Data Processing Addendum
Last Updated February 9, 2026
To the extent Carnegie Processes Client Personal Data subject to Privacy Laws as a Processor on behalf of Client (all as defined below), this Data Processing Addendum (“DPA”) forms part of the Master Services Agreement, Standard Terms and Conditions, or other agreement (“Agreement”) between Carnegie Dartlet LLC (“Carnegie”) and the party identified in the Agreement (“Client”). Carnegie and Client are referred to collectively as the “Parties” and each a “Party.”
The obligations set forth in this DPA are in addition to, and not exclusive of, any obligations provided by law. To the extent any of the terms contained in this DPA conflict or are inconsistent with the Agreement, the terms contained in this DPA shall control. Except as modified in this DPA, the terms of the Agreement shall remain in full force and effect.
From time to time, Carnegie may modify this DPA. Any such changes or modifications shall be effective upon posting. By continuing to use or access the Services after any modifications come into effect, Client agrees to be bound by the modified DPA.
1. Definitions.
1.1. Client Personal Data means Personal Data that Carnegie Processes on behalf of Client in connection with Client’s use of the Services pursuant to the Agreement.
1.2. Controller means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. The term “Controller” shall also include a “business” as defined in the CCPA and analogous terms in the Privacy Laws.
1.3. Data Subject means an individual or household who is the subject of the Client Personal Data and to whom or about whom the Client Personal Data relates or identifies, directly or indirectly.
1.4. Data Subject Request means any request by a Data Subject in respect of Client Personal Data.
1.5. Deidentified Data means data that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a specific Data Subject.
1.6. European Personal Data means Client Personal Data that is subject to the protection of European Privacy Laws.
1.7. European Privacy Laws means any applicable European data protection laws and regulations, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together, “UK Data Protection Laws”); and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss DPA”).
1.8. Personal Data means (i) any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an individual or household; or (ii) any information that the relevant Privacy Laws otherwise define as “personal information” or “personal data.” Personal Data does not include Deidentified Data, aggregate or anonymized data, or publicly available data.
1.9. Privacy Laws means any law or regulation applicable to the Processing of Client Personal Data under the Agreement, including but not limited to the European Privacy Laws and US Privacy Laws.
1.10. Process, Processing, or Processed shall have the same meaning under the Privacy Laws, and shall include, but is not limited to, any operation or set of operations which is performed on Personal Data or sets of Personal Data, including to access, analyze, collect, destroy, disclose, maintain, manage, modify, receive, retain, transfer, use, or view, whether or not by automated means.
1.11. Processor means the entity that Processes Personal Data on behalf of the Controller. The term “Processor” shall also include a “service provider” as defined in the CCPA and analogous terms in the Privacy Laws.
1.12. Security Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data.
1.13. Services means services provided by Carnegie under the Agreement.
1.14. Supervisory Authority means a government or regulatory authority responsible for administering, overseeing compliance with, and/or enforcing the Privacy Laws.
1.15. US Privacy Laws means any applicable United States data protection laws and regulations, including but not limited to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act (“CPA”); the Connecticut Data Privacy Act (“CTDPA”); and the Utah Consumer Privacy Act (“UCPA”).
1.16. writing or written references will include email.
1.17. Capitalized terms not otherwise defined in this DPA shall have the meaning given to them in the Agreement.
2. Roles of the Parties. In respect of the Parties’ rights and obligations under this DPA regarding Client Personal Data, Client is the Controller (or a Processor Processing Client Personal Data on behalf of a third-party Controller) and Carnegie is the Processor (or Subprocessor, as applicable). If Client is a Processor, Client warrants to Carnegie that Client’s instructions and actions with respect to the Client Personal Data, including its appointment of Carnegie as another Processor, have been (and will, for the duration of this DPA, continue to be) authorized by the relevant third-party Controller.
3. Client Responsibilities.
3.1. Client (i) is solely responsible for determining the purposes and means of Processing Client Personal Data; (ii) has all necessary authority, grounds, rights, and permissions to provide Client Personal Data to Carnegie; and (iii) has provided, and will continue to provide, all notices and has obtained, and will continue to obtain, all consents and rights necessary under the Privacy Laws for Carnegie to process Client Personal Data for the purposes described in the Agreement.
3.2. Client shall have sole responsibility for the accuracy, quality, and legality of the Client Personal Data and the means by which Client acquired the Client Personal Data. Without prejudice to the generality of the foregoing, Client agrees that it shall be responsible for complying with all applicable laws (including the Privacy Laws), including those relating to obtaining consents (where required) to send texts and emails. Client will comply with applicable laws, including with all obligations as a Controller under the Privacy Laws, in respect of its Processing of Client Personal Data and any Processing instructions it issues to Carnegie.
3.3. Client acknowledges that Carnegie is not responsible for determining which laws or regulations are applicable to Client’s business. Client is solely responsible for determining that the Services provided by Carnegie and the terms of the Agreement and this DPA meet Client’s business, contractual, and legal obligations. Client also will ensure that Client’s Processing instructions to Carnegie do not violate any Privacy Laws.
4. Carnegie Responsibilities.
4.1. Carnegie will Process Client Personal Data as outlined in Annex I, to the extent and in such a manner as is necessary to implement the rights and obligations under the Agreement, pursuant to Client’s instructions as set forth in this DPA, as necessary to comply with applicable law, or as otherwise agreed in writing (“Permitted Purposes”). Where required by the Privacy Laws, Carnegie will promptly inform Client if, in Carnegie’s opinion, an instruction by Client concerning Client Personal Data infringes the Privacy Laws, and in the event Carnegie is required to Process Personal Data under applicable law, Carnegie will notify Client of that legal requirement before Processing, unless notification is prohibited by applicable law.
4.2. Carnegie shall ensure that all of its personnel involved in the Processing of Client Personal Data have committed themselves to keeping Client Personal Data confidential or are under an appropriate statutory obligation of confidentiality in accordance with the Privacy Laws.
5. Subprocessors.
5.1. Client provides general authorization for Carnegie to engage third parties (“Subprocessors”) to Process Client Personal Data. Carnegie will enter into a written agreement with each Subprocessor that imposes on that Subprocessor obligations comparable to those imposed on Carnegie under this DPA. Where required by the Privacy Laws, if a Subprocessor fails to fulfill its obligations under such written agreement or under the Privacy Laws, Carnegie remains liable to Client for the Subprocessor’s performance of its obligations.
5.2. Carnegie’s list of current Subprocessors is located at carnegiehighered.com/subprocessors. Carnegie will provide at least ten (10) days’ notice before allowing any new Subprocessor to Process Client Personal Data by updating its list of Subprocessors (“Subprocessor Notice Period”). Client may object to Carnegie’s appointment of a new Subprocessor during the Subprocessor Notice Period, provided that such objection is based on reasonable grounds. In such event, the Parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Carnegie will either not appoint such Subprocessor or permit Client to suspend or terminate the affected Services in accordance with the termination provisions in the Agreement without liability to either Client or Carnegie.
6. Data Subject Rights and Requests; Cooperation and Assistance.
6.1. Carnegie will notify Client of any Data Subject Request without undue delay. Client is solely responsible for responding to any Data Subject Request. To the extent required by the Privacy Laws, Carnegie will, at Client’s expense, provide Client with assistance reasonably necessary to allow Client to respond to a Data Subject Request. Carnegie will not respond to a Data Subject Request except on documented instructions from Client or as otherwise required under the Privacy Laws.
6.2. To the extent required by the Privacy Laws, following Client’s written request, Carnegie will, at Client’s expense, provide Client with reasonable assistance to help Client comply with its obligations under the Privacy Laws including, taking into account the nature of the Processing and the information available to Carnegie, reasonable assistance to help Client conduct a data protection impact assessment or consult with a Supervisory Authority.
7. Security and Technical, Organizational, and Operational Measures. Carnegie will implement reasonable and appropriate administrative, technical, and physical measures appropriate to the risks that are presented by the Processing of Client Personal Data, in particular, protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, use of, or access to Client Personal Data.
8. Security Incident. Upon becoming aware of a Security Incident, Carnegie will (i) notify Client without undue delay; (ii) provide Client with information, subject to Carnegie’s privacy and data security policies, confidentiality and legal requirements, as may be reasonably necessary to assist Client with its notification and reporting responsibilities; and (iii) take appropriate steps to identify the cause of the Security Incident and minimize and secure the Client Personal Data, to the extent remediation is within Carnegie’s reasonable control. Carnegie’s acknowledgement of a Security Incident or decision to notify Client of a Security Incident is not an admission of fault or liability with respect to a Security Incident.
9. Audits. To the extent required by the Privacy Laws and no more than once per year, Carnegie will (i) allow Client, or an independent third-party auditor appointed by Client, to conduct audits to ensure that Carnegie is complying with this DPA and the Privacy Laws; and (ii) provide, upon reasonable written notice, all necessary documentation to Client or the independent third-party auditor.
10. Records. Carnegie will keep appropriate records regarding any Processing of Client Personal Data it carries out for Client as required by the Privacy Laws.
11. CCPA.
11.1. This Section 11 applies where the CCPA applies to the Processing of Client Personal Data under this DPA. For purposes of this Section 11, “Business,” “Business Purpose,” “Consumer,” “Commercial Purpose,” “Sell,” “Service Provider,” “Share,” and “Third Party” shall have the meanings ascribed to them in the CCPA.
11.2. To the extent that Carnegie is acting as a Service Provider under the CCPA: Carnegie will not (i) Process Client Personal Data for any purpose, including any Commercial Purpose, except for the limited Business Purpose as permitted under the Agreement, this DPA, or under the CCPA; (ii) Process Client Personal Data outside of the direct business relationship between Client and Carnegie, including by not combining any Client Personal Data collected or received from another party except as otherwise permitted by the CCPA; or (iii) Sell or Share Client Personal Data. Carnegie will comply with all applicable sections of the CCPA, including by providing the same level of privacy protection as required of Businesses by the CCPA. Carnegie will notify Client if, in Carnegie’s opinion, Carnegie is unable to meet its obligations under the CCPA, unless such notice is prohibited by applicable law. Upon notice, Client has the right to take reasonable and appropriate steps to ensure that Carnegie uses the Client Personal Data in a manner consistent with its obligations under the CCPA and may take reasonable and appropriate steps to mitigate and remediate any unauthorized Processing of Client Personal Data.
11.3. To the extent that Carnegie is acting as a Third Party under the CCPA: Carnegie will not Process Client Personal Data except for the limited purpose as permitted under the Agreement, this DPA, or under the CCPA. Carnegie will comply with all applicable sections of the CCPA, including by providing the same level of privacy protection as required of Businesses by the CCPA. Carnegie will notify Client if, in Carnegie’s opinion, Carnegie is unable to meet its obligations under the CCPA, unless such notice is prohibited by applicable law. Upon notice, Client has the right to take reasonable and appropriate steps to ensure that Carnegie uses the Client Personal Data in a manner consistent with its obligations under the CCPA and may take reasonable and appropriate steps to mitigate and remediate any unauthorized Processing of Client Personal Data.
12. International Personal Data Transfers. For a transfer of Client Personal Data to a country not providing an adequate level of protection pursuant to the applicable Privacy Laws (“Non-Adequate Country”), the Parties shall (i) cooperate to ensure compliance with the applicable Privacy Laws; and (ii) implement transfers of Client Personal Data to a Non-Adequate Country in compliance with the requirements of the Privacy Laws and this DPA at all times. Without limiting the foregoing, to the extent that the Parties will transfer European Personal Data to or otherwise Process European Personal Data in a Non-Adequate Country, the Parties will enter into the Supplemental Data Processing Terms in order to comply with the European Privacy Laws.
13. Term and Termination. Unless terminated earlier pursuant to the Agreement or any other applicable provision of this DPA or any Privacy Laws, this DPA shall terminate upon the completion of Processing or termination of the Agreement, whichever is earlier. Following termination of this DPA, Carnegie will return, delete, anonymize, aggregate, or deidentify Client Personal Data pursuant to the terms of the Agreement and this DPA, unless Carnegie is required to maintain Client Personal Data pursuant to applicable law. If Carnegie is required to retain Client Personal Data following termination of the Agreement, Carnegie will continue to comply with its obligations relating to the Processing of Client Personal Data under this DPA and will promptly return, delete, anonymize, aggregate, or deidentify any such Client Personal Data after retention is no longer required.
14. Liability. Notwithstanding anything to the contrary in the Agreement, including this DPA, Carnegie will not be liable for any claim made by a Data Subject arising from or related to Carnegie’s acts or omissions, to the extent that Carnegie was acting in accordance with Client’s instructions. Carnegie’s liability under or in connection with this DPA is subject to the exclusions and limitations on liability contained in the Agreement.
15. Governing Law. This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by the Privacy Laws.
ANNEX I
Details of Processing
Categories of Data Subjects: Data Subjects may include current and prospective students, Client personnel, and any other individuals whose Personal Data Client provides to Carnegie related to the Services.
Categories of Personal Data: Personal Data Processed may include identifiers (such as name, address, email address, phone number, IP address, account credentials and profile information, date of birth, and demographic information); internet or similar network activity information (such as information about internet connection, equipment, browsing history, and usage data, such as device type and identification number, browser type, internet service provider, operating system, and similar technical information); geolocation information; educational information; professional or employment-related information; and any other categories that Client provides to Carnegie related to the Services.
Categories of Sensitive Data: Client Personal Data Processed in relation to the Services is determined and controlled by Client and may include sensitive data, such as Client Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or gender identity.
Nature and Purpose of Processing: Carnegie provides college marketing, enrollment, and other related services, as more particularly described in the Agreement. Client Personal Data will be processed in accordance with the Agreement (including this DPA) and may be subject to processing activities such as collection, use, storage, disclosure, and other Processing necessary to provide, maintain and improve the Services provided to Client pursuant to the Agreement and/or as compelled by applicable law. Carnegie will only Process Client Personal Data for the Permitted Purposes, which shall include: (i) Processing as necessary to provide the Services in accordance with the Agreement; (ii) Processing initiated by Client in its use of the Services; and (iii) processing to comply with any other reasonable instructions provided by Client that are consistent with the terms of the Agreement.
Duration: As outlined in Section 13 of this DPA.
Frequency: Continuous.
Retention: As outlined in Section 13 of this DPA.
Subprocessors: Subprocessors are outlined at carnegiehighered.com/subprocessors and the subject matter, nature and duration is as outlined above.