D2L Master Terms and Conditions Agreement, dated as of October 31, 2019 by and between American Public University System, Inc. and D2L Ltd

Terms and Conditions (“Terms and Conditions”), along with the exhibits attached hereto (including the D2L Data Processing Addendum attached hereto as Exhibit A (“DPA”)) (each an “Exhibit”) and any order form or statement of work, or combination thereof, signed by D2L Ltd. (“D2L”) and American Public University System, Inc. (“Client”) that accompany or reference these Terms and Conditions (each an “Order”), form the agreement (“Agreement”) between D2L and the Client. This Agreement is entered into, and made effective as of, October 31, 2019 (“Effective Date”), and D2L and the Client agree to be legally bound by this Agreement.

(a)D2L will provide the Services set out in the Order (and all related incidental services, functions, and responsibilities not specifically set forth on the Order but that are nonetheless reasonably required for the proper performance and provision of the services set out in the Order) in accordance with this Agreement. “Services” means (a) the applications (including the software identified in the Order (“Software”) and Enhancements and D2L-developed Extensions (as defined in Section 7) thereto); (b) all Work Product (as defined in Section S) made available to Client, and/or (c) any other materials, software, duties, functions, tasks, or services that D2L provides, facilitates, makes available or performs under this Agreement and includes, without limitation, any professional services (including, without limitation, consulting, training, implementation, installation, support, integration, and customization services) set forth in an Order (any such professional services, “Professional Services”).

(b)D2L shall maintain appropriate administrative, physical and technical safeguards to assure the security, privacy and integrity of the Services and Client Data (as defined in Section 7 below) throughout the Term that are at least consistent with then-current industry standards and that include compliance with, and maintenance of certifications of compliance with, ISO 27001, ISO 27018, and SSAE 16 SOC 1 and SOC 2 and all other security requirements as set forth in the Agreement (collectively, the “Security Commitments”). [***]

(c)Client acknowledges that Client’s use of Services will involve transmission over the Internet and other networks, only part of which may be owned or controlled by D2L or by its Subcontractors. D2L is not responsible for any Client Data which is delayed, lost, altered, intercepted or stored during the transmission of any data whatsoever across networks not owned or controlled by D2L or by its Subcontractors, subject to D2L’s and its Subcontractors’ compliance with the terms and conditions of this Agreement.

(d)At all times the Services shall, at a minimum, have the features, functionality, and capabilities described in the portions of the “D2L Proposal to American Public University System Request for Confirmation of Discovery Findings Momentum Delivery System” dated April 18, 2019 (“RFP Response”) included on Exhibit I. In the event of any conflict between the RFP Response and any other terms of the Agreement, the terms of the Agreement shall control.

(a)Upon the start date listed in the relevant Order, D2L shall permit Client and Authorized Users (as hereinafter defined) to access and use the software Services specified in an Order in a non-exclusive, non-transferable, time-limited (i.e., revoked upon termination) manner as set forth in the Order during the term specified in the Order.

(b)“Authorized Users” means students, faculty, administrators, personnel, and agents of Client Entities (as hereinafter defined) who Client authorizes to use or access the software Services under this Agreement. For the avoidance of doubt, Authorized Users includes (a) users who use the Services as learners (including students as well as faculty, administrators, personnel, and agents who use the Services for purposes of continuing education, training, professional development, etc.), (b) users who use the Services for teaching and providing instruction, (c) users who use the Services for IT support and administration, and (d) users who use the Services for receiving or providing training. “Client Entities” means Client, Client’s parent company and its current and future affiliates, and any

Client Customer identified in an Order. “Client Customers” means third party educational institutions, organizations, and business entities that receive online program management services or similar services from Client [***].

(c)Except for Client Entities, Client Customers, and Approved Third Parties (as such term is defined in Section 7), no third party, other educational institution, or business group or entity may make use of, or obtain access to, the Services without a separate agreement. Client Entities may use or access the Services only for their benefit and/or the benefit of Authorized Users and for internal business purposes.

(d)D2L allocates up to 500MB of storage space per each Authorized User and may charge additional fees of no more than S5.00USD per GB per year in excess of the Aggregate Amount of Storage Space (where “Aggregate Amount of Storage Space” means the number of Authorized Users x 500MB) D2L may review Client’s usage of the storage space no more than once a year for the purpose of ensuring the space is being used by Authorized Users in manner consistent with the limits set out above in this Section and customary market practices. If such review reveals that Client’s use of storage space exceeds the storage and/or is not customary, D2L and Client shall discuss such non-customary use and may mutually agree to rates for additional amounts of storage space, such rates to be no greater than then-current rates for storage as set out above in this Section.

(e)For the avoidance of doubt, if requested by Client (and provided always that Professional Services fees required for setting up each such separate instance are purchased by Client or a Client Entity if applicable), each Client Entity shall have its own instance of the Software with separate branding for such Client Entity (“Client Entity Branding”) and separate data (“Client Entity Data”) and, unless otherwise mutually agreed to by the parties, D2L shall not comingle (as between separate instances) the Client Entity Data of Client Entities or make Client Entity Data of one Client Entity accessible to any other Client Entity (other than Client); however, for purposes of this Agreement, references to “Client Data” shall include all Client Entity Data and references to “Client Branding” shall include Client Entity Branding. For clarity, an “instance” represents a new implementation for a Client Entity that requires separate, segregated data.

3.Representations and Warranties. D2L represents and warrants that (i) the Services will achieve in all material respects, the functionality described in the applicable documentation and otherwise operate in accordance with the applicable documentation, tutorials, specifications, and this Agreement; [***] (iv) D2L owns and/or has the necessary proprietary and other intellectual property rights to provide the Services; (v) D2L has the requisite and necessary experience and expertise, and all necessary licenses, permits, authorizations, facilities, and personnel, to perform the Services; (vi) D2L shall provide and maintain the Services throughout the Term; (vii) other than updates to and replacements of existing Services that result in substantially the same functionality as existing Services, D2L has no present plan or intent to discontinue the availability of any Services and will give Client prompt written notice of any such future plan or intent; (viii) [***]; (ix) the Services will be performed in a professional, diligent, and workmanlike manner that meets or exceeds industry standards and with at least the same level of care and skill as D2L provides to similarly-situated customers; and (x) D2L has implemented, and shall maintain throughout the Term, the Security Commitments. Except as set forth in this Agreement, the Services, Client’s Systems, and Client Data are provided “as-is”, and neither party makes any warranties, representations, or guarantees, express or implied, oral or written, with respect to the Services, Client’s Systems, or the Client Data. D2L does not warrant that Services are error-free and Client does not warrant that the Client’s Systems or the Client Data is error-free. Each party specifically disclaims any implied warranties of merchantability, fitness for a particular purpose, or arising from a course of performance, dealing, or usage of trade. There is no such thing as perfect security, and D2L cannot guarantee or warrant the security of any data that D2L receives and stores beyond its obligation to comply with the Security Commitments and this Agreement.

4.Confidentiality. “Confidential Information” means information that the disclosing party would reasonably expect to be kept confidential, including, without limitation, this Agreement, and any technical, business, marketing, proprietary, trade secret, personal or other information in any form (e.g., oral, written, electronic). Client’s Confidential information includes, but is not limited to, Client Data. A party receiving Confidential Information (the “receiving party”) of the other party (the “disclosing party”) agrees to (i) hold it in strictest confidence and not disclose it to any third party without the disclosing party’s written consent; (ii) protect it from

unauthorized disclosure with the same standard of care used to protect its own confidential information of a similar nature but not less than a reasonable standard of care; (iii) restrict disclosure solely to those of the receiving party’s officers, employees, agents, attorneys, accountants, consultants, and advisors who have a need to know and who are bound by terms substantially similar to the terms set forth herein; and (iv) use it only in connection with providing and receiving the Services and otherwise in connection with its performance under this Agreement. The receiving party shall not be bound by the confidentiality obligations in this Section 4 (i) if the Confidential Information of the disclosing party is required to be disclosed pursuant to court or regulatory order, provided that, where feasible, the receiving party provides the disclosing party with prompt notice of such order so that the disclosing party is given a reasonable opportunity to seek a protective order or pursue other remedies to protect the confidentiality of the Confidential Information (and if such protective order or other remedy is not obtained, the receiving party only discloses that portion of the Confidential Information that it is legally required to disclose and, in connection with the disclosing party, uses all reasonable efforts to assure that the disclosed Confidential Information is maintained in confidence by the party to whom it is provided); (ii) with respect to information that was already rightfully in the receiving party’s possession before the commencement of negotiations that led to this Agreement or was independently developed by the receiving party without reference to or use of the disclosing party’s Confidential Information; (iii) with respect to information that is learned from a third party under no apparent duty of confidentiality and is not otherwise protected under law; or (iv) with respect to Confidential information that becomes part of the public domain other than as a result of a breach of this section and is not otherwise protected under law; provided that (iii) does not apply to information learned from Authorized Users. If the receiving party breaches the obligations in this Section 4, monetary damages would not adequately compensate the disclosing party for the harm it would suffer and the disclosing party shall be entitled to seek injunctive relief in addition to other available legal and equitable remedies. As set forth in Section 24(xiii), this section supersedes the Initial NDA (as such term is defined in Section 24(xiii)). All Confidential Information disclosed under the initial NDA shall be deemed to have been disclosed hereunder. Such obligation of confidentiality shall extend beyond expiration or termination of the Agreement for as long as D2L Processes (as such term is defined in the DPA), or otherwise has access to, Confidential Information.

5.Personal Data. D2L shall not collect, use, disclose, or otherwise make available any Personal Data of Authorized Users of the Services except as permitted under this Agreement and in accordance with the DPA. “Personal Data” means any information that (i) identifies, relates to, describes, is capable of being associated with, or could reasonably be finked, directly or indirectly, with an identified or identifiable individual or, to the extent the CCPA (as defined in the DPA) applies, a particular household; or (ii) is governed, regulated, or protected by one or more relevant Data Protection Laws.

6.Acceptance Testing. Upon the delivery of each deliverable under an Order containing a statement of work for Professional Services resulting in the production of courseware, reports or other deliverables, Client shall have ten (10) days (or such other period specified in the Order with respect to a specific deliverable) (“Acceptance Testing Period”) to inspect and test such deliverable to determine whether it in all material respects (i) conforms to its documentation and otherwise complies with this Agreement and (ii) otherwise satisfies all acceptance criteria specified in the Order (collectively, (i) and (ii), “Acceptance Criteria”). In the event that [***].

(a)D2L or its licensors retain sole and exclusive ownership of and all intellectual property rights (“IP”) in the Services, which include: the Software (and Enhancements and D2L-developed Extensions (other than Client-Funded Extensions) (as hereinafter defined) thereto), tools, methodologies, questionnaires, responses (other than Work Product), proprietary research, data (other than Client Data), requirements, and specifications. Notwithstanding anything to the contrary herein, Client-Funded Extensions may include (a) pre-existing IP (i.e., existing prior the Effective Date); and/or (b) independently-developed IP (i.e., developed without use of Client’s Confidential Information or resources) belonging to D2L or its licensors, and nothing herein shall operate to transfer ownership of such pre-existing or independently-developed IP, except that Client is granted the licenses to use such IP as set out in this Agreement

(b)“Enhancements” means configurations, customizations, modifications, and enhancements to the Software; provided, however, Extensions (as hereinafter defined) are not Enhancements. “Extensions” means plug-ins, add-ons, and other extensions that integrate with the Software and/or other software Services. An Extension may be developed by Client, a third party, or D2L (any Extension developed by D2L is a “D2L-developed Extension”). Subject to subsection 7(i) above, any D2L-developed Extension that is expressly agreed in such statement of work is to be owned by Client (a “Client-Funded Extension”) shall be deemed Work Product that is owned by Client as set forth in Section 8.

(c)IP is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. Each party reserves its rights and interests in connection with its IP, except as expressly granted to the other party pursuant to this Agreement. Except for the usage rights granted in Section 2, D2L does not transfer any title to or interest in its IP in the Services.

(d)The relationship of the parties under this Agreement is non-exclusive; subject to the confidentiality obligations under Section 4, (a) D2L may render services to others and develop work products that are competitive with, or functionally comparable to, the Services and (b) Client may utilize other service providers that provide services and work products that are competitive with, or functionally comparable to, the Services.

(e)[***].

(f)[***].

(vii)    D2L shall not be restricted in its use of ideas, concepts, know-how, data and techniques acquired or learned in the course of performing the Services, provided that D2L shall not use or disclose any of Client’s Confidential Information, including any Personal Data, for any purpose other than providing the Services to Client in accordance with this Agreement, and Client shall not be restricted in its use of ideas, concepts, know-how, data and techniques acquired or learned in the course of using the Services subject to Client’s obligations under Sections 4 or 7 with respect to D2L’s Confidential Information and IP. For the avoidance of doubt, nothing in this Section 7 affects Client’s ownership of Client Data (as defined below), which is the IP of Client and is subject to Section 8.

(a)As between Client and D2L, Client owns and retains all right, title and interest to all information, data, results, curriculums, content, or other materials uploaded to or through the Services by any Client Entity or an Authorized User or otherwise provided by a Client Entity or an Authorized User to D2L (including Personal Data that may be processed, stored, or transmitted in the course of using the Services) (collectively, “Client Data”). Additionally, as between Client and D2L, Client owns and retains all right, title and interest to (a) Student Records, (b) business processes and use cases of Client Entities, (c) usage data generated in connection with a Client Entity’s and/or Authorized Users’ use of the Services as may be made available to Client through its use of the Services; (d) data, reports, information, and other outputs created by or resulting from a Client Entity’s and/or Authorized Users’ use of the Services as may be made available to Client; and (e), should the parties expressly agree as such in a statement of work, D2L-developed deliverables (including documents, plans, recommendations, reports, designs, analysis, and courseware that D2L develops for a Client Entity) and the IP in such deliverables (collectively, (b), (c), (d), and (e), “Work Product”). (For the avoidance of doubt, notwithstanding the foregoing, D2L acknowledges and agrees that the cases, data, reports, information, and other outputs covered by (a) - (d) are Client’s Confidential Information regardless of whether they are “made available to Client.”) Work Product does not include the Software, Enhancements, D2L-developed Extensions other than Client-Funded Extensions, or any pre-existing (i.e., existing prior the Effective Date) or, with respect to (e), independently- developed IP (i.e., developed without use of Client’s Confidential Information or resources) belonging to D2L or its licensors. D2L hereby assigns to Client all right, title, and interest in and to all Work Product. Except as expressly set out in Section 7 and Section 8{i) above (with respect to D2L’s ownership of pre-existing or independently-developed IP) or in Section 20 below (with respect to D2L’s ownership of algorithm, computational, or cumulative results of Analysis), D2L makes no claim of title or ownership to or in Client Data or Work Product. Client permits D2L to use Client Data and Work Product to the extent required to provide and perform the Services under this Agreement. To the extent that D2L incorporates or

includes any pre-existing or independently-developed IP in any Work Product, and Client is not otherwise granted a license to use such IP under this Agreement, D2L hereby grants Client a perpetual, non-revocable, non-exclusive, sublicensable, transferable, worldwide, royalty-free license to use such IP in connection with use of the Work Product.

(b)D2L will comply with Client’s branding guidelines where Client engages D2L to create a Client-branded offering of Services, and Client grants D2L non-exclusive, worldwide permission to use its logo, trademarks, and other branding (collectively, “Client Branding”) for the sole purpose of creating, distributing and maintaining for Client a Client-branded version of Services; provided that all uses of Client Branding shall require the prior written approval of Client. Any and all goodwill in Client Branding arising from D2L’s use of the Client Branding shall inure solely to the benefit of Client, and Client owns and retains all right, title, and interest to the Client Branding. D2L will not use Client Branding for any other purpose except as set out in this Agreement without the express written consent of Client.

(c)D2L grants Client non-exclusive, worldwide permission to use its logo, trademarks, and other branding (collectively, “D2L Branding”) for uses approved by D2L, which may include joint white papers and/or conference presentations.

(d)D2L shall not display or include any D2L Branding on any portion of the Services that are visible to Authorized Users (including, without limitation, on any Software interfaces) without the prior written consent of Client, and, where such consent is provided, only in the form and manner approved by Client. Client agrees that D2L Branding may be included in training videos and/or documentation without requiring Client’s prior written consent. In the event any D2L Branding is used on a mobile application, D2L shall provide prior written notice to Client before making such mobile application accessible to Authorized Users, and, if Client consents to such use of D2L Branding and D2L later makes such mobile application available to its other clients without D2L Branding, then D2L shall provide notice to Client of such de-branding and, if requested by Client, D2L shall also remove the D2L Branding from the mobile applications accessible to Authorized Users.

(e)The parties shall mutually agree in writing to the URLs used for Authorized Users to access the Software and any other URLs that are presented to Authorized Users through links in the Software.

(f)If Client provides D2L with materials owned or controlled by a Client Entity or with use of, or access to, such materials for D2L to use in connection with this Agreement, Client grants to D2L all rights and licenses that are necessary for D2L to use such materials for purposes of fulfilling its obligations hereunder provided that D2L uses such materials only as directed by Client and complies with any restrictions communicated by Client to D2L regarding its use of such materials.

(g)Any default in D2L’s obligations under this Section 8 may cause irreparable harm to Client. If D2L takes or threatens any action that may infringe on Client’s IP rights, Client may seek injunctive or other equitable relief in addition to any damages to which Client may be entitled,

9.Restrictions. Except as permitted by this Agreement, Client shall not (i) attempt to decompile, disassemble, modify the source code of, or reverse engineer the Services; (ii) use, reproduce, transmit, modify, adapt or translate the Services; (iii) rent, lease, license, transfer, assign, sell or otherwise provide access to the Services on a temporary or permanent basis; (iv) use or cause or allow a third party to use the Services in any way to develop competing products or services; or (v) alter, remove or cover proprietary notices in or on the Services. Any default in Client’s obligations under this section may cause irreparable harm to D2L. If Client takes or threatens any action that may infringe on D2L’s IP rights, D2L may seek injunctive or other equitable relief in addition to any damages to which D2L may be entitled.

(a)Throughout the Term, D2L shall, at a minimum, provide the support Services set forth at https://www.d2l.com/legal/d2l-support-schedule/ (“D2L Support Schedule”) for all Orders. The version of the D2L

Support Schedule in effect as of the Effective Date is attached hereto as Exhibit D and incorporated herein by reference. The D2L Support Schedule may be updated from time-to-time by D2L; however, [***].

(b)[***]

(c)[***].

(d)[***].

11.Service Levels. Throughout the Term, D2L shall comply with the commitments set forth on the Service Level Addendum (“SLA”) attached hereto as Exhibit E, including by (i) using reasonable commercial efforts to ensure that its software Services meet the Availability Commitment set forth in Exhibit E and (ii) providing credit to Client for downtime as set forth in Exhibit E.

12.Business Continuity; Disaster Recovery. Throughout the Term, D2L shall maintain back-up, redundancy, and disaster recovery processes/procedures for the software Services that are consistent with reasonable industry standards. Such processes/procedures shall include [***].

13.Data Protections and Security. D2L acknowledges and agrees that the DPA applies to the Services and D2L’s performance under this Agreement, and D2L shall comply with its obligations.

(a)Client shall at all times be the sole entity responsible for its management and operations and the offering of its academic programs, and Client’s use of the Services shall at all times be subject to the direct oversight and approval of Client. As between Client and D2L, Client shall at all times be responsible for, without limitation: (a) setting admissions standards and criteria and determining the admissibility of individual students and transferability of previously earned credits; (b) setting enrollment capacity, and opening and staffing sufficient sections to accommodate such capacity; (c) maintaining student records; (d) determining financial aid eligibility and financial aid packaging and disbursement; and (e) performing all other customary university functions (e.g., registrar, bursar, and academic advising).

(b)If, and to the extent that, D2L receives or has access to student-related records and Personal Data contained in such records, including without limitation Personal Data integrated with the Services through Client’s or any Client Entity’s student information system (collectively, “Student Records”), D2L agrees, and will require any subcontractors, to maintain Student Records in accordance with the requirements of the Family Educational Rights and Privacy Act (20 O.S.C. § 1232g) and its implementing regulations (34 C.F.R. Pt. 99), as each may be amended from time to time (“FERPA”) and other applicable laws, rules, and regulations pertinent to Student Records. Without limiting the foregoing, D2L agrees that (a) it is subject to the requirements of 34 C.F.R. § 99.33(a) governing the use and redisclosure of Student Records; (b) it shall not maintain, use, disclose, or allow access to Student Records except as permitted by law and by this Agreement or as otherwise authorized by Client; and (c) to the extent that Client discloses Student Records to D2L under this Agreement, D2L personnel and any subcontractors shall use and shall have access to the information only for the purposes for which disclosure is made.

(c)D2L shall be responsible for ensuring that the Services in comply with (a) the Americans with Disabilities Act of 1990, 42 U.S.C. § 1210 et seq., Section 504 of the Rehabilitation Act of 1973, as amended (29 U.S.C. § 794) and its implementing regulations set forth at Title 34, Code of Federal Regulations, Part 104, and all other state and federal laws, rules, and regulations regarding disabled access and prevention of discrimination against individuals with disabilities and (b) the standards and recommendations included in Web Content Accessibility Guidelines 2.1 Level AA as published by the Web Accessibility Initiative of the World Wide Web Consortium and any successor guidelines thereto (collectively, (a) and (b), “Accessibility Standards”). Prior to the Effective Date and at reasonable intervals consistent with industry practice during the Term, D2L shall make available to Client or provide Client with (1) a Voluntary Product Accessibility Template (VPAT) demonstrating the Services’ compliance with the Accessibility Standards, which shall be updated at least once every six (6) months, and (2) a copy of its multi-

year accessibility plan. The VPAT is available at https://www.d2l.com/accessibility/standards/, and the accessibility plan is available at https://www.d2l.com/legal/accessibility-plan/. D2L shall use commercially reasonable efforts to implement and follow its accessibility plan. Without limiting D2L’s obligations under this Section 14(iii), in the event that D2L or Client discovers any non-compliance with the foregoing laws, standards, recommendations or guidelines, D2L shall correct such non-compliance promptly at no cost to Client in a manner and timeframe commensurate with its severity. Upon advance notice and guidance, Client may request, and D2L agrees to make (consistent with Client’s notice and guidance), commercially reasonable efforts to implement remediations required to comply with the foregoing laws, standards, recommendations, or guidelines.

(d)[***].

(a)At all times while on Client’s premises or performing the obligations and providing the Services, D2L will observe and abide by all Client rules, policies, and procedures communicated in writing in advance to D2L, including, without limitation, those rules, policies, and procedures pertaining to the conduct, operations, health, safety and protection of persons and property, security, intellectual property, and information technology infrastructure.

(b)If Client provides D2L with access to its Systems (as defined in the DPA), then (a) any and all information accessed by D2L on Client’s Systems shall be considered Confidential Information of Client and shall be subject to the obligations of confidentiality set forth in this Agreement; (b) Client’s Systems shall be used by D2L solely to perform Services for Client and shall not be used for any purpose other than the legitimate business purposes of Client; (c) subject to Section 4.1 of the DPA, access to Client’s Systems shall be restricted to D2L and only those of D2L’s Subcontractors that D2L has requested access for and which Client has approved in writing (such approval not to be unreasonably withheld, delayed, or conditioned) who require access in order for D2L to fulfill D2L’s obligations under this Agreement and no access will be provided to any other individuals without the prior written consent of Client; and (d) D2L will ensure that its personnel and its Subcontractors’ personnel do not attempt to break, bypass, or circumvent Client’s physical or cyber security systems, or attempt to obtain access to any hardware, programs, or data beyond the scope of the access granted by Client Without limiting any of its other rights, Client reserves the right to terminate, restrict, and monitor the access and use of Client’s Systems by D2L and/or its Subcontractors, and to access, seize, copy, and disclose any information, data, or files developed, processed, transmitted, displayed, reproduced, or otherwise accessed in conjunction with such use.

(c)D2L will designate an individual in the Order to act as the primary point of contact between the parties with respect to the Services (“Program Manager”). The individual designated by D2L to serve as the Program Manager shall be subject to the prior approval of Client, and such approval shall not be unreasonably withheld, delayed, or conditioned. The Program Manager shall keep Client up-to-date on the performance of Services and promptly inform Client in writing in the event any concerns or issues arise. D2L shall use reasonable commercial efforts to keep the Program Manager dedicated to the performance of the Order until completion thereof. D2L may not (other than for reasons beyond its reasonable control or as required by law) reassign or replace the Program Manager without Client’s prior written consent (such consent not to be unreasonably withheld, delayed, or conditioned) and until a replacement approved by Client is assigned to such position. D2L shall ensure that any replacement of the Program Manager [***].

(d)Other than any third parties, vendors, service providers, or other subcontractors (collectively, “Subcontractors”) specifically referenced in this Agreement or in an Order, D2L shall not engage or use any Subcontractors in the performance of the Services or otherwise delegate or assign any of its obligations or duties under this Agreement without the prior written consent of Client (such consent not to be unreasonably withheld, delayed or conditioned). D2L shall use reasonable commercial efforts cause all of its Subcontractors to comply with all applicable laws, rules, and regulations and terms of this Agreement (including, without limitation, the confidentiality obligations in Section 4 and the Security Commitments). D2L shall be responsible and liable for the performance of its Subcontractors and all acts, errors, and omissions of its Subcontractors (and any act, error, or

omission of a Subcontractor that would be a breach of this Agreement if the act, error, or omission were by D2L shall be deemed a breach of this Agreement by D2L).

(e)Client Data shall be stored in the United States. All support and implementation Services shall be provided from either Canada, the United States, or Australia.

(f)D2L shall maintain accurate and complete records relating to its performance of the Services (including, without limitation, calculations of credits owed to Client under the SLA) as are customary under the circumstances and as Client may otherwise direct, including, but not limited to, complete and accurate records of time-tracking and travel expense documents relied on by D2L for purposes of preparing invoices to Client (“Books and Records”). D2L shall retain all Books and Records for [***] after the expiration or termination of this Agreement or such longer period specified by applicable regulatory requirements. Client (or its authorized representative) may, upon at least 30 days prior written notice no more than once per year and during normal business hours during the Term and for [***] and upon reasonable notice, inspect and audit all Books and Records relating to the following matters for the purpose of evaluating D2L’s compliance with this Agreement (a) invoicing, and (b) calculations of credits owed to Client under the SLA. Client (or its authorized representative) may copy any such information in connection with such audit. D2L shall promptly reimburse Client for the amount of any overpayment disclosed by an audit. The expenses of any such audit shall be [***].

(g)Simultaneously with the execution of these Terms and Conditions, D2L shall designate Client as a beneficiary under D2L’s arrangement with its independent third party escrow agent whereby, in the event of the occurrence of certain release conditions, D2L enables Client to obtain the source code for the Software and other software Services (and related documentation and materials) (“Escrow Arrangement”). Such arrangement is further described on Exhibit F.

(h)The software Services may be hosted in a multi-tenant environment, but Client shall be provided a dedicated instance of the software Services where all Client Data is held and in no event will D2L allow co-mingling of Client Data with any third-party data.

(i)Client shall determine in its sole discretion (a) which of its customers are Client Customers who receive Services under this Agreement and (b) which of its current and future affiliates are Client Entities who receive Services under this Agreement.

(j)D2L acknowledges that the performance of its material obligations under this Agreement is critical to the business and operations of Client, and accordingly, in the event of a good faith dispute or proceeding between D2L and Client, D2L will continue to perform its obligations under this Agreement in good faith throughout the course of the dispute as if such dispute had not arisen, unless and until this Agreement is terminated in accordance with its terms.

(k)The Software that Client can order under this Agreement includes, the Software described on Exhibit H, and any other software made generally available by D2L to its clients.

16.Indemnification. A “Third Party Claim” is defined as an action, proceeding, subpoena, investigation, demand, or claim by third parties. D2L shall indemnify, defend, and hold harmless Client Entities and their respective officers, directors, employees, Authorized Users, agents, and representatives from and against any and all losses, costs, expenses (including reasonable attorneys’ fees and expert costs), penalties, damages, judgments or settlements incurred because of a Third Party Claim based upon or arising out of (i) a material breach of [***]; or (vi) a claim that the Services or Client’s use of the Services is an infringement of copyright, patent, or trademark or otherwise infringes, violates, or misappropriates any IP rights of a third party (such Third Party Claims, an “Infringement Claim”). Client shall (I) promptly notify D2L in writing of any Third Party Claim (provided that the failure of Client to give prompt notice shall not affect Client’s rights to indemnification, except (and then only to the extent) that D2L’s ability to provide indemnification is impeded or frustrated or losses would have been avoided by prompt notice); (II) allow D2L to control the defense or settlement of the claim; and (III) cooperates in the defense or settlement of the Third Party Claim at the expense of D2L to the extent reasonably requested by D2L. At its own

expense, Client will at all times have the right to hire counsel of its own selection to provide its defense. D2L will not, absent the written consent of Client (such consent not to be unreasonably withheld, delayed, or conditioned), consent to the entry of any judgment or enter into any settlement that (A) provides for any relief other than the payment of monetary damages or repair or replacement of the Services for which D2L will be solely liable and (B) where the claimant or plaintiff does not release Client, its affiliates and its respective officers, directors, employees, agents, and representatives from all liability in respect thereof. This indemnity shall not apply to the extent that an Infringement Claim results from (1) Client’s unauthorized modification to the Services, (2) Client’s failure to install an update that would have avoided the Infringement Claim (provided that the update was provided at no additional cost and with written notice explaining that such update is necessary to avoid an Infringement Claim); (3) the combination of the Services or deliverables with third party products where the third party products are not provided under this Agreement (except where D2L knew, or reasonably should have known, Client would use such products with the Service or deliverables in the ordinary course); (4) D2L’s compliance with specifications furnished by Client (except where D2L knew, or reasonably should have known, such specifications would cause an Infringement Claim and D2L did not advise Client of such potential Infringement Claim); or (5) use of the Services or deliverables in a manner that is not in accordance with this Agreement or applicable law (provided that the Services and deliverables when used in accordance with this Agreement would not have risen an Infringement Claim). If an Infringement Claim arises, D2L may (x) substitute equivalent non-infringing Services; (y) modify the Services so that they no longer infringe but remain functionally equivalent; or (z) if neither (x) nor (y) is reasonably commercially feasible, terminate the applicable Orders and refund any unused pro-rated amounts to Client l (including prepaid amounts for costs of implementing and deploying the Services that the Client is no longer able to use). This section states the entire liability and obligation of D2L regarding Infringement Claims.

If (i) a third party claims that any part of the Client Data provided by Client infringes a copyright, patent or trademark or other IP right of a third party, (ii) there is a Third Party Claim arising out of Client’s use of the Services in material breach of Section 2 or Section 4 by Client, or for Disruptions as defined in Section 17(iv), or (iii) a governmental authority (“Authority”) assesses taxes, fines, or other charges against D2L as a result of that Authority’s determination that the Software provided under this Agreement is not software related to electronic data processing services, Client will defend, indemnify and hold harmless D2L and its officers, directors, employees, agents, and representatives against such claim at Client’s expense and pay all costs, expenses, damages, and reasonable attorney’s fees, provided that D2L: (x) promptly notifies Client in writing of any claim; (y) allows Client to control the defense or settlement of the claim; and (z) takes no action that, in Client’s reasonable judgment, impairs Client’s defense of the claim.

(a)[***].

(b)[***].

(c)[***].

(d)As between Client and D2L, Client is responsible for the Client Data and the content of its and Authorized Users’ transmissions, including Client Data, over D2L’s network. Client agrees that it shall not knowingly and intentionally cause a Disruption. A “Disruption” is defined as (1) use of the Service for illegal purposes or to infringe the intellectual property rights or privacy rights of a third party; (2) interfering with or disrupting the Services via (A) distribution of unsolicited communications or chain letters, defamatory, libelous or offending content or (B) propagation of computer worms and viruses; or (3) unauthorized use of the Service to enter, or attempt to enter, another system. If a Disruption occurs, D2L may, in its reasonable discretion, immediately remove the Disruption, disable the mode of communication causing the Disruption, and suspend the user account of the Authorized User that caused the Disruption; provided, however, D2L uses commercially reasonable efforts to provide notice to Client prior to taking such actions and, in any event, D2L provides written notice to Client immediately after taking any such actions, such notice describing the Disruption in reasonable detail and (ii) D2L does not suspend or disable any Authorized Users’ ability to access or use the Services unless doing so is required to remedy the Disruption and D2L has no reasonable alternative options that can remedy the Disruption and D2L uses

commercially reasonable efforts to minimize the effect of the suspension or disruption on other Authorized Users. As between Client and D2L, Client is liable to D2L for Third Party Claims arising from any Disruption to the extent (x) the Disruption was caused by an Authorized User and (y) the Disruption could not have been avoided by D2L’s compliance with the Security Commitments. For the avoidance of doubt, Client’s liability under this Section 17(iv) is subject to the limitations of liability in Sections 17(i)-(iii). D2L agrees that Client’s responsibilities and liability under this Section 17(iv) will not apply to the extent that any Disruption is caused by D2L’s breach of the Security Commitments.

(e)[***].

(a)As sole compensation for the Services, Client shall pay fees and Approved Expenses (as defined in Section 19) as specified in an Order. The fees set forth in any Order for the same or similar Services shall be consistent with the pricing set forth on Exhibit G unless the parties mutually agree to a different pricing model or rate table that is not included on Exhibit G, and, in such case, upon Client’s request, such new pricing model or rate table shall be added to Exhibit G. For the avoidance of doubt, the pricing and rate tables on Exhibit G apply to all Orders for all Client Entities and, for purposes of determining volume and discount tiers, usage by ail Client Entities shall be aggregated.

(b)Unless otherwise agreed in an Order, payment is due within 30 days from Client’s receipt of invoice unless Client disputes in good faith any amounts set forth in an invoice, in which case Client shall provide written notice of the disputed amounts within such 30 day period as well as payment of undisputed amounts. Overdue amounts not subject to a good faith dispute may incur interest charges at a rate of the lesser of 1.5% per month or the highest rate permitted by applicable law provided that D2L provides written notice to Client of the overdue amount and an additional 30 day period after receipt of such overdue notice to pay such overdue amount prior to incurring any interest charges.

(c)All fees stated in an Order shall be in U.S. Dollars, and Client shall pay invoices in U.S. Dollars. All references to dollars in this Agreement are U.S. Dollars.

(d)All fees stated in an Order do not include taxes of any kind. Client is responsible for payment of all applicable taxes resulting from this Agreement, except for taxes based on D2L’s net income. The parties acknowledge and agree that (a) the Services (other than Professional Services) provided under this Agreement are electronic data processing services and (b) the Software provided under this Agreement is software related to electronic data processing services.

(a)Optional products and Services set out on an Order and any other D2L offerings not on an Order may be subject to additional terms and conditions. Optional products may have associated support costs. If Client desires such optional products, services, or offerings, the parties may amend the Order in accordance with Section 24(vi) or enter into a new Order, and such additional terms and conditions shall not be binding on Client until D2L provides them in writing to Client and Client provides written acknowledgment that Client accepts such additional terms and conditions in writing.

(b)Unless otherwise set forth in an Order, travel and per diem expenses are not included in consulting or training fees and per diem and actual travel costs and will be billed to Client upon completion of such travel provided that Client shall only be responsible for such costs and expenses that are (a) pre-approved in writing by Client prior to being incurred, (b) passed through without mark-up, (c) supported by receipts and other documentation reasonably requested by Client, and (d) consistent with any other expense reimbursement guidelines provided by Client to D2L (“Approved Expenses”).

20.Analyses. Without expanding or creating any rights D2L has with respect to Client Data, to deliver, develop, test and improve the Services required under this Agreement and provide to its clients generally, D2L may collect, store, analyze, and interpret data elements acquired by, associated with, or provided in the use of the Services (“Analysis”). All individual data elements of the Analysis are property of their respective owners. D2L may disclose Analyses outside of its organization to third parties only for purposes of developing and marketing its products and services generally; provided that, if the Analysis uses any elements that are Client Data, (i) the Analysis combines the Client Data with data that D2L collects from its other clients and aggregates, (ii) the Analyses cannot reasonably be attributed to any Client Entity or any Authorized User, (iii) the Analysis does not include any data elements that are Client Data unless such data is deidentified under the CCPA and anonymized under the GDPR (each as defined in the DPA), and (iv) the Analyses cannot be identified as having originated from Client Data or from Client’s use of the Services. All algorithm, computational, or cumulative results of the Analysis, exclusive of Client Data and Personal Data (including Student Records), are wholly-owned by D2L. In the event Client wishes to access or generate any computational or cumulative results from Client Data using certain Services with analytic capabilities, additional fees may apply for such additional Services. D2L shall not attempt to re-identify, or take any action that would result in the re-identification of, any deidentified data.

(a)This Agreement shall continue until all Orders expire or are terminated as set out in this section (“Term”) or may be terminated as specified elsewhere in this Agreement. In the event that Client requests any Transition Services (as such term is defined below), the Term of this Agreement (and the applicable Orders) shall be deemed to continue until the end of the Transition Services Period (as such term is defined below) and all terms and conditions of this Agreement shall remain in full force and effect during the Transition Services Period.

(b)This Agreement or any Order may be terminated by the non-defaulting/breaching party if the other party materially or repeatedly (which in the aggregate is material) defaults in performing its duties or obligations under this Agreement or otherwise materially or repeatedly (which in the aggregate is material) breaches this Agreement unless the default or breach is cured within a period of thirty (30) days after written notice is given to the defaulting or breaching party.

(c)[***]

(d)At any time after the fourth anniversary of the Effective Date, this Agreement or any Order may be terminated by Client without cause by providing D2L with no less than one hundred and eighty (180) days written notice.

(e)This Agreement or any affected Order may be terminated by Client as set forth in Section 24(ii).

(f)This Agreement or any Order may be terminated by Client by providing D2L with no less than sixty (60) days written notice after the occurrence of (a) a Change of Control of D2L or (b) a Change of Control of Client. As used herein, a “Change of Control” means (1) the sale of all or substantially all of the assets of an entity or (2) a sale of equity interests, merger, consolidation, recapitalization or reorganization of an entity, unless securities representing more than fifty percent (50%) of the total voting power after such sale of equity interests, merger, consolidation, recapitalization or reorganization are beneficially owned, directly or indirectly, by the persons who beneficially owned the entity’s outstanding voting securities immediately prior to such transaction. For clarity, a Change of Control of D2L does not include either (x) assignment or transfer of this Agreement to a D2L affiliate provided that the affiliate is not a competitor of Client or (y) a restructuring of D2L pursuant to a public offering or similar occurrence. In the event of a Change of Control of Client and Client exercises its right to terminate under this Section 21 (vi) any time prior to the fourth anniversary of the Effective Date, then D2L will require payment of 50% of the unpaid fees that would be due for the remainder of such four year period as liquidated damages and not as a penalty.

(g)This Agreement or any Order may be terminated by Client by providing D2L with written notice if D2L (a) ceases to do business, (b) becomes insolvent, or (c) files or has filed against it a petition of bankruptcy and such

petition is not dismissed, vacated, or set aside within ninety (90) days from the commencement thereof. This Agreement or any Order may be terminated by D2L by providing APUS with written notice if APUS (a) ceases to do business, (b) becomes insolvent, or (c) files or has filed against it a petition of bankruptcy and such petition is not dismissed, vacated, or set aside within ninety (90) days from the commencement thereof.

(h)On termination, all rights and obligations of the parties cease except as set out in this section. Client shall return all copies of documentation for the Services to D2L within thirty (30) days of termination. Upon termination or expiration of this Agreement including, if applicable, the Transition Services Period, D2L will delete or destroy ail Client Data residing on D2L networks or otherwise in D2L’s possession in accordance with Section 2 of the DPA.

(i)In connection with the termination or expiration of each Order or this Agreement, D2L will, at Client’s option and as part of the Services, perform such transition services reasonably requested by Client on a time and materials basis in accordance with this Section 21 (ix) (“Transition Services”) for the transition of responsibility for performance of relevant services to Client and/or Client’s designees to ensure (a) no material disruption to Client’s ability to access and use Client Data, (b) no material degradation to the quality of the Services that D2L provides prior to being so transferred, and (c) that Authorized Users have uninterrupted access to the Services throughout the Transition Services Period and can continue to access and use the Services in the same manner as such Authorized Users could prior to the commencement of the Transition Services Period. “Transition Services Period” shall mean the period during which Transition Services are provided as determined by Client and agreed by D2L; provided, however, D2L agrees such Transition Services Period shall be of sufficient duration to enable Client to smoothly transition to a different system and solution (and, in any event, no less than six (6) months). Prior to termination, Client may use certain export tools within the Services to allow Client to export course content materials in a standard packaged format (such format which enables use of such materials without use of the Services or any other proprietary tools) as well as to export grades and other specific data elements in the Services. D2L shall assist Client with Client’s use of such tools as reasonably requested by Client for no additional charge; however, if Client requires additional support from D2L in connection with exporting data, D2L shall provide such Transition Services on a time and materials basis and the rates for such Transition Services shall be no greater than the rates specified in Appendix A to Exhibit G.

(j)[***].

(k)The Confidentiality, Intellectual Property, Indemnification, Liability Limitations, Payment and the General sections, sections applying to Client Data, the DPA, and all terms and provisions that logically should survive, shall survive termination of this Agreement, regardless of the reason for the termination.

22.Term of Orders; Renewal. The term for an Order shall be specified in the Order (“Order Term”). Unless Client notifies D2L of its intent to renew an Order at least sixty (60) days before the end of the then-current Order Term, an Order shall expire at the end of the Order Term. In the event Client notifies D2L of its desire to renew an Order, the Order (including all Services stated on the Order) along with any annual fees listed on such Order and in effect at the end of the Term shall be extended for additional one year period unless a different renewal period is agreed in writing between the parties.

23.Insurance. D2L shall maintain the following types and amounts of insurance coverage throughout the performance of its obligations under this Agreement: (i) commercial general liability insurance [***] complying with the coverage limits and in all other respects with applicable state workers’ compensation laws covering its employees and/or agents for work related injuries suffered by such employees and/or agents. D2L shall ensure that all D2L personnel involved in the performance of this Agreement, regardless of the duration of the assignment, is covered by the workers’ compensation insurance described herein. D2L shall maintain all of the foregoing policies of insurance with insurance carriers with an AM Best Rating of at least A-VII and shall, upon request, furnish Client with certificates of insurance evidencing their terms of coverage. Such certificates of insurance shall include Client

as an additional insured and shall provide for at least thirty (30) days’ written notice to Client prior to cancellation of any of the material terms of coverage of any such policy.

(a)All notices shall be in writing and delivered (a) by hand, (b) by registered mail, postage prepaid, return receipt requested, (c) reputable overnight delivery service, or (d) by email, provided that the sender retains proof of successful transmission. All notices shall be deemed effective upon receipt. Notices shall be sent to the names, addresses and numbers set out in the Order. All notices to D2L shall include a copy to Legal Department, D2L Corporation, 151 Charles Street W., Suite 400, Kitchener Ontario N2G 1H6, Canada, or, if sent by email, to Legal@D2L.com. All notices to Client shall include a copy to Legal Affairs, American Public University System, Inc., 111 West Congress Street, Charles Town, WV 25414, or, if sent by email, to Legal@apus.edu.

(b)If a party cannot perform any of its obligations under this Agreement because of natural disaster, actions of governmental bodies, strikes, lockouts, riots, acts of war, fires or similar events or circumstances, that, in each case, is outside that party’s control (“Force Majeure Event”), the party who cannot perform shall promptly notify the other in writing, and shall do everything reasonably possible to minimize the effect of such Force Majeure Event on its performance and to promptly resume performance. For the avoidance of doubt, a security breach, including a Data Breach (as defined in the DPA) is not a Force Majeure Event. Upon receipt of notice, all obligations under this Agreement are immediately suspended to the extent such obligations are affected by the Force Majeure Event for as long as the Force Majeure Event exist. Where the party affected by the Force Majeure Event is D2L and the Force Majeure Event continues for more than sixty (60) days, Client may immediately terminate this Agreement or any affected Order by delivering written notice of such termination to D2L.

(c)This Agreement is governed by the laws of Delaware, without regard to its conflict of laws principles.

(d)No single or partial exercise of any right or remedy under this Agreement will preclude any other or further exercise of any other right or remedy in this Agreement, or as provided at law or in equity. Except as otherwise provide herein, rights and remedies provided in this Agreement are cumulative and not exclusive of any right or remedy provided at taw or in equity.

(e)No party may assign, including by operation of law, this Agreement or its rights or obligations hereunder without the prior written consent of the other party, such consent not to be unreasonably withheld, provided, however, (a) Client may exercise any of its rights under this Agreement or perform any of its obligations hereunder through any of its affiliates and (b) either party may assign or otherwise transfer this Agreement, in whole or in part, to any of its affiliates. Any purported assignment contrary to the terms hereof shall be null, void, and of no force and effect. Without limiting the foregoing, each party shall provide written notice to the other party prior to any Change of Control.

(f)No amendment, modification, termination or waiver of any provision of this Agreement is effective unless it is in writing and signed by both parties. Any waiver or consent shall be effective only in the specific instance and purpose for which it was given.

(g)Terms or conditions that Client or D2L purports to include in an invoice, purchase order or similar instrument are void and of no force and effect. Furthermore, Client shall not be bound by any terms and conditions that are displayed or linked to the Services or otherwise provided electronically as part of the Services (including any terms on a third-party website or component of the Services). Except as mutually agreed to by Client and D2L in writing, the Services shall not include any terms of use, policies, or other agreements applicable to Client Entities or Authorized Users; however, with respect to mobile applications, Client acknowledges that third party application marketplaces (i.e., the Apple App Store and Google Play) may have their own standard terms of use associated with any downloads of mobile applications therefrom.

(h)If a court declares void or unenforceable any term of this Agreement, the remaining terms and provisions of this Agreement shall remain unimpaired and the invalid term shall be replaced by a valid term that comes closest to the intention underlying the invalid term.

(i)Neither party is an agent, employee, partner, joint venturer or legal representative of the other, and D2L is an independent contractor to Client.

(j)In the event of any conflict between the terms of these Terms and Conditions and the terms of any Order or any project plan, the terms in these Terms and Conditions shall control and supersede the terms of the Order or project plan (as applicable), unless the Order or project plan expressly refers to the specific section of the Terms and Conditions that it supersedes. This Agreement shall prevail over any terms of use, policies, or other agreements in D2L’s Services.

(k)The section and subsection headings contained in this Agreement are inserted for convenience only and do not affect the meaning, construction, or scope of the relevant terms.

(l)This Agreement contains the entire understanding between the parties with respect to its subject matter. All prior agreements, representations, inducements and negotiations, and any and all existing contracts previously executed between the parties with respect to this subject matter are superseded hereby. Without limiting the foregoing, the parties acknowledge and agree that (a) the parties previously entered into an “APUS-Implementation Planning & Consulting” statement of work (such statement of work, “Planning SOW”) and a “Confidentiality and Non-Disclosure Agreement” signed by D2L on November 27, 2018 and American Public Education, Inc. on November 20, 2018 (“Initial NDA”); (b) the Initial NDA is hereby superseded by the terms in this Agreement; (c) the Planning SOW shall be deemed to have been provided under this Agreement and the services and deliverables provided under the Planning SOW shall be deemed to have been provided hereunder and all document deliverables under the Planning SOW are Work Product hereunder; and (d) the “D2L Order Terms and Conditions” attached to the Order Form dated May 1, 2019 (Order # Q-16672) are null and void.

(m)This Agreement may be executed in two or more counterparts, each of which shall be deemed an original, but all of which together shall constitute a single instrument.

The parties have agreed to and signed this Agreement through their respective duly authorized representatives on the dates set forth below.

The following Exhibits are attached to these Terms and Conditions and are part of the Agreement and, in the event of any conflict between the Exhibits and the Terms and Conditions, the Terms and Conditions shall prevail:

This Data Processing Addendum (“Addendum” or “DPA”) is part of the Agreement entered into by and between American Public University System, Inc. (“Controller” or “Client”) and D2L Ltd. (“Processor” or “D2L”). The purpose of this Addendum is to outline each party’s respective duties including with relation to applicable Data Protection Laws. Any terms not defined in this Addendum shall have the meaning set forth in the Terms and Conditions. In the event of a conflict between the terms and conditions of this Addendum and other terms and conditions of the Agreement, the terms and conditions of this Addendum shall supersede and control so far as the subject matter concerns the processing of Personal Data, as defined in Section 5 of the Agreement.

1.1“Authorized Employee” means an employee of Processor who has a need to know or otherwise access Personal Data to enable Processor to perform its obligations under this Addendum or the Agreement, or who otherwise accesses Personal Data.

1.2“Authorized Individual” means an Authorized Employee or Authorized Sub-processor.

1.3“Authorized Sub-processor” means a third-party vendor, agent, reseller, or auditor who has a need to know or otherwise access Personal Data to enable Processor to perform its obligations under this Addendum or the Agreement, or who otherwise accesses Personal Data.

1.4“Data Breach” means (a) a breach of security, confidentiality, or integrity leading to the accidental or unlawful destruction loss, alteration, unauthorized disclosure of, or access to, Client Data transmitted, stored, or otherwise Processed; (b) unauthorized intrusion into, control of. access to, modification of, or use of any System used by D2L to secure, defend, protect, or Process Client Data.

1.5“Data Protection Laws” means all regional, national, and international laws, orders, statutes, codes, regulations, ordinances, rules, subordinate legislation, treaties, directives, bylaws, standards or other requirements with similar effect of any governmental or regulatory authority that limit, restrict, or otherwise govern the collection, use, security, storage, protection, or disclosure of Personal Data, including the General Data Protection’ Regulation (EU) 2016/679 (“GDPR”) and California Consumer Protection Act (“CCPA”), and/or any other applicable laws relating to the protection of Personal Data, each as updated from time to time, that apply to D2L or Client in the circumstances governed by the Agreement,

1.6“Data Subject” means an identified or identifiable person to whom Client Data relates.

1.7“Instructions” means the directions, either in writing, in textual form (e.g. by e-mail) or by using a software or online tool, issued by Controller to Processor and directing Processor to Process Personal Data.

1.8“Privacy Shield Principles” means the Swiss-U.S., UK-U.S., and EU-U.S. Privacy Shield Framework and Principles issued by the U.S. Department of Commerce, available at https://www.privacyshield.gov/EU-US-Framework.

1.9“Process” or “Processing” means any operation or set of operations which is performed upon the Client Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.

1.10“Services” shall have the meaning set forth in the Agreement.

1.11“System” means any file system, computing system, database, device, equipment, server, website, application, software, storage media, network, infrastructure, networked environment or domain (including, without limitation, all development, quality assurance, staging and production environments) that is relevant to the Agreement or otherwise accessed with respect to the Services.

1.12“Supervisory Authority” means an independent public authority which is established by a member state of the European Union, Iceland, Liechtenstein, or Norway.

2.1Processor’s Obligations. Processor shall Process Personal Data only (a) for the purposes set forth in the Agreement, (b) in accordance with the terms and conditions set forth in this Addendum and any other documented Instructions provided by Controller, and (c) in compliance with applicable Data Protection Laws. Controller is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Processor by or on behalf of Controller, (ii) the means by which Controller acquired any such Personal Data, and (iii) the Instructions it provides to Processor regarding the Processing of such Personal Data. Controller shall not provide or make available to Processor any Personal Data in violation of the Agreement or which is otherwise inappropriate for the nature of the Services. Controller shall indemnify, defend, and hold harmless Processor from and against all claims or losses due to Controller’s non-compliance with its obligations in this section. If and to the extent that D2L is aware that an Instruction from Client infringes applicable law, D2L will promptly notify Client if, in its opinion, an Instruction provided by Client infringes applicable law. if D2L is legally required to Process Personal Data otherwise than as instructed by Client, it shall notify Client before such Processing occurs, unless the law requiring such Processing prohibits D2L from notifying Client, in which case it shall notify Client as soon as that law permits it to do so. D2L shall not assume any responsibility for determining the purposes for which and the manner in which Personal Data is processed.

2.2The subject matter, nature, purpose and duration of this Processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Appendix A to this Addendum.

2.3Following completion of the Services, except as required to be retained by applicable law, at Client’s option, D2L shall return, delete, or destroy Client Data residing on D2L networks at the end of the Term, unless otherwise agreed in writing. In the event that Client opts to have D2L destroy Client Data, D2L shall destroy it using a final, secure and complete method that will render that Client Data permanently unrecoverable. Upon Client’s request, D2L shall certify in writing that it has completed the destruction of that Client Data. If applicable Data Protection Laws prevent D2L from returning or destroying all or part of the Client Data, D2L warrants that it will guarantee the confidentiality of the Client Data and will not actively process the Client Data anymore, and will guarantee the return and/or destruction of the Client Data as requested by Client when the legal obligation to not return or destroy the information is no longer in effect. Prior to the end of the term, Client may use certain export tools within the Services to allow Client to export course content materials in a standard packaged format as well as to export grades and other specific data elements in the Services.

3.1Processor shall take commercially reasonable steps to ensure the reliability and appropriate training of any Authorized Employee to ensure Authorized Employees are aware of any comply with obligations under the Agreement and Data Protection Laws.

3.2Processor shall ensure that all Authorized Employees are made aware of the confidential nature of Personal Data and have executed confidentiality agreements that prevent them from disclosing or otherwise Processing, both during and after their engagement with Processor, any Personal Data except in accordance with their obligations in connection with the Services.

3.3Processor shall take commercially reasonable steps to limit    access to Personal Data to only Authorized Individuals.

3.4Processor has appointed a data protection officer where such appointment is required by Data Protection Laws. The appointed person may be reached at privacyd21.com.

4.1For purposes of this Section, “Authorized Sub-processor” shall have the same meaning as “Subcontractor” as defined in Section 15(iv) of the Terms and Conditions for those Subcontractors that have access to Personal Data. Controller acknowledges and agrees that Processor may engage the Authorized Sub-processors in accordance with Section 15(iv) of the Terms and Conditions to access and Process Personal Data in connection with the Services. D2L will notify Controller from time to time as to its Authorized Sub-processors, including without limitation upon adding or removing an Authorized Sub-processor, and will provide details, such as a current list of Authorized Sub-processors, upon request. Upon Client’s receipt of such notification, Client shall have ten (10) days to reasonably object, in writing, to the use of any newly listed Authorized Sub-processor. In response to any such objection, Processor shall take commercially reasonable steps to address Client’s concerns. If Processor cannot reasonably address Client’s concerns or fulfil its obligations under the Agreement without the use of the objected-to Authorized Sub-processor, Client shall have the option to terminate the Agreement without recourse.

4.2Processor shall ensure that all Authorized Sub-processors have executed privacy, confidentiality, and data security agreements, which include terms no less restrictive than the terms set forth in Section 4 of the Agreement and this Addendum, that prevent them from disclosing or otherwise Processing any Personal Data both during and after their engagement by Processor. Processor shall conduct reasonable diligence of the data security practices of each such Authorized Sub-processor in accordance with industry standards, including without limitation verifying prior to engaging any Authorized Subprocessor that the Authorized Sub-processor (a) is capable of complying with the obligations of D2L toward Client, to the extent applicable to the services assigned to that Authorized Sub-processor, and (b) has taken and will take appropriate technical and organizational measures to protect Personal Data. D2L warrants that it has conducted and shall conduct such verification, shall document the results of this verification and shall, on request, provide Client with a copy of this verification.

4.3Processor shall, by way of contract or other legal act under European Union or European Union member state law (including without limitation approved codes of conduct and standard contractual clauses), ensure that every Authorized Sub-processor is subject to obligations regarding the Processing of Personal Data that are no less protective than those to which the Processor is subject under this Addendum.

4.4Processor shall be liable to Controller for the acts and omissions of Authorized Sub-processors to the same extent that Processor would itself be liable under this Addendum had it conducted such acts or omissions.

5.1Processor shall maintain appropriate and reasonable technical and organizational measures to ensure a level of security appropriate to the risk of Processing Client Data.

5.2D2L shall, with regard to the state of the art and costs of implementation as well as taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, implement maintain and comply with comprehensive information and network security programs, practices and procedures that govern the Services (collectively, “Data Security Program”) that: (a) meets current best industry standards; (b) complies with all applicable Data Protection Laws; (c) complies with ISO 27001 and 27018 standards; and (d) is overseen by a primary security manager responsible for managing and coordinating the performance of D2L’s privacy and security obligations under the Agreement and this DPA. D2L shall document its Data Security Program in

written form and shall make those summaries of such documents available to Client for review upon Client’s request. D2L shall keep its Data Security Program current and up-to-date to improve the security of the Data Security Program, but in no event render the Data Security Program less comprehensive, secure or robust.

5.3In assessing the appropriate level of security, D2L shall take into account the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Data transmitted, stored or otherwise Processed.

5.4Without limitation to the generality of Section 5.2, D2L represents, warrants and covenants that it shall, and has adopted and implemented, and will continue to maintain and update, physical, administrative and technical safeguards and other security measures to: (a) maintain all appropriate technical and organizational security and confidentiality measures, and regularly update them, to ensure a level of security appropriate to the risk to Client Data and protect it from threats or hazards to its security and integrity, as well as accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Client Data transmitted, stored or otherwise processed and all other unlawful forms of Processing; (b) prevent, detect, contain, recover, remediate and respond to Data Breaches; (c) enforce the use of secure authentication protocols and devices consistent with best industry standards on any of D2L’s Systems that protect, defend, secure or Process Client Data; (d) enforce secure access control measures consistent with current leading industry standards for access to logical and physical resources on any of D2L’s Systems that protect, defend, secure or Process Client Data; (e) require the use of then-current best industry standard encryption for all storage and transmission of Client Data at a minimum of 256-bit encryption, or whatever higher level of encryption; (f) include automated security measures, including but not limited to current leading industry standard perimeter monitoring and protection systems, auditing systems, and firewalls; (g) take into account the need to ensure on-going confidentiality, integrity, availability and resilience of systems and services Processing Client Data; and (h) take into account the need to be able to restore the availability and access to data in a timely manner in the event of a physical or technical incident.

5.5D2L shall monitor developments in technology and security to ensure that the measures implemented pursuant to this clause remain up to date and appropriate, given the nature of the Client Data and the risks which might arise from its unauthorized access or disclosure.

6.1Where D2L is permitted to transfer Personal Data under Section 15(vii) of the Agreement, any such transfer of Personal Data from member states of the European Union, Iceland, Liechtenstein, Norway, Switzerland or the United Kingdom to any countries which do not ensure an adequate level of data protection within the meaning of the laws and regulations of these countries shall, to the extent such transfer is subject to such laws and regulations, be undertaken by Processor through one of the following mechanisms; (a) in accordance with the Privacy Shield Principles, or (b) the Standard Contractual Clauses as prescribed by the European Commission (“Model Clauses”).

6.2If transfers are made pursuant to 6.1(a), Processor self-certifies to, and complies with, the Swiss-U.S. and EU-U.S. Privacy Shield Frameworks, as administered by the U.S. Department of Commerce, and shall maintain such self-certification and compliance, and shall; (a) Process all Personal Data that has been transferred pursuant to the Privacy Shield Framework solely in accordance with the Privacy Shield Principles, (b) notify Client if D2L determines that it can no longer meet the foregoing obligation, and (c) in the event that D2L discovers that its Processing of that Personal Data does not comply with the Privacy Shield Principles, cease processing that Personal Data and promptly remediate that Processing to bring it into compliance with subsection (a) above and Data Protection Laws.

6.3The Model Clauses may be varied or terminated only as specifically described in the Model Clauses or applicable law. In the event of any inconsistencies between the Model Clauses and this DPA or other agreements between Client and D2L, the Model Clauses shall take precedence, to the extent applicable. If

transfers are made pursuant to 6.1(b) and such Model Clauses are amended, replaced, repealed, or no longer of legal effect, the parties shall promptly work together in good faith to enter into updated or replacement versions of the Model Clauses or negotiate in good faith a solution to effectuate the transfer of Personal Data in compliance with Data Protection Laws.

6.4Client shall be entitled, at no cost to itself, to suspend, or require D2L to suspend, any transfers of Personal Data which do not comply or which cease to comply with Data Protection Laws. In such case, the parties shall work together in good faith to agree to a solution to enable the transfers of Personal Data to be re-instated.

6.5Processor shall comply with applicable Data Protection Laws with respect to any transfer of Personal Data.

7.1To the extent Controller, in its use of the Services, does not have the ability to correct, amend, block, or delete Personal Data, as required by Data Protection Laws, Processor shall provide full and prompt cooperation and assistance to Controller at Controller’s reasonable request to facilitate such actions to the extent Processor is legally permitted to do so.

7.2Processor shall, to the extent permitted by law, notify Controller without undue delay upon (and, in any event, not more than five (5) business days after) receipt of a request, complaint, or communication received directly by D2L from a Data Subject pertaining to the Data Subject’s Personal Data, including to exercise the Data Subject’s right of: access, rectification, erasure, data portability, restriction or cessation of Processing, withdrawal of consent to Processing, and/or objection to being subject to Processing that constitutes automated decision-making, as well as any other rights conferred on Data Subjects by Data Protection Laws (such requests individually and collectively “Data Subject Request(s)”). If Processor receives a Data Subject Request in relation to Persona! Data, Processor will advise the Data Subject to submit their request to Controller and Controller will be responsible for responding to such request, including, where necessary, by using the functionality of the Services.

7.3Processor shall, at the request of the Controller, apply appropriate technical and organizational measures to assist Controller in complying with Controller’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (a) Controller is itself unable to respond without Processor’s assistance and (b) Processor is able to do so in accordance with all applicable laws, rules, and regulations. If Client does not have access to the relevant Personal Data, such assistance may include, at the reasonable request of Client, that D2L provide Client with (1) full details of the Data Subject Request; and (2) any Personal Data It holds in relation to the Data Subject Request, if required, in a commonly-used, structured, electronic, and machine-readable format.

8.1Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance, where necessary for Controller to comply with its obligations under the Data Protection Laws, conduct a data protection impact assessment and/or to demonstrate such compliance with Data Protection Laws, provided that Controller does not otherwise have access to the relevant information

8.2Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance with respect to Controller’s cooperation and/or prior consultation with any Supervisory Authority, or other applicable governmental authority, where necessary and where required by the GDPR.

8.3Processor shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum.

8.4Processor shall make available for Controller’s review at https://www.d2l.com/security (a) copies of Processor’s certifications; and/or (b) upon Controller’s request no more than once per calendar year, or upon a Data Breach, reports demonstrating Processor’s compliance with prevailing data security standards applicable to the Processing of Personal Data. Should Controller have serious cause to believe that Processor is in material breach of its obligations hereunder, Processor shall allow Controller or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s data security infrastructure that is sufficient to demonstrate Processor’s compliance with its obligations under the Agreement or this Addendum, provided that Controller shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s business. Controller shall be responsible for the costs of any such audits or inspections. However, if the requested audit scope is addressed in an ISO, SOC, or similar audit report performed by a qualified third-party auditor within twelve (12) months of Controller’s request and Processor confirms there are no known material changes in the controls audited. Controller agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.

8.5Upon being notified of, or discovering, Processor shall, without undue delay, inform Controller of the Data Breach. Such notification shall include, to the extent known to D2L, and shall be supplemented on an ongoing basis: (i) the general circumstances and extent of any unauthorized Processing of Client Data or intrusion into Systems that are used by D2L to protect or Process Client Data; (ii) the types and volume of Client Data that were Involved; (iii) D2L’s plans for corrective actions to respond to the Data Breach; (iv) the identities of all individuals whose Client Data was or may have been affected; (v) steps taken to secure Client Data and preserve information for any necessary investigation; (vi) the likely consequences and risks of the Data Breach; and (vii) any other related information requested by Client.

8.6D2L shall detect, respond to, and contain all vulnerabilities, activities or other circumstances that caused or gave rise to the Data Breach promptly after discovery of the Data Breach (and, in any event, within [***] after discovery). D2L shall promptly and without unreasonable delay take all necessary and advisable corrective actions, and will reasonably cooperate with Client in all reasonable and lawful efforts to prevent, eradicate, mitigate and rectify such Data Breach.

In the event of a Data Breach, Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance necessary for Controller to comply with its obligations under Data Protection Laws, including without limitation applicable (or potentially applicable, based on available information), breach notification laws, with respect to notifying (i) the relevant Supervisory Authority or applicable governmental authority and (ii) Data Subjects affected by such Data Breach, each without undue delay and within the timeframe prescribed by Data Protection Laws.

8.7D2L shall investigate the causes of each Data Breach at D2L’s expense. Upon Client’s request, D2L shall, at its own expense, provide in-depth supplementary reports regarding its investigation of the Data Breach and results of findings. D2L shall, at its own expense, cooperate with Client in investigating and responding to each Data Breach including by allowing prompt access to its facility by Client and Client’s investigator, to investigate, and obtain copies of any information, data or records requested by Client.

8.8D2L shall not notify any parties other than Client and, to the extent required by Data Protection Laws, relevant law enforcement agencies of any Data Breach: (i) unless such notification is agreed to in advance by Client in writing; or (ii) to the extent such notification is provided to another customer of D2L and the Data Breach relates to proprietary information of such other customer, provided that Supplier shall not provide any information or details to such other customer identifying Client or regarding how the Data Breach relates to Client or Personal Data. Where requested by Client, D2L, at its own expense, may be required to provide notifications to affected Data Subjects, affected entities or government bodies (where such notifications must be approved by Client before dissemination).

8.9Processor’s obligation to report or respond to a Data Breach under Sections 8.5 through 8.9 will not be construed as an acknowledgement by Processor of any fault or liability with respect to the Data Breach, and the obligations described in Sections 8.5 through 8.9 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller.

8.10If D2L is required by applicable law to disclose any Personal Data to a Supervisory Authority or other governmental authority, then it shall be entitled to do so, provided that: (i) to the extent permitted by applicable law, D2L provides prior written notice of such disclosure to Client within twenty-four (24) hours of receipt of the request and that notice shall include a copy of the request and any related documents; (ii) D2L takes ail reasonable and lawful actions to avoid, and minimize the extent of, that disclosure; (iii) to the extent possible, D2L receives confidentiality undertakings in a form approved by Client from the entity to whom the Personal Data is disclosed; and (iv) before disclosing Personal Data to the Supervisory Authority or other governmental authority, D2L reasonably cooperates with Client to resist that disclosure if Client chooses to do so. Where D2L is legally prohibited from notifying Client of the disclosure, D2L shall use reasonable efforts to request the Supervisory Authority or other governmental authority to direct the request directly to Client.

8.11Contract Terms. Subject to the hierarchy of terms as provided in the preamble to this Addendum, this Addendum is without prejudice to the other rights and obligations of the parties under the Agreement, which shall continue to have full force and effect.

Nature and Purpose of Processing: as specified in the Agreement.

Duration of Processing: Term of the Agreement

Categories of Data Subjects: Controller’s end-users/customers

Type of Personal Data: None, unless such data is provided by Controller; however, such data is not required for proper use of the Services.

Typically, the following data may be provided by the Controller:

Throughout the Term, D2L shall, at a minimum, provide the security safeguards, processes, and procedures set forth at https://www.d2l.com/security/ (“D2L Security Description”) for all Orders. The version of the D2L Security Description in effect as of the Effective Date is incorporated herein by reference. The D2L Security Description may be updated from time-to-time by D2L; however, throughout the Term, D2L shall provide security safeguards, processes, and procedures that are consistent with, or more favorable to Client than, the security safeguards, processes, and procedures described in the attachment. For the avoidance of doubt, and without limiting the foregoing, any fees or other obligations on clients that are added to the D2L Security Description after the Effective Date that are not set forth in the attachment shall not apply to Client.

In addition, D2L agrees to the commitments listed below.

D2L shall make available for Client’s review (i) copies of D2L’s certifications; and/or (ii) upon Client’s request no more than once per calendar year, reports demonstrating D2L’s compliance with prevailing data security standards applicable to the processing of Client’s Personal Data, and executive summaries of the latest penetration test.

D2L shall maintain throughout the Term the following technical and organisational security measures:

D2L maintains a current Escrow Agreement with a third-party vendor (currently Escrow Associates, LLC), and has designated the third-party vendor as its escrow agent (“Escrow Agent”). D2L regularly deposits source code with the Escrow Agent. Provided Client is not in breach of its obligations under the Agreement, including those relating to payment, and should Client elect escrow and pay the related fees, D2L shall list Client as a beneficiary under the Escrow Agreement with the Escrow Agent.

Release conditions under the Escrow Agreement are as follows:

i)    [***]

The pricing on this exhibit applies to all Orders placed by Client under the Agreement for Services for any Client Entity covered under the Agreement. There shall be a separate Order for each Client Entity. From time to time this exhibit may be updated in accordance with Section 18 of the Terms and Conditions to include additional pricing models for fees for the Software (“Data Processing Fees”) that are mutually agreed to by the parties and each Order shall indicate which pricing model applies. The fees set forth on this exhibit and in applicable executed Order(s), and Approved Expenses (as defined in Section 19 of the Terms and Conditions) are the only fees and expenses applicable to the Services.

As at the Effective Date of the Agreement and as set out at [***] the Software consists of the following: