International Data Privacy Addendum

Effective Date: February 1, 2026

Last Updated: January 29, 2026

Introduction

Following the acquisition of specific business units from Anthology (including Lifecycle Engagement and Student Success solutions), Encoura now processes data on a global scale. This International Data Privacy Addendum supplements our general Privacy Policy and applies specifically to our clients and users located outside of the United States, including those in the European Economic Area (EEA), the United Kingdom (UK), and Switzerland.

1. International Data Transfers and Residency

Encoura operates a global infrastructure with distinct data residency commitments depending on the product line.

Data Residency (EU Storage)

For our clients utilizing the Lifecycle Engagement and Student Success solutions acquired from Anthology:

  • Data collected and stored in the European Union (EU) will remain hosted in the EU.
  • We commit to maintaining this data within the EEA/UK data centers as originally contracted, ensuring that the primary storage of your personal data remains within your region of origin.

Legal Basis for Transfer (Access & Processing)

While the primary data storage remains in the EU, personal data is accessed from (and therefore legally "transferred to") the United States and other locations for support, maintenance, and sub-processor activities. To ensure this access is protected, Encoura relies on the following legal mechanisms:

  • Standard Contractual Clauses (SCCs): We utilize the European Commission’s 2021 Standard Contractual Clauses (specifically the Processor-to-Processor and Controller-to-Processor modules, as applicable). These clauses are incorporated into Encoura’s intra-group data transfer agreements to legalize remote access from our US headquarters.
  • UK International Data Transfer Addendum: For remote access to data originating from the UK, we adhere to the UK Addendum to the EU Standard Contractual Clauses.
  • Data Privacy Framework (Alignment): While Encoura is currently in the process of finalizing its certification under the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, we currently align our internal practices with the DPF Principles regarding notice, choice, accountability for onward transfer, security, data integrity, purpose limitation, access, and recourse.

2. Hosting Approach and Client Support Model

Our hosting strategy ensures data residency compliance while enabling global support.

  • EU Data Centers: As noted above, the Lifecycle Engagement and Student Success products for our European clients are hosted in data centers located within the European Union.
  • US Data Centers: Legacy Encoura products and specific Anthology components for non-EU clients continue to be hosted in the United States.
  • Global Support Access: Access from outside the EU hosting location is necessary for client support, product maintenance purposes, and additional functionalities. Product teams in our US and global locations may have remote access to EU environments containing client data to maintain the products (e.g., reviewing performance issues) and to provide specialist expertise for client support cases.
  • Vendor Access: Additionally, our vendors (third-party sub-processors) may require access to client data for them to provide the contracted services. Any access takes place only on a strictly need-to-know basis.

Such processing of personal information outside the usual hosting location only takes place in accordance with applicable data privacy laws & regulations and our contractual permissions and commitments.

3. Protecting Transferred Data

To ensure that client/student data receives a high level of protection when it is accessed from outside the hosting locations, we apply a GDPR-level of standards globally to all of our departments and teams.

Security Measures include:

  • Encryption in Transit: When data is transferred via the internet (including remote access sessions), it is encrypted using industry-standard protocols (TLS 1.2+).
  • Encryption at Rest: Available for all key products.
  • Least-Privilege Access: Employees only have access to the personal information they need for the performance of their role.
  • Multi-Factor Authentication (MFA): Required for all employees accessing the IT infrastructure and client data.
  • Compliance Certifications: We maintain rigorous security standards, including SOC 2 Type II and TX-RAMP certifications, demonstrating our commitment to data security and compliance.
  • Detailed Contractual Commitments: We maintain strict agreements regarding the level of security controls with all downstream vendors.

4. Our Data Privacy Commitments

  • Our clients own their data: We understand that personal information of our clients’ users is only entrusted to us. We have a responsibility to protect it vigilantly and only use it in accordance with all applicable data privacy laws and as agreed with our clients.
  • We do not sell student data: We do not sell student personal information collected via our institutional success tools to third parties or data brokers, nor do we disclose this specific student personal information for targeted advertising purposes.
  • Privacy by Design: We help our clients with data-driven insights and personalization. Our privacy team works closely with our product teams on these innovations, and we apply a "Privacy by Design" approach to all new feature development.

5. Responsibility for Vendors

Encoura accepts responsibility for the data privacy practices of our vendors. Our vendor risk management processes ensure that:

  • We have robust contracts that include a Data Processing Addendum (DPA) in place with our sub-processors, imposing materially equivalent provisions to those we have in place with our clients.
  • New vendors with access to personal information must complete a vendor security and data privacy due diligence questionnaire, allowing us to assess their standards.
  • Vendors with access to Encoura-managed systems are required to follow Encoura’s internal access control and identity authorization policies.

6. Contact Us

If you have questions regarding international data transfers or our reliance on Standard Contractual Clauses, please contact our Data Privacy Officer:

Email: privacy@encoura.org