Effective: January 22, 2025


This data processing agreement shall apply to all customers where Kahoot! is acting as a data processor, unless Kahoot! and the customer have entered into a separate agreement governing data processing, such as a US state specific DPA for the educational sector.

Data Processing Agreement

This Data Processing Agreement (“DPA”) is an addendum to the legal agreement between you (the “Customer”) and Kahoot! for your use of the Kahoot! Services (the “Agreement”).

1. Definitions

For the purposes of the DPA the following definitions apply:

“Customer Personal Data” means the categories of Personal Data that are set out in Annex A to this DPA and that are Processed by Kahoot! on behalf of the Customer.

“Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation or the “GDPR”); (ii) the GDPR as it forms part of domestic law in the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018; (iii) the Norwegian legislation implementing the GDPR; and (iv) any equivalent legislation, or legislation dealing with the same subject matter, anywhere in the world; each as applicable and each as amended, consolidated or replaced from time to time.

“New Sub-Processor” means any Sub-Processors engaged by Kahoot! after the effective date of the Agreement.

“Personnel” means any current, former or prospective employee, consultant, temporary worker, agency worker, intern, other non-permanent employee, contractor, secondee or other personnel.

“SCC” means the European Commission’s standard contractual clauses for data transfers between EU and non-EU countries and/or, where applicable, the addendum to those standard contractual clauses or international data transfer agreement published by the Information Commissioner’s Office for data transfers from the UK.

“Sensitive Data” means: (i) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (ii) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (iii) employment, financial, credit, genetic, biometric or health information; (iv) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (v) account passwords; (vi) personal data relating to criminal convictions or offences, or (vii) other information that falls within the meaning of “special categories of data” or “sensitive data” under applicable Data Protection Laws.

“Sub-Processor” means an entity to which Kahoot! subcontracts its processing of the Customer Personal Data.

“Data Subject”, “Controller”, “Personal Data”, “Personal Data Breach”, “Processing” (with “Process” and “Processed” to be construed accordingly) and “Processor” shall have the meaning provided to such term under the GDPR.

“Supervisory Authority” shall have the meaning given to the term under the GDPR, or shall refer to the Information Commissioner’s Office to the extent the UK GDPR applies.

All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement. For the avoidance of doubt, all references to the Agreement shall include this DPA and any relevant SCCs (where implemented in connection with the Agreement).

2. Roles and responsibilities

The parties acknowledge and agree that with regards to the Processing of Customer Personal Data in the course of providing the Services, Customer is the Controller and Kahoot! is a Processor acting on behalf of Customer as further described in Annex A (Details of Data Processing).

In the course of providing the Services, Kahoot! shall Process Customer Personal Data only:

  • in accordance with Customer’s documented lawful instructions as set forth in this DPA; except when required to Process any Customer Personal Data: (i) in relation to any EU/EEA member state, by the laws of the EU/EEA or an EU/EEA member state; or (ii) in relation to the UK, by the laws applicable in the UK, in which case Kahoot! shall inform Customer in advance of such Processing, to the maximum extent permitted by applicable law, or as otherwise agreed in writing; and
  • to the extent necessary in connection with this DPA or the Services, including as described in Annex A below, (together, the “Permitted Purposes”).

If at any point, Kahoot! becomes unable to comply with Customer’s instructions regarding the Processing of Customer Personal Data (whether because Kahoot! believes that an instruction infringes the applicable law of the United Kingdom, or applicable EU/EEA law or national law of an EU/EEA Member State, or as a result of a change in applicable law, or a change in Customer’s instructions), Kahoot! shall reasonably promptly:

  • notify Customer of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the extent permitted by applicable law; and
  • cease all Processing of the affected Customer Personal Data (other than merely storing and maintaining the security of the affected Customer Personal Data) until such time as Customer issues new instructions with which Kahoot! is able to comply.

The Customer shall: (i) comply with its obligations under applicable laws, including Data Protection Laws, in respect of its Processing of Customer Personal Data and any Processing instructions issued to Kahoot!; and (ii) provide all notices and obtain all consents and rights necessary under Data Protection Laws for Kahoot! to Process Customer Personal Data for the purposes described in the Agreement. This DPA does not relieve the Customer’s obligations under Data Protection Law.

The Customer shall not provide (or cause to be provided) any Sensitive Data to Kahoot! for Processing under the Agreement, and Kahoot! will have no liability for Sensitive Data, whether in connection with a Personal Data Breach or otherwise.

Notwithstanding the foregoing, in the event that the Customer provides Sensitive Data to Kahoot!, Kahoot! shall not be obliged to Process such Sensitive Data.

3. Security

Subject to Section 8, Kahoot! will implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data from accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, any other breach of security, and take reasonable steps to ensure a level of security appropriate to the risks arising from its Processing activities, in accordance with applicable Data Protection Law. The security measures shall at all times be designed to preserve the security and confidentiality of Customer Personal Data in accordance with Kahoot!’s security standards set out in Annex B to this DPA.

Kahoot! shall take reasonable steps to ensure: (i) that Customer Personal Data are kept confidential; and (ii) that all relevant Kahoot! Personnel and any relevant Sub-Processors have committed themselves to ensuring the confidentiality of all Customer Personal Data that they Process.

Kahoot! shall ensure that Customer Personal Data is solely Processed by Kahoot!’s Personnel who are authorized by Kahoot! to Process Customer Personal Data.

Customer is responsible for reviewing relevant information pertaining to data security as is made available by Kahoot!. Based on such information, the Customer shall make an independent assessment on whether the Kahoot! Service complies with the Customer’s obligations pursuant to applicable laws, including Data Protection Laws. Customer understands that Kahoot!’s security measures may be updated or modified as needed, provided that such updates and/or modifications do not negatively affect the overall level of security for the Kahoot! Services provided to Customer.

 

4. Personal Data Breach and other notifications

Kahoot! shall:

  • reasonably promptly notify the Customer of:
    • any confirmed Personal Data Breach affecting Customer Personal Data upon becoming aware thereof;
    • receipt of any correspondence or communication from any Data Subject or Supervisory Authority regarding the Processing of Customer Personal Data; and
  • promptly take reasonable steps to contain and investigate any Personal Data Breach affecting Customer Personal Data.

Kahoot!’s notification of, or response to, a Personal Data Breach under this Section 4 shall not be construed as an acknowledgment by Kahoot! of any fault or liability with respect to the Personal Data Breach.

5. Cooperation with the Customer

In respect of the Processing of Customer Personal Data, taking into account the nature of the Processing and the information available to Kahoot!, Kahoot! shall, at the Customer’s written request and expense, reasonably promptly assist the Customer with the Customer’s legal obligations under Data Protection Law by providing the Customer with any reasonable technical and organizational assistance necessary to:

  • implement appropriate technical and organizational measures for the purpose of complying with Data Protection Law;
  • enable the Customer to respond appropriately to requests from relevant Data Subjects to exercise their rights;
  • notify the appropriate Supervisory Authority and Data Subjects, where required, of any Personal Data Breach affecting Customer Data;
  • carry out data protection impact assessments where required by applicable Data Protection Law;
  • obtain any necessary authorizations from Supervisory Authorities where required by applicable Data Protection Law; and
  • conduct prior consultations with Supervisory Authorities where required by applicable Data Protection Law.

For the avoidance of doubt, Kahoot! shall be entitled to receive remuneration for any documented costs Kahoot! incurs in connection with its assistance under this Section 5.

6. Audit and compliance review

Kahoot! shall, in relation to its Processing of Customer Personal Data, maintain documentation of its compliance with this DPA and Data Protection Law, including written records of all Customer Personal Data Processed on behalf of the Customer. Kahoot! shall provide access to the aforementioned documentation upon the Customer’s reasonable notice.

At the Customer’s request and expense, Kahoot! shall: (i) promptly provide Customer with all information reasonably necessary to enable Customer to demonstrate compliance with its obligations under Data Protection Law, to the extent that Kahoot! is reasonably able to provide such information; and (ii) subject to Section 8, allow for and contribute to audits, including inspections, conducted by the Customer of Kahoot!’s premises and security systems specific for Customer, as Customer may reasonably require to ascertain compliance with Data Protection Law.

The Parties shall agree on the timing of such audits, including the scope and methods for the audits. Unless otherwise agreed, a maximum of one (1) audit may be conducted each year. Notwithstanding the foregoing, the Customer shall be entitled to carry out additional audits to the extent that the performance of such audits is necessary for the Customer’s compliance with Data Protection Law. The Customer shall give Kahoot! reasonable notice of the audit. The audit shall be conducted in a manner that causes the least possible disruption to Kahoot!’s ordinary operations. Further, all on-site audits shall be restricted to Kahoot!’s standard opening hours, and Kahoot! shall provide the Customer with copies of Kahoot!’s then-current policies and procedures regarding access to its premises, and the Customer shall procure that all Personnel involved in such on-site audits shall abide by such policies and procedures at all times. The audit result shall be documented appropriately. No provision of this DPA shall entitle Customer, or any auditor, to access confidential information of Kahoot! or any third party. Kahoot! may object to any third-party auditor appointed by Customer if the auditor is, in Kahoot!’s reasonable opinion: (i) not suitably qualified or independent; (ii) a competitor, or affiliate of a competitor, of Kahoot!; or (iii) otherwise manifestly unsuitable for the role. Any such objection by Kahoot! will require Customer to appoint another auditor or conduct the audit itself.

The Customer may appoint a third party to conduct audits on its behalf at Customer’s own expense. The relevant third party may not be a competitor of Kahoot!.

Costs for any audits initiated by the Customer pursuant to this Section 6 shall be borne by the Customer. Notwithstanding the foregoing, if audits pursuant to this Section 6 identify that Kahoot! is in material non-compliance with this DPA or Data Protection Laws, costs for such audits shall be borne by Kahoot!.

7. Use of Sub-Processors

The Customer hereby grants Kahoot! a general authorization to subcontract its processing of the Customer Personal Data to a Sub-Processor, subject to this Section 7.

Kahoot! shall take reasonable steps to ensure that, in each instance in which it engages a Sub-Processor to Process any Customer Personal Data, it shall: (i) appoint such Sub-Processors in accordance with the Customer’s prior authorization as granted above; and (ii) use commercially reasonable efforts to enter into a written agreement with each Sub-Processor, requiring the Sub-Processor to comply with data protection obligations equivalent in all material respects to those imposed on Customer under this DPA with respect to the Processing of Customer Personal Data.

Kahoot! shall be responsible for any acts or omissions of such Sub-Processor in breach of this DPA and for any acts or omissions of such Sub-Processors that cause Kahoot! to breach any of its obligations under this DPA.

Kahoot! will inform the Customer if Kahoot! intends to appoint or use a New Sub-Processor to the extent applicable to the Processing of Customer Personal Data by updating the list of Kahoot!’s current Sub-Processors available here. If the Customer has reasonable grounds to object to Kahoot!’s use of a New Sub-Processor, and such objection directly relates to Customer’s obligations under Data Protection Law, the Customer shall notify Kahoot! thereof in writing within fifteen (15) calendar days after receipt of Kahoot!’s notice.

Following such an objection from the Customer, Kahoot! shall be entitled to terminate the Agreement for convenience without being obligated to refund any amounts that the Customer has already paid, to the fullest extent permitted under applicable law.

8. Obligations of Customer

Customer warrants that it shall at all times comply with its obligations under Data Protection Laws in respect of Kahoot!’s engagement to Process any Customer Personal Data.

Customer acknowledges that the security measures set out in Annex B below are sufficient for the purposes of Processing the Customer Personal Data under this DPA.

Customer shall not, whether through action or omission, place Kahoot! in breach of any Data Protection Laws.

9. International Transfers

Customer agrees that Kahoot! shall be entitled to transfer and Process Customer Personal Data within the EU/EEA and the UK.

Subject to Section 7, Customer acknowledges that Kahoot! may transfer and Process Customer Personal Data to areas outside the EU/EEA/UK. Kahoot! shall take all reasonable steps to ensure that such transfers are made in compliance with the requirements of the Agreement, this DPA and Data Protection Law.

To the extent that Kahoot! transfers Customer Personal Data protected by Data Protection Laws to a country outside of EU/EEA/UK that is not recognized as providing an adequate level of protection for personal data (as described in applicable Data Protection Law), Kahoot! shall ensure that the transfer is based on the appropriate version(s) of the SCCs. Kahoot! shall enter into a written agreement including appropriate SCCs with all of Kahoot!’s Sub-Processors that might Process Customer Data outside the EU/EEA/UK, and shall require that its Sub-Processors abide by and Process Data in compliance with the SCCs.

10. Return or Deletion of Data

Upon termination of the Agreement, Kahoot! shall delete or return to Customer, at Customer’s choice, all Customer Personal Data in Kahoot!’s possession or control within sixty (60) days after the termination. This requirement shall not apply to the extent Kahoot! is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data that is archived in back-up systems, which Kahoot! shall securely isolate, protect from any further Processing and eventually delete in accordance with Kahoot!’s deletion policies, except to the extent required by applicable law.

Annex A – Details of Data Processing

Processor:
Kahoot! is the Processor of Customer Personal Data.

Controller:
The Customer is the Controller of Customer Personal Data.

Subject matter:
Processing of Customer Personal Data by Kahoot! on behalf of the Customer under, or in connection with, the Agreement.

Duration of Processing:
Kahoot! will Process Customer Personal Data as outlined in Section 10 (Return or Deletion of Data) of this DPA.

Purposes of Processing:
Kahoot! shall only Process Customer Personal Data for the following purposes: (i) Processing as necessary to provide the Kahoot! Services in accordance with, or in connection with, the Agreement; (ii) Processing initiated by Customer in its use of the Kahoot! Services; and (iii) Processing to comply with any other reasonable instructions by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement.

Nature of the Processing:
Kahoot! provides a learning platform, and related services, that allows users to create and upload content, play and host games and invite others to join a game, as more particularly described in the Agreement.

Data Subjects:
Customer personnel and users of Services.

Categories of Customer Personal Data:
The Customer may upload, submit or otherwise provide certain Personal Data to or for the use of the Services, the extent of which is typically determined and controlled by the Customer in its sole discretion, and may include email addresses (required for login), organization (required), username, name, location, picture, video, game scores, in-game activities, and profile bio.

Sensitive Data:
It is not the intention of either Party that Kahoot! should Process any Sensitive Data as part of the provision of the Services.

Annex B – Security Measures
The Security Measures applicable to the Service are described here (as updated from time to time in accordance with Section 3 of this DPA).

 

Archived Data Processing Agreements:

Archived DPA Effective through: January 21, 2025