EU-U.S. PRIVACY SHIELD FRAMEWORK
Vanta Education, Inc. and BPP (individually and collectively, the “Company”) participates in the EU-U.S. Privacy Shield Framework (the “Framework”). Company’s participation in the Framework applies to personal data received in the United States from the European Union (“EU”) about employees (“EU Employee Data”), students (“EU Student Data”), clients (“EU Client Data”) and suppliers (“EU Supplier Data”) (collectively, “EU Personal Data”). In addition to having implemented Standard Contractual Clauses for the transfer of certain EU Personal Data, we are committed to subjecting such EU Personal Data to the Framework to the extent that we have received it in reliance on the Framework, including its Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. To learn more about the Framework, visit the U.S. Department of Commerce’s Privacy Shield List.

EU Personal Data Collection, Use, and Disclosure
EU Employee Data: The Company provides to EU employees a notice about the collection, use, and disclosure of their EU Employee Data through internal company policies.

EU Student and Prospective Student Data: The Company collects and processes the following categories of EU Student and Prospective Student Data: name, email address, student number, national ID number (where permitted by applicable law), city, telephone number, financial account information, network usage information, educational information (classes, grades, schedule, academic record). The Company will use and otherwise process EU Student and Prospective Data in the United States for the following purposes: educational related activities, finance and accounting related activities, technical support, and disaster recovery. The Company transfers EU Student and Prospective Student Data to the following types of third parties: student management system provider; IT helpdesk and support provider; backup storage provider.

EU Client and Prospective Client Data: The Company collects and processes the following categories of EU Client and Prospective Client Data: name, email address, client number, national ID number (where permitted by applicable law), city, telephone number, financial account information, network usage information, educational information (classes, schedule, educational record). The Company will use and otherwise process EU Client and Prospective Client Data in the United States for the following purposes: educational related activities, finance and accounting related activities, legal compliance activities, contracting, sales, technical support, and disaster recovery. The Company transfers EU Client and Prospective Client Data to the following types of third parties: client management system provider; IT helpdesk and support provider; backup storage provider.

EU Supplier Data: The Company collects and processes the following categories of EU Supplier Data: name, email address, mailing address, telephone number, financial account information. The Company will use and otherwise process EU Supplier Data in the United States for the following purposes: finance and accounting related activities, legal compliance activities, contracting, sales, project management, technical support, and disaster recovery. The Company transfers EU Supplier Data to the following types of third parties: supplier management system provider; IT helpdesk and support provider; backup storage provider.

Rights of EU Data Subjects
If you are an EU data subject, you have the right to access your own EU Personal Data subject to certain limitations, such as where the legitimate rights of other persons would be infringed or where the burden or expense of providing access would be disproportionate. If you wish to exercise such rights, please contact us as described below.

Choices of EU Data Subjects
Students and clients have the right to exercise choice (opt-out) from our use of their EU Student Data or EU Client Data for direct marketing purposes. To exercise this right, please email privacy@vantaedu.com or follow the instructions in any direct marketing message you may have received. We do not otherwise use or disclose EU Student Data and EU Client Data in a manner that is subject to choice requirements under the Framework. We describe the choices for EU Employee Data through internal company policies.

Recourse, Enforcement, and Liability
Please contact us as specified below if you have any questions, need access to your EU Personal Data, or otherwise need assistance. We remain responsible for our collection, use and disclosure of EU Personal Data in accordance with the Framework. We also are responsible for third party agents that are processing such data on our behalf, unless we prove that we are not responsible for the event giving rise to the damage. In certain situations, we may be required to disclose EU Personal Data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.

If you have an unresolved concern about EU Personal Data that we have not addressed satisfactorily, we have committed to cooperate with the panel established by the EU Data Protection Authorities to serve as our independent dispute resolution body for the Framework. We are also subject to the investigatory and enforcement powers of the Federal Trade Commission with respect to the Framework. In addition, under certain conditions, more fully described on the Privacy Shield website, EU residents may invoke binding arbitration for non-monetary issues when other dispute resolution procedures have been exhausted.

Contact Us

Please contact us at privacy@vantaedu.com if you have any questions, wish to exercise your rights of access, or seek other assistance as described above.