
In the course of providing Services to Recipient, EdPower agrees to protect all SDI in accordance with the terms and conditions of this Agreement.
SDI includes but is not limited to:
● All Personally Identifiable Information (“PII”) as defined by the Family Educational Rights and Privacy Act (“FERPA”) (20 U.S.C. § 1232g and 34 CFR Part 99), the Children’s Online Privacy Protection Act (“COPPA”) (15 U.S.C. §§ 6501-6506 and 16 CFR Part 312), and Protection of Pupil Rights Amendment (PPRA) (20 U.S.C. § 1232h and 34 CFR Part 98).
● All data that are descriptive of or could be used in combination with other data to identify a student or family member/guardian, including, but not limited to, information in the student’s educational record, first and last name, home address, telephone/cell numbers, email address or other information that allows physical or online contact, social security number, student ID number and other identifiers, disciplinary records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, health records, behavioral records, disabilities, socioeconomic information, food purchases, political affiliations, religious information, email, text messages and other network/internet or cellular communications, documents, drawings, artwork, biometric records, photos, video, voice recordings, handwriting, web search activity, computer/device identifiers and geolocation data.
● All data that are derived from, calculated with or linked to SDI by Recipient; and
● All data related to students or their families / guardians that may be provided to EdPower by Recipient or an agent of Recipient.
In the provision of the Services to Recipient, EdPower is subject to and will comply with applicable laws and regulations, including but not limited to the following, to the extent applicable:
● FERPA: Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99)
● COPPA: Children's Online Privacy Protection Act (15 U.S.C. §§ 6501–6506, 16 CFR Part 312)
● PPRA: Protection of Pupil Rights Amendment (20 U.S. Code § 1232h, 34 CFR Part 98)
EdPower agrees to treat all SDI consistently, as covered by and in compliance with the foregoing laws and regulations as well as any new, applicable laws and regulations related to SDI.
1. OBLIGATIONS AND ACTIVITIES OF RECIPIENT
A. Permitted Uses of EdPower Student Data and Information (“SDI”). EdPower shall only use or disclose SDI as required to execute the Services.
B. No Marketing or Advertising. EdPower is prohibited from using SDI to (a) market or advertise to students or families / guardians; (b) inform, influence or enable marketing, advertising or other commercial efforts by a third party; or (c) develop a profile of a student, family member / guardian or group, for any commercial purpose other than providing the Services to Recipient.
C. Data Analysis and Mining. EdPower is prohibited from analyzing or mining SDI for any purpose other than delivering the Services to Recipient under this Agreement, or improving the Services for Recipient. Analysis and mining of SDI to support marketing, advertising or other commercial ventures are prohibited.
D. Data Sharing and Re-Disclosure.
i. Sub-Contractors: Recipient understands and agrees that EdPower may rely on one or more sub-contractors to provide the Services under this Agreement. EdPower may only provide SDI to the sub-contractor(s) if necessary for the furtherance of the Services. EdPower shall ensure its sub-contractor(s) comply with the terms of this Agreement and is responsible for the activities of its sub-contractors.
ii. EdPower will promptly notify Recipient if EdPower discloses SDI to any third party for any of the following reasons:
a. To ensure legal and regulatory compliance.
b. In response to a judicial process in a court in the USA.
c. To protect the privacy of SDI, the safety of users or others, or the security of the Services.
E. Safeguards.
i. EdPower shall provide Recipient with the name and contact information for a primary and alternate employee of EdPower who shall serve as the Recipient’s primary security contact. In the event of any unauthorized access to or disclosure of SDI, the designated contact shall respond as soon as practicable to any Recipient inquiries.
ii. The identity of all person(s) having access to the SDI will be documented and access will be logged.
iii. Without limiting EdPower’s obligations under this Agreement to keep SDI safe and confidential, EdPower shall implement reasonable administrative, physical, and technical infrastructure and procedural safeguards to protect and maintain the integrity, confidentiality and availability of SDI (including backups) that EdPower creates, receives, maintains, transports, or transmits on behalf of Recipient. Such safeguards shall be no less rigorous than current generally accepted industry best practices designed to secure and protect the integrity, confidentiality and availability of PII.
iv. EdPower’s SDI shall be stored, backed up and served only on hardware located physically within the United States.
v. Recipient will ensure that all data that is transmitted between EdPower’s access points and the ultimate server, by EdPower or its disclosures, will use generally accepted industry best practices for secure data transmission.
vi. EdPower agrees to mitigate any actual or potential harmful effects by following generally accepted industry best practices, such as, but not limited to, the following:
a. Have the capability to provide audit trails and/or reports of EdPower user activity.
b. Any audit trails, EdPower user activity and system generated logs should be securely stored using generally accepted industry best practices.
c. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with EdPower systems is not degraded or compromised.
d. Maintain a documented Business Continuity Disaster Recovery Plan following generally accepted industry best practices.
e. Maintain physical access controls to on-premises data centers that store SDI.
F. Notice of Disclosure, Security Incident or Breach.
i. Promptly upon becoming aware of any unauthorized disclosure, access or use of SDI, EdPower will take action to close and remediate the breach, determine the scope of the SDI that may have been disclosed, and notify Recipient with the reasons for or cause of the breach (if known), actions taken to close and mitigate the breach, and identification of the SDI that may have been compromised.
ii. Promptly following EdPower’s notification to Recipient of a security incident, breach, or loss of SDI, the parties shall coordinate with each other to investigate the matter. Recipient shall reasonably cooperate with EdPower in investigating the matter and assist EdPower with EdPower’s notification obligations under any applicable notification laws. Recipient agrees to reasonably cooperate with EdPower in handling the incident, including, but not limited to:
a. Assisting with any investigation;
b. Facilitating interviews with Recipient’s employees and others involved in the matter;
c. Making available all relevant records, logs, files, data reporting and other materials requested by EdPower;
d. Providing the tools and procedures designed to recapture stored SDI; and
e. Confirming the date of the discovery of the security incident, breach, or loss of SDI.
iii. EdPower shall provide the following information to Recipient as soon as practicable but not later than five (5) business days of becoming aware of any unauthorized disclosure, access, use or loss of SDI:
a. The date of the discovery of the security incident, breach, or loss of SDI;
b. A description of the types of SDI that were involved;
c. Identification of each individual whose SDI has been, or is reasonably believed to have been compromised and any other details necessary to complete an assessment of the risk of harm to said individual(s).
iv. EdPower shall provide Recipient prior review of all press releases and any communications to be sent to affected parties which relate to the release of personal information.
v. EdPower agrees to establish procedures to investigate the security incident, breach, or loss of SDI, to mitigate losses, and to install/implement such safeguards as are needed to protect against any future security incident, breach, or loss of SDI. EdPower agrees to provide a description of these procedures and the specific findings of the investigation to Recipient.
2. COMPLIANCE OF AGENTS
A. EdPower agrees to ensure that any agent, to whom it provides SDI created, received, maintained, transported or transmitted by EdPower on behalf of Recipient, shall comply with the terms of this Agreement.
B. For all employees or subcontractors who have access to SDI, during the term of each subcontractor’s or employee’s employment by EdPower, EdPower shall at all times cause such subcontractor or employee to abide strictly by EdPower’s obligations under this Agreement.
3. AUDIT
EdPower shall make its internal practices, books, and records reasonably available to Recipient, solely to the extent necessary to confirm EdPower’s compliance with the terms of the Agreement; provided, that such audits shall only occur upon no less than thirty (30) days prior written notice to EdPower, during the hours of the normal workday of EdPower, on a date and time mutually agreed upon between EdPower and Recipient, and not more than once annually.
4. INSURANCE
EdPower shall maintain, throughout the term of this Agreement, a Cyber/Privacy insurance policy providing the coverage for each occurrence as shown in the table below, based on the number of EdPower schools in which the Recipient will be providing service.
COVERAGE TYPE | LESS THAN 25 SCHOOLS | 25 OR MORE SCHOOLS
Cyber/Privacy Insurance | $1,000,000 | $2,000,000
In addition, EdPower shall maintain General Liability insurance in the amount of one million ($1,000,000.00) dollars.
EdPower will provide upon Recipient’s request a certificate of insurance, in a form satisfactory to Recipient (e.g. standard ACORD), evidencing such coverages, and provide annual renewal certificates to EdPower throughout the term of this Agreement.
5. INDEMNITY
A. EdPower Indemnification. To the fullest extent permitted by applicable law, EdPower shall indemnify and hold harmless Recipient and its officers, agents and employees from and against all claims, liabilities, damages, losses, and costs including, but not limited to, reasonable costs and attorneys’ fees at the pre-trial, trial and appellate levels, arising out of or in connection with any non-permitted use or disclosure of SDI by EdPower, its officers, agents, employees or subcontractors.
B. Recipient Indemnification. To the fullest extent permitted by law, Recipient shall indemnify and hold harmless EdPower and its officers, agents and employees from and against all claims, liabilities, damages, losses, and costs including, but not limited to, reasonable costs and attorneys’ fees at the pre-trial, trial and appellate levels, arising out of or in connection with Recipient’s performance under this Agreement, any negligence, recklessness, or intentional wrongful conduct of Recipient, approved disclosures or other persons employed or utilized by Recipient in the performance of this Agreement, or any non-permitted use or disclosure of SDI by Recipient, its officers, agents, employees or subcontractors.
C. Interpretation of Indemnification Obligations. The remedy provided to the indemnified parties under this Section 5 shall be in addition to and not in lieu of any other remedy available under the Agreement, at law or otherwise. The indemnification obligations hereunder shall not be diminished or limited in any way by any insurance maintained by the indemnified party or otherwise available to the indemnified party. The provisions of this Section shall specifically survive the termination or expiration of this Agreement. To the extent any indemnification requirement contained in this Agreement is deemed to be in violation of any applicable law, such provision shall be deemed modified so that the indemnifying party shall be required to furnish the greatest level of indemnification to the indemnified party as was intended by the parties hereto and is permitted under applicable law.