Transfer of Personal Data to the U.S.

At ClassDojo, we take our commitment to your privacy and data protection seriously, that's why every ClassDojo product is designed with privacy and security first. We believe you should have meaningful control over your data and know exactly how it is used. As a US-based company, we store user data in the United States. Certain jurisdictions require specific legal requirements to be met in order to transfer this personal data from your location to the United States. When personal data is transferred outside of the European Economic Area (“EEA") or the United Kingdom (“UK”), the General Data Protection Regulation, including as implemented or adopted under the laws of the UK (“GDPR”), requires specific conditions to be fulfilled to ensure an equivalent level of protection for this data. Similar requirements are in place under the laws of Switzerland.

How can Personal Data from the EEA, the UK or Switzerland be Lawfully Transferred to the U.S.?

International transfers of personal data are regulated under the GDPR to ensure the continued protection of personal data once outside of the EEA and the UK. To ensure this, in the EEA and the UK, the GDPR sets forth the circumstances in which international transfers may take place. Swiss law takes a similar approach. These circumstances include:

• Where an adequacy decision has been adopted.  In the EEA, adequacy decisions are adopted by the EU Commission, which decides whether the recipient country ensures an adequate level of protection for personal data. A list of adequacy decisions is available here. In the UK, the Government similarly adopts adequacy regulations. This includes the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF (“UK Extension”), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) (collectively, the “DPF Programs”) are each examples of adequacy decisions; or

• Where a derogation or transfer mechanism is available:
  • Article 49 derogations (such as consent); or
  • Appropriate safeguards (i.e. transfer mechanism) which can be outlined in a legally binding instrument, such as a contract between two parties. The following have been determined to be valid transfer mechanisms under this approach:
    • The European Commission’s Standard Contractual Clauses (“SCCs”).
    • The UK Information Commissioner’s International Data Transfer Agreement or Addendum to the SCCs (“UK Addendum”).

What Mechanism under the GDPR does ClassDojo use to Transfer Personal Data to the U.S.? 

ClassDojo relies on the DPF Programs when transferring data either as a processor or controller (as that term is defined under the GDPR).

General Data Protection Regulations (GDPR)

Learn more about ClassDojo's compliance with GDPR here. To make GDPR-related data access, correction, deletion, or data download request(s), use this form. 

Data Privacy Framework

ClassDojo complies with the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce (collectively the “DPF Programs”). ClassDojo has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension.  ClassDojo has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  To learn more about the DPF Programs, and to view our certification, please visit https://www.dataprivacyframework.gov/.

ClassDojo is responsible for the processing of personal data it receives under the DPF Programs, and subsequently transfers to third-parties acting as an agent on its behalf. ClassDojo complies with the DPF Principles for all onward transfers of personal information from the EU, UK and Switzerland, including the onward transfer liability provisions.

With respect to personal data received or transferred pursuant to the DPF Programs, ClassDojo is subject to the jurisdiction and regulatory enforcement powers of the U.S. Federal Trade Commission and other authorized statutory bodies. In certain situations, ClassDojo may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

ClassDojo commits to resolve DPF Principles-related complaints about the collection and use of your personal data.  EU, UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the DPF Programs should contact us at privacy@clasdojo.com or using the form here. In compliance with the EU-U.S. DPF, the UK Extension and the Swiss-U.S. DPF, ClassDojo commits to refer unresolved complaints concerning our handling of personal data received in reliance on the DPF Programs to Truste, an alternative dispute resolution provider based in the United States.  If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit here for more information or to file a complaint.  Truste's services are provided at no cost to you.

Under certain conditions, more fully described on the DPF Programs website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

Standard Contractual Clauses:

The European Commission’s SCCs are legal contracts entered into between parties that are transferring personal data outside of the EEA into the U.S.  The SCCs may also be used for transfers of personal data outside of Switzerland.

The initial SCCs were drafted and approved by the European Commission in 2010.  Following the Schrems II decision, the European Commission published a new draft of the SCCs to incorporate the requirements of GDPR and the Schrems II decision with the final version published on June 4, 2021 (the “New SCCs”). ClassDojo is using the DPF Programs as the transfer mechanism and will no longer rely on the New SCCs.

 Existing Contracts:

• UK Schools: Post March 21, 2024, all prior use of the SCCs are no longer allowed as a valid transfer mechanism. However, the International Data Processing Addendum you previously entered into to provide required GDPR protections and meet GDPR requirements (separate from the transfer mechanism) still remains valid. Additionally, we now rely on the UK Extension for the transfer mechanism.  Alternatively, you may also choose to enter into a new International Data Processing Addendum to update your contracts with ClassDojo.  Please see the “New Contracts” section below for the process to do this.
• EEA or Switzerland-based schools:  For EEA-based schools, post December 27, 2022, all prior use of the SCCs is no longer allowed as a valid transfer mechanism. However, the International  Data Processing Addendum you previously entered into to provide required GDPR protections and meet GDPR requirements (separate from the transfer mechanism) still remains valid. Additionally, we now rely on the EU-U.S. DPF for the transfer mechanism.  For any school based in Switzerland, post September 15, 2024, all prior use of the SCCs is no longer allowed as a valid transfer mechanism. Additionally, we now rely on the Swiss-U.S. DPF for the transfer mechanism.  Alternatively, for any EEA or Switzerland based school, you may also choose to enter into a new International Data Processing Addendum to update your contracts with ClassDojo.  Please see the “New Contracts” section below for the process to do this.

New Contracts:

• UK schools:  ClassDojo provides our International Data Processing Addendum and relies on the UK Extension for the transfer mechanism and will no longer rely on the UK Addendum as the transfer mechanism.  If you would like to enter into ClassDojo’s International Data Processing Addendum, please email privacy@classdojo.com.
• EEA-based schools: ClassDojo provides our International Data Processing Addendum and relies on the EU-U.S. DPF for the transfer mechanism and will no longer rely on the New SCCs as the transfer mechanism. If you would like to reenter into ClassDojo's International  Data Processing Addendum, please email privacy@classdojo.com.
• Switzerland-based schools: ClassDojo provides our International Data Processing Addendum and relies on the Swiss-U.S. DPF for the transfer mechanism and will no longer rely on the New SCCs as the transfer mechanism. If you want to enter into ClassDojo's International Data Processing Addendum, please email privacy@classdojo.com.

Additional Resources:

• ClassDojo's Trust Center
• ClassDojo's Privacy Policy
• ClassDojo's Information Transparency page
• ClassDojo's Security Overview