At ClassDojo, we take our commitment to your privacy and data protection seriously, that's why every ClassDojo product is designed with privacy and security first. We believe you should have meaningful control over your data and know exactly how it is used. As a US-based company, we store user data in the United States. Certain jurisdictions require specific legal requirements to be met in order to transfer this personal data from your location to the United States. When personal data is transferred outside of the European Economic Area (“EEA") or the United Kingdom (“UK”), the General Data Protection Regulation, including as implemented or adopted under the laws of the UK (“GDPR”), requires specific conditions to be fulfilled to ensure an equivalent level of protection for this data. Similar requirements are in place under the laws of Switzerland.
How can Personal Data from the EEA, the UK or Switzerland be Lawfully Transferred to the U.S.?
International transfers of personal data are regulated under the GDPR to ensure the continued protection of personal data once outside of the EEA and the UK. To ensure this, in the EEA and the UK, the GDPR sets forth the circumstances in which international transfers may take place. Swiss law takes a similar approach. These circumstances include:
- Where an adequacy decision has been adopted. In the EEA, adequacy decisions are adopted by the EU Commission where it has decided the recipient country ensures an adequate level of protection for personal data. A list of adequacy decisions is available here. In the UK, the Government similarly adopts adequacy regulations. This includes the EU- U.S. Data Privacy Framework (“EU- U.S. DPF”), the UK Extension to the EU- U.S. DPF (“UK Extension”), and the Swiss-U.S. Data Privacy Framework (Swiss U.S. DPF) (collectively, the “DPF Programs”) are examples of adequacy decisions;
Where a derogation or transfer mechanism is available:
- Article 49 derogations (such as consent); or
Appropriate safeguards (i.e. transfer mechanism) which can be outlined in a legally binding instrument, such as a contract between two parties. The following have been determined to be valid transfer mechanisms under this approach:
- The European Commission’s Standard Contractual Clauses (“SCCs”).
- The UK Information Commissioner’s International Data Transfer Agreement or Addendum to the SCCs (“UK Addendum”).
What Mechanism under the GDPR does ClassDojo use to Transfer Personal Data to the U.S.?
ClassDojo relies on the DPF Programs when transferring data either as a processor or controller (as that term is defined under the GDPR). Note, however, that until the Swiss U.S. DPF is formally approved, when ClassDojo is acting as a processor to schools located within Switzerland, we offer the SCC’s. Please ask your School Leader to contact us at firstname.lastname@example.org in order to obtain the SCC’s to further assist with meeting the GDPR legal requirements regarding personal data transfers to the United States. Please note this section below regarding the SCC’s prior to contacting us. Note that once the Swiss DPF is fully operational, ClassDojo will rely on this framework instead of the SCC’s as the transfer mechanism.
General Data Protection Regulations (GDPR)
Data Privacy Framework
ClassDojo complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce (collectively the “DPF Programs”). ClassDojo has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. ClassDojo has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. To learn more about the DPF Programs, and to view our certification, please visit https://www.dataprivacyframework.gov/.
ClassDojo is responsible for the processing of personal data it receives under the DPF Programs, and subsequently transfers to third-parties acting as an agent on its behalf. ClassDojo complies with the DPF Principles for all onward transfers of personal information from the EU, UK and Switzerland, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the DPF Programs, ClassDojo is subject to the jurisdiction and regulatory enforcement powers of the U.S. Federal Trade Commission and other authorized statutory bodies. In certain situations, ClassDojo may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
ClassDojo commits to resolve DPF Principles- related complaints about the collection and use of your personal data. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the DPF Programs should contact us at email@example.com or using the form here. In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, ClassDojo commits to refer unresolved complaints concerning our handling of personal data received in reliance on the DPF Programs to Truste, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit here for more information or to file a complaint. The services of Truste are provided at no cost to you.
Under certain conditions, more fully described on the DPF Programs website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
Standard Contractual Clauses:
The European Commission’s SCCs are legal contracts entered into between parties that are transferring personal data outside of the EEA into the U.S. The SCC’s may also be used for transfers of personal data outside of Switzerland.
The initial SCCs were drafted and approved by the European Commission in 2010. Following the Schrems II decision, the European Commission published a new draft of the SCCs to incorporate the requirements of GDPR and the Schrems II decision with the final version published on June 4, 2021 (the “New SCCs”). ClassDojo is using the DPF Programs as the transfer mechanism and will no longer rely on the New SCCs, except as noted below.
In the UK, the Information Commissioner continues to recognize the initial SCCs entered into on or before September 21, 2022 as valid (see below for further details), and will do so until March 21, 2024. For agreements entered into after September 21, 2022, the Information Commissioner has adopted an International Data Transfer Agreement (“IDTA”) as well as an International Data Transfer Addendum to the New SCCs (the “UK Addendum”). Please see below for more information:
- UK Schools: If you entered into our UK International Student Data Processing Addendum prior to September 21, 2022, you will have entered into SCCs with ClassDojo (“Prior UK DPA”). For any UK school that previously contracted with ClassDojo with the Prior UK DPAs, these contracts are still valid until March 21, 2024.
- EEA or Switzerland-based schools: For EEA- based schools, post December 27, 2022, all prior use of the SCC’s are no longer allowed as a valid transfer mechanism. However, the International Student Data Processing Addendum you previously entered into to provide required GDPR protections and meet GDPR requirements (separate from the transfer mechanism) still remain valid. Additionally, we now rely on the EU- U.S. DPF for the transfer mechanism. For any school based in Switzerland that wishes to update their contracts prior to the Swiss-U.S. DPF becoming effective, please see the “New Contracts” section below.
- UK schools: ClassDojo currently offers an International DPA and relies on the UK Extension and will no longer rely on the UK Addendum as the transfer mechanism. For any new contracts entered into post-September 21, 2022, please email firstname.lastname@example.org for more information on how to execute an International Data Processing Addendum.
- EEA -based schools: ClassDojo provides our International Student Data Processing Addendum and relies on the EU-U.S. DPF for the transfer mechanism and will no longer rely on the New SCCs as the transfer mechanism. If you would like to review or enter into ClassDojo's International Student Data Processing Addendum, please email email@example.com.
- Switzerland-based schools: ClassDojo provides our International Student Data Processing Addendum with the New SCCs. Additionally, ClassDojo is waiting for Switzerland to formally adopt the Swiss-U.S. DPF, and once adopted, will rely on the Swiss-U.S. DPF and will no longer rely on the New SCC’s as the transfer mechanism. If you would like to review or enter into ClassDojo's International Student Data Processing Addendum, please email firstname.lastname@example.org.