processing activities are set out in the Privacy Policy and at Schedule 1.
3. School Responsibilities
3.1 The School:
3.1.1 shall ensure that all Personal Information is supplied to Joymo lawfully, is accurate, and that data subjects have been appropriately informed.
3.1.2 is responsible for responding to data subject rights requests and for determining the lawful basis for all processing.
3.1.3 shall not issue instructions that would cause Joymo to violate any and all applicable laws (including but not limited to the Data Protection Legislation).
4. Joymo’s Responsibilities as Processor
4.1 Joymo shall:
4.1.1 process Personal Information only in accordance with Joymo's Privacy Policy, or otherwise on the documented instructions of the School, unless required otherwise by law.
4.1.2 ensure personnel authorised to process Personal Information are subject to confidentiality obligations.
4.1.3 implement appropriate technical and organisational measures, proportionate to the risks and the nature of the service.
4.1.4 rely on the accuracy, legality and completeness of Personal Information and instructions provided by the School.
5. Sub‑Processors
5.1 The School grants a general authorisation for Joymo to appoint sub‑processors as reasonably required for service delivery (e.g., cloud hosting, CDN, streaming infrastructure, analytics).
5.2 Joymo will ensure that sub‑processors are bound by obligations no more onerous than those in this DPA.
5.3 Joymo will:
5.3.1 upon request from the School, provide a current list of sub‑processors; and
5.3.2 notify the School of any intended changes to sub‑processors
6. Security
6.1 Joymo shall maintain security measures that are reasonable and appropriate, taking into account the cost of implementation, technology available, the nature of processing, and associated risks.
6.2 The School acknowledges that Joymo’s security framework is appropriate for the services provided.
7. Data Breach Notification
7.1 Joymo shall notify the School without undue delay upon confirming a personal data breach affecting School Personal Information.
7.2 The School remains responsible for all regulatory notifications, unless otherwise required by law.
8. Audit & Information Rights
8.1 The School may conduct one audit per 12‑month period, conducted remotely and subject to reasonable notice.
8.2 Audits shall first rely on Joymo’s certifications, third‑party audits, SOC/ISO reports or summary documentation.
8.3 All audit costs—including Joymo’s internal resource costs—are borne by the School.
9. Data Return & Deletion
9.1 On expiry or earlier termination of the Master Agreement, Joymo shall, at School’s written election, return or delete Personal Information, unless retention is required by law.
9.2 Joymo may retain minimal back‑ups on immutable storage subject to standard retention cycles.
10. Liability
10.1 Liability under this DPA is subject to the limitation‑of‑liability provisions in the Master Agreement. Joymo is not liable for breaches arising from:
10.1.1 School’s unlawful or inaccurate instructions;
10.1.2 inaccurate data supplied by the School; or
10.1.3 the School’s failure to implement complementary security measures.
11. International Transfers
11.1 Joymo may transfer data outside the EEA/UK where lawful safeguards exist (e.g., SCCs, IDTA, adequacy decisions).
11.2 The School acknowledges and accepts that the transfer mechanisms selected by Joymo are appropriate for the services.
12. Term
12.1 This DPA remains in effect for as long as Joymo processes Personal Information on behalf of the School.
Schedule 1 Details of Processing
1. Subject Matter of Processing: Processing Personal Information as necessary for Joymo to provide the services (and generally to fulfil its other obligations) under the Master Agreement.
2. Duration of Processing: For the duration of the Master Agreement and any legally required retention periods.
3. Nature & Purpose of Processing: Hosting/delivering audiovisual content; user account management; streaming events; payment processing (if applicable); analytics and reporting; technical troubleshooting.
4. Categories of Data Subjects: End‑users/viewers; students/student family members/participants/staff; School’s employees/admins; individuals in streamed content.
5. Categories of Personal Information: Identification data; login data; device and IP data; cookies; payment metadata; audiovisual content; support communications.
6. Special Categories: Not expected unless provided by School.
7. Sub‑Processing: Cloud hosting (AWS/GCP/Azure); CDN services; analytics providers; payment processors.
8. Data Transfers: International transfers may occur for hosting, support, or CDN distribution under appropriate safeguards.