Effective Date: January 1, 2025 | Last Updated: March 13, 2026

Data Processing Addendum


This DPA applies to the extent Enrolla processes Personal Data on your behalf in the course of providing the Services.

This Data Processing Addendum ("DPA") forms part of the Master Services Agreement or other written agreement between Snow Growth Marketing Inc. ("Enrolla") and Customer for use of the Enrolla Services. It applies to the extent Enrolla processes Personal Data on Customer's behalf.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person processed by Enrolla on behalf of Customer.

"Processing" means any operation performed on Personal Data, including collection, storage, access, use, disclosure, or deletion.

"Subprocessor" means a third party engaged by Enrolla to process Personal Data.

"Security Incident" means the unauthorized access, use, or disclosure of Personal Data.

"Applicable Data Protection Laws" includes PIPEDA, the EU/UK GDPR (where applicable), CASL (with respect to electronic communications), FERPA (where applicable), and similar laws in jurisdictions relevant to Customer.

"Student Data" has the meaning given in the Master Services Agreement.

2. Roles of the Parties

Customer acts as the Data Controller (or equivalent responsible party) with respect to Personal Data submitted through the Services. Enrolla acts as the Data Processor, processing Personal Data solely on Customer's behalf and in accordance with Customer's documented instructions. Each Party agrees to comply with Applicable Data Protection Laws in its respective role.

3. Scope and Purpose of Processing

Enrolla processes Personal Data solely to provide the Services in accordance with the Agreement, including:

  • Hosting and serving the Enrolla platform.
  • Managing user accounts and authentication.
  • Providing program recommendations and student engagement features.
  • Delivering student inquiries and lead data to Customer.
  • Providing support, communications, and platform improvements.

Enrolla does not sell Personal Data or use it for advertising, profiling, or purposes unrelated to the Services.

4. FERPA Acknowledgment

Where Customer is a U.S. educational institution subject to FERPA, this section applies:

School Official Designation: To the extent Enrolla processes education records (as defined under FERPA) on behalf of Customer, Enrolla agrees to act as a "school official" with a "legitimate educational interest" as those terms are used under FERPA, solely for the purpose of providing the Services. Enrolla shall:

  • Use education records only for the purposes for which they were disclosed;
  • Not re-disclose education records to third parties without Customer's prior written authorization, except as required by law or to Subprocessors bound by FERPA-equivalent obligations;
  • Comply with FERPA's requirements applicable to school officials acting on behalf of an educational institution.

Customer's Obligations: Customer represents and warrants that its disclosure of education records to Enrolla is permitted under FERPA, including under the school official exception or another applicable exception. Customer remains the FERPA-responsible institution and retains control over education records at all times.

Conflicts: In any conflict between this Section 4 and another provision of this DPA regarding education records, this Section 4 controls.

5. Data Ownership and Use Restrictions

All Customer Data, including Student Data and College Data, processed through the Software remains the sole property of Customer. Enrolla:

  • Shall not sell, license, or disclose Customer Data to third parties except as permitted under this DPA.
  • Shall not use Customer Data for advertising, profiling, or any purpose unrelated to delivering the Services.
  • Shall use Student Data solely to provide program recommendations, deliver inquiries to Customer, support Customer's enrollment activities, and improve Software functionality.

6. Security Measures

Enrolla implements the following technical and organizational measures to protect Personal Data:

  • Encryption in transit using TLS 1.2 or higher.
  • Encryption at rest using AES-256.
  • Role-based access controls and audit logging.
  • Data segregation across tenants.
  • Annual security reviews and vulnerability assessments.
  • Employee confidentiality agreements and security training.

7. Subprocessors

Enrolla may engage Subprocessors to support delivery of the Services. A current list of Subprocessors is published at enrolla.com/legal/subprocessors. Enrolla will:

  • Ensure Subprocessors are bound by written agreements with data protection obligations at least as protective as this DPA.
  • Notify Customer of any material changes to its Subprocessor list with at least 10 days' prior written notice.
  • Remain liable for Subprocessor actions that cause a breach of this DPA.

8. International Data Transfers

Where Enrolla transfers Personal Data outside the jurisdiction in which it was collected (including between Canada and the United States, or to other countries where Subprocessors operate), Enrolla will ensure such transfers comply with Applicable Data Protection Laws and are subject to appropriate safeguards, which may include:

  • Reliance on an adequacy decision or finding by a relevant supervisory authority.
  • Standard Contractual Clauses (SCCs) as adopted by the European Commission, where EU/UK GDPR applies.
  • Canada's PIPEDA cross-border transfer requirements, including contractual protections with recipients.
  • Any other lawful transfer mechanism recognized under applicable law.

Upon written request, Enrolla will provide documentation of the safeguards in place for any specific transfer.

9. Security Incident Notification

In the event of a confirmed or reasonably suspected Security Incident involving Customer's Personal Data, Enrolla will:

  • Notify Customer without unreasonable delay and no later than 72 hours after becoming aware of the incident.
  • Provide available details of the incident, including its nature, scope, data affected, and mitigation steps taken.
  • Cooperate with Customer to meet applicable regulatory notification obligations.

Notification to Enrolla's own regulators or affected individuals, where legally required, remains Customer's responsibility as Data Controller.

10. Data Subject Rights

Where legally required, Enrolla will assist Customer in fulfilling requests from individuals exercising rights under Applicable Data Protection Laws, including rights of access, correction, deletion, portability, and objection. Customer is responsible for verifying requests and providing instructions to Enrolla.

11. Audit Rights

Upon reasonable written request and subject to confidentiality obligations, Enrolla will provide documentation or certifications to demonstrate compliance with this DPA. Customer may request a third-party audit (at its own expense) no more than once per calendar year, unless required by law or following a confirmed Security Incident.

12. Return or Deletion of Data

Upon termination of the Agreement, Enrolla will, at Customer's election, return or securely delete Customer's Personal Data within 30 days, unless retention is required by applicable law. Upon request, Enrolla will provide written confirmation of deletion.

13. CASL and Email Compliance

To the extent Enrolla sends commercial electronic messages on behalf of Customer, Enrolla will do so only in accordance with Customer's documented instructions and in compliance with CASL. Customer, as Data Controller, is responsible for ensuring that the contact data provided to Enrolla for such communications was collected with appropriate consent and that all applicable CASL obligations (including identification, unsubscribe mechanisms, and consent records) are satisfied.

14. Advertising Platforms

Enrolla uses advertising pixels and conversion tracking tools from Google Ads, Meta, and LinkedIn solely for marketing its own platform to prospective business customers on enrolla.com. Enrolla does not share Student Data or Customer Data with these advertising platforms. These platforms act as independent data controllers for their own purposes and are not Subprocessors under this DPA.

15. Miscellaneous

This DPA is governed by the laws specified in the Agreement. In case of conflict between this DPA and the Agreement on data protection matters, this DPA controls. This DPA does not modify the limitation of liability provisions of the Agreement.

16. Contact

Snow Growth Marketing Inc.

7017 9th Line, Thornton, Ontario, Canada, L0L 2N0

Email: privacy@enrolla.com

ProductsServicesPricingAboutContact

© 2025 Enrolla. All rights reserved.

Book a Demo

See how our platform works and get your questions answered — no pressure, no commitments. 15–30 min personalized walkthrough

This is an error message.

Thank you. Your demo request has been received!

Thanks for reaching out. We’ll connect with you within one business day to book your demo. In the meantime, explore our platform and keep an eye on your inbox for next steps.

OK
Oops! Something went wrong while submitting the form.