DATA SHARING AND PRIVACY

DATA SHARING POLICY

The term "Confidential Information" shall mean any and all information, which is disclosed by either party to the other verbally, electronically, visually, or in a written or other tangible form, which is either identified by Discloser as confidential or proprietary or should be reasonably understood to be confidential or proprietary. Confidential Information shall include all information or data provided by the Parties to each other, including, but not limited to: trade secrets, patented or copyrighted information, computer programs, software, software documentation, formulas, data, inventions, algorithms, techniques, processes, marketing plans, strategies, forecasts, third party confidential information, and customer lists. However, the Builder retains ownership of any existing or newly developed underlying technology associated with the project, while the specific software code and product developed shall become the property of the Recipient.
Unless otherwise permitted by this Agreement, Recipient shall not disclose, publish, release, transfer or otherwise make available Confidential Information in any form to, or for the use or benefit of, any person or entity. The Parties recognize that the disclosure of Confidential Information would cause irreparable injury and, therefore, the injured Party shall be entitled to injunctive relief in addition to any other remedy, including claims for damages and attorney’s fees. To the extent required, Recipient’s internal disclosure of Confidential Information shall be only to those employees or agents having a need to know such information in connection with this Agreement and only insofar as such persons are bound by a nondisclosure agreement consistent with this Agreement.
This Agreement imposes no obligation upon the parties with respect to Confidential Information which either party can establish by legally sufficient evidence: (a) was in the possession of, or was rightfully known by Recipient without an obligation to maintain its confidentiality prior to receipt from Discloser; (b) is or becomes generally known to the public without violation of this Agreement; (c) is obtained by Recipient in good faith from a third party having the right to disclose it without an obligation of confidentiality; (d) is independently developed by Recipient without reliance upon the Confidential Information or the participation of individuals who have had access to the Confidential Information; or (e) is required to be disclosed by court order, provided diligent efforts are undertaken to limit disclosure, and once notice has been provided to Discloser of such court order.
The Confidential Information is provided “as-is” and Discloser makes no warranty of any kind with respect to the suitability, accuracy or non-infringement of third party rights. Recipient does not acquire any license rights, title or interest in the Confidential Information except the limited right to use the Confidential Information in accordance with this Agreement.
Student Educational Records. The following provisions of this section shall apply to the extent, if any, that Customer Data includes any student educational records. Nothing in this Agreement is intended to diminish any students’ (or their parent’s) rights in relation to their educational records. The parties acknowledge that student educational records are subject to the United States Family Educational Rights and Privacy Act (FERPA) and may be subject to other federal, state, and local privacy laws and regulations. Each party agrees to safeguard student educational records in its possession or control in compliance with all applicable requirements of FERPA and such other laws and regulations. EdPower (dba) specifically agrees not to disclose any personally identifiable information from education records in violation of FERPA, not to use such information for any sales, marketing, advertising, or other prohibited purposes, and to protect such information as Confidential Information of Customer for purposes of this Agreement. The parties agree that EdPower (dba) is permitted to process or monitor such information solely to provide and maintain the integrity of the Hosted Service. EdPower (dba) will promptly notify Customer of any known unauthorized use or disclosure of student educational records in EdPower (dba) possession or control, and will take commercially reasonable corrective efforts to mitigate the effects and to prevent the recurrence of such violation.
Effect of Termination. Upon the expiration or any termination of this Agreement (or of the applicable Service Annex): (i) all rights granted by Builder hereunder to access and use the Hosted Service will automatically terminate; (ii) Customer and all Authorized Users will immediately cease all use of the Hosted Service; and (iii) each party will return or delete, and make no further use of, any Confidential Information of the other party in its possession or control. Upon any expiration or termination of this Agreement (or of the applicable Service Annex), Builder will have no obligation to maintain or provide access to any Customer Data or Customer Content, and may delete all Customer Data and Customer Content stored in the Hosted Service or otherwise in Builder's possession or control. For clarity, if fewer than all Service Annexes are being terminated, the foregoing will not be construed as requiring or permitting either party to delete or return information that is pertinent to any continuing Hosted Service. In the event of termination, the Builder agrees to provide all necessary assistance to the Recipient for a smooth transition, including but not limited to, providing all relevant software codes, documentation, and other materials related to the software product developed. This transition should be accomplished in a manner that causes minimum disruption to the Recipient's operation. The specifics of such transition will be agreed upon by the parties as part of the termination process.

US PRIVACY POLICY

In the course of providing Services to Recipient, EdPower agrees to protect all SDI in accordance with the terms and conditions of this Agreement. SDI includes but is not limited to:

● All Personally Identifiable Information (“PII”) as defined by the Family Educational Rights and Privacy Act (“FERPA”) (20 U.S.C.§1232g and 34 CFR Part 99), the Children’s Online Privacy Protection Act (“COPPA”) (15 U.S.C. §§6501-6506 and 16 CFR Part 312), and Protection of Pupil Rights Amendment (PPRA) (20 U.S.C.§1232h and 34 CFR Part 98).
● All data that are descriptive of or could be used in combination with other data to identify a student or family member/guardian, including, but not limited to, information in the student’s educational record, first and last name, home address, telephone/cell numbers, email address or other information that allows physical or online contact, social security number, student ID number and other identifiers, disciplinary records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, health records, behavioral records, disabilities, socioeconomic information, food purchases, political affiliations, religious information, email, text messages and other network/internet or cellular communications, documents, drawings artwork, biometric records, photos, video, voice recordings, handwriting, web search activity, computer/device identifiers and geolocation data.
● All data that are derived from, calculated with or linked to SDI by Recipient; and
● All data related to students or their families / guardians that may be provided to EdPower by Recipient or an agent of Recipient.

In the provision of the Services to Recipient, EdPower is subject to and will comply with applicable laws and regulations, including but not limited to the following, to the extent applicable:

● FERPA: Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99)
● COPPA: Children's Online Privacy Protection Act, (15 U.S.C. §§ 6501–6506, 16 CFR Part 312)
● PPRA: Protection of Pupil Rights Amendment, (20 U.S. Code § 1232h, 34 CFR Part 98)

● GDPR: General Data Protection Regulation (EU) 2016/679 (“GDPR”, “Regulation”)

EdPower agrees to treat all SDI consistently, as covered by and in compliance with the foregoing laws and regulations as well as any new, applicable laws and regulations related to SDI.

1. OBLIGATIONS AND ACTIVITIES OF RECIPIENT

A. Permitted Uses of EdPower Student Data and Information (“SDI”). EdPower shall only use or disclose SDI as required to execute the Services.
B. No Marketing or Advertising. EdPower is prohibited from using SDI to (a) market or advertise to students or families / guardians; (b) inform, influence or enable marketing, advertising or other commercial efforts by a third party; or (c) develop a profile of a student, family member /guardian or group, for any commercial purpose other than providing the Services to Recipient.
C. Data Analysis and Mining. EdPower is prohibited from analyzing or mining SDI for any purpose other than delivering the Services to Recipient under this Agreement, or improving the Services for Recipient. Analysis and mining of SDI to support marketing, advertising or other commercial ventures are prohibited.
D. Data Sharing and Re-Disclosure.
i. Sub-Contractors: Recipient understands and agrees that EdPower may rely on one or more sub-contractors to provide the Services under this Agreement. EdPower may only provide SDI to the sub-contractor(s) if necessary for the furtherance of the Services. EdPower shall ensure its sub-contractor(s) comply with the terms of this Agreement and is responsible for the activities of its sub-contractors.
ii. EdPower will promptly notify Recipient if EdPower discloses SDI to any third party for any of the following reasons:
a. To ensure legal and regulatory compliance.
b. In response to a judicial process in a court in the USA.
c. To protect the privacy of SDI, the safety of users or others,
or the security of the Services.

E. Safeguards.

i. EdPower shall provide Recipient with the name and contact information for a primary and alternate employee of EdPower who shall serve as the Recipient’s primary security contact. In the event of any unauthorized access to or disclosure of SDI, the designated contact shall respond as soon as practicable to any Recipient inquiries.

ii. The identity of all person(s) having access to the SDI will be documented and access will be logged.
iii. Without limiting EdPower’s’s obligations under this Agreement to keep SDI safe and confidential, EdPower shall implement reasonable administrative, physical, and technical infrastructure and procedural safeguards to protect and maintain the integrity, confidentiality and availability of SDI (including backups) that EdPower creates, receives, maintains, transports, or transmits on behalf of Recipient. Such safeguards shall be no less rigorous than current generally accepted industry best practices designed to secure and protect the integrity, confidentiality and availability of PII.
iv. EdPower’s SDI shall be stored, backed up and served only on hardware located physically within the United States.
v. Recipient will ensure that all data that is transmitted between EdPower’s access points and the ultimate server, by EdPower or its disclosures, will use generally accepted industry best practices for secure data transmission.
vi. EdPower agrees to mitigate any actual or potential harmful effects by following generally accepted industry best practices, such as, but not limited to, the following:
a. Have the capability to provide audit trails and or reports of EdPower user activity.
b. Any audit trails, EdPower user activity and system generated logs should be securely stored using generally accepted industry best practices.
c. Conduct or undergo system level testing whenever new functionalities are added to the system to reconfirm system security measures are retained and functional, and that interaction with EdPower systems is not degraded or compromised.
d. Maintain a documented Business Continuity Disaster Recovery Plan following generally accepted industry best practices.
e. Maintain physical access controls to on-premises data centers that store SDI.

F. Notice of Disclosure, Security Incident or Breach.
i. Promptly upon becoming aware of any unauthorized disclosure, access or use of SDI, EdPower will take action to close and remediate the breach, determine the scope of the SDI that may have been disclosed, and notify Recipient with the reasons for or cause of the breach (if known), actions taken to close and mitigate the breach, and identification of the SDI that may have been compromised.
ii. Promptly following EdPower’s notification to Recipient of a security incident, breach, or loss of SDI, the parties shall coordinate with each other to investigate the matter. Recipient shall reasonably cooperate with EdPower in investigating the matter and assist EdPower with EdPower’s notification obligations under any applicable notification laws. Recipient agrees to reasonably cooperate with EdPower in handling the incident, including, but not limited to:
a. Assisting with any investigation;
b. Facilitating interviews with Recipient’s employees and others involved in the matter;

c. Making available all relevant records, logs, files, data reporting and other materials requested by EdPower;
d. Providing the tools and procedures designed to recapture stored SDI.
e. Confirming the date of the discovery of the security incident, breach, or loss of SDI.

iii. EdPower shall provide the following information to Recipient as soon as practicable but not later than five (5) business days of becoming aware of any unauthorized disclosure, access, use or loss of SDI:
a. The date of the discovery of the security incident, breach, or loss of SDI;
b. A description of the types of SDI that were involved;
c. Identification of each individual whose SDI has been, or is reasonably believed to have been compromised and any other details necessary to complete an assessment of the risk of harm to said individual(s).
iv. EdPower shall provide Recipient prior review of all press releases and any communications to be sent to affected parties which relates to the release of personal information.
v. EdPower agrees to establish procedures to investigate the security incident, breach, or loss of SDI, to mitigate losses, and to install/implement such safeguards as are needed to protect against any future security incident, breach, or loss of SDI. EdPower agrees to provide a description of these procedures and the specific findings of the investigation to Recipient.

2. COMPLIANCE OF AGENTS

A. EdPower agrees to ensure that any agent, to whom it provides SDI created, received, maintained, transported or transmitted by EdPower on behalf of Recipient, shall comply with the terms of this Agreement.
B. For all employees or subcontractors who have access to SDI, during the term of each subcontractor’s or employee’s employment by EdPower, EdPower shall at all times cause such subcontractor or employee to abide strictly by EdPower’s obligations under this Agreement.

3. AUDIT

EdPower shall make its internal practices, books, and records reasonably available to Recipient, solely to the extent necessary to confirm EdPower’s compliance with the terms of the Agreement; provided, that such audits shall only occur upon no less than thirty (30) days prior written notice to EdPower, during the hours of the normal workday of EdPower, on a date and time mutually agreed upon between EdPower and Recipient, and not more than once annually.

4. INSURANCE

EdPower shall maintain, throughout the term of this Agreement, a Cyber/Privacy insurance policy providing the coverage for each occurrence as shown in the table below, based on the number of EdPower schools in which the Recipient will be providing service.

COVERAGE TYPE

LESS THAN 25 SCHOOLS

25 OR MORE SCHOOLS

Cyber/Privacy Insurance

$1,000,000

$2,000,000

In addition, EdPower shall maintain General Liability insurance in the amount of one million ($1,000,000.00) dollars.
EdPower will provide upon Recipient’s request a certificate of insurance, in a form satisfactory to Recipient (e.g. standard ACORD), evidencing such coverages, and provide annual renewal certificates to EdPower throughout the term of this Agreement.

5. INDEMNITY
A. EdPower Indemnification. To the fullest extent permitted by applicable law, EdPower shall indemnify and hold harmless Recipient and its officers, agents and employees from and against all claims, liabilities, damages, losses, and costs including, but not limited to, reasonable costs and attorneys’ fees at the pre-trial, trial and appellate levels, arising out of or in connection with any non-permitted use or disclosure of SDI by EdPower, its officers, agents, employees or subcontractors.
B. Recipient Indemnification. To the fullest extent permitted by law, Recipient shall indemnify and hold harmless EdPower and its officers, agents and employees from and against all claims, liabilities, damages, losses, and costs including, but not limited to, reasonable costs and attorneys’ fees at the pre-trial, trial and appellate levels, arising out of or in connection with Recipient’s performance under this Agreement, any negligence, recklessness, or intentional wrongful conduct of Recipient, approved disclosures or other persons employed or utilized by Recipient in the performance of this Agreement, or any non-permitted use or disclosure of SDI by Recipient, its officers, agents, employees or subcontractors.
C. Interpretation of Indemnification Obligations. The remedy provided to the indemnified parties under this Section 5 shall be in addition to and not in lieu of any other remedy available under the Agreement, at law or otherwise. The indemnification obligations hereunder shall not be diminished or limited in any way by any insurance maintained by the indemnified party or otherwise available to the indemnified party. The provisions of this Section shall specifically survive the termination or expiration of this Agreement. To the extent any indemnification requirement contained in this Agreement is deemed to be in violation of any applicable law, such provision shall be deemed modified so that the indemnifying party shall be required to furnish the greatest level of indemnification to the indemnified party as was intended by the parties hereto and is permitted under applicable law.

END USER LICENSING AGREEMENT TERMS AND CONDITIONS

1. SERVICES

1.1 Use Limitations. Customer and Authorized Users may access and use the Hosted Service solely during the applicable term of use for Customer’s internal education-related purposes. Such limits may include, as applicable, caps on the number of Authorized Users for the Hosted Service, the number of students for whom the Hosted Service may be used, and/or the volume of data that may be processed or stored. Customer will not permit access to or use of the Hosted Service for any other purpose, or in violation of any applicable usage limit, or by anyone other than Authorized Users. Customer will ensure that the Hosted Service is accessed and used in compliance with all applicable laws and regulations and the rights of others.

1.2 Restrictions. Customer will not, and shall ensure that Authorized Users do not, interfere with or disrupt the Hosted Service or attempt to gain access to any related systems or networks to which access is restricted. Customer will not: (i) copy, frame or mirror any portion of the Hosted Service; (ii) sell, resell, rent or lease the Hosted Service; (iii) decompile, reverse engineer or otherwise attempt to obtain source code of the Hosted Service; (iv) attempt to modify the Hosted Service; (v) use the Hosted Service to store any data or information that is unlawful or that violates a third party’s rights, including without limitation a third party’s privacy rights; (vi) access or use the Hosted Service for purposes of monitoring its availability, performance or functionality, or for any other benchmarking or competitive purposes; or (vii) encourage, enable, or permit any Authorized User or third party to do any of the foregoing.

1.3 Data Maintenance and Backup. EdPower will follow its archival procedures for Customer Data as established by EdPower in its reasonable discretion. In the event of any loss or corruption of Customer Data, EdPower will use its commercially reasonable efforts to restore the lost or corrupted Customer Data from the latest backup of such Customer Data maintained by EdPower in accordance with the archival procedure as established by EdPower in its reasonable discretion.. EdPower will not be responsible for any loss, destruction, alteration, unauthorized disclosure or corruption of Customer Data caused by any third party. EdPower’s efforts to restore lost or corrupted customer data pursuant to this section will constitute EdPower’s sole liability and customer’s sole and exclusive remedy in the event of any loss or corruption of customer data.

2. CUSTOMER OBLIGATIONS

2.1 Customer Data and Content. Customer will be solely responsible for the accuracy, quality, suitability, integrity and legality of all Customer Data and Customer Content, if any, and for obtaining any third-party permissions needed in relation to the Customer Data and Customer Content.

2.2 Security. Customer will: (i) use commercially reasonable efforts to prevent unauthorized access to or use of the Hosted Service, and will notify EdPower promptly of any such unauthorized access or use; and (ii) keep confidential and not disclose to any third parties, and will ensure that Authorized Users keep confidential and do not disclose to any third parties, any user identifications, account numbers, passwords, or other similar information for the Hosted Service.

2.3 Enforcement. Customer will promptly notify EdPower of any suspected or alleged breach and will cooperate with EdPower with respect to: (i) any investigation by EdPower of any suspected or alleged breach; and (ii) any action by EdPower to enforce these terms and conditions of use. EdPower may suspend or terminate any Authorized User’s access to the Hosted Service upon notice to Customer in the event that EdPower reasonably determines that such Authorized User has breached these terms and conditions of use.

GDPR COMPLIANCE POLICY

Policy Owner: Joe Wallace

Effective Date: Aug 1, 2023

Application

This policy applies to all employees, contractors, and vendors while doing business with EdPower and others who have access to the European Union (EU) and the European Economic Area (EEA) data subject information (“personal data”) in connection with EdPower ’s operating activities.

Policy

EdPower is committed to protecting the security, confidentiality, and privacy of its information resources including EU and EEA personal data in accordance with the requirements set forth in the General Data Protection Regulation (EU) 2016/679 (“GDPR”, “Regulation”). Personal data shall only be processed when there is a legal basis to do so, data shall be managed to ensure that security, confidentiality, and privacy are maintained, and data will be used only for authorized purposes. All employees and contractors of EdPower share the responsibility for safeguarding personal data to which they have access.

When performing commercial activities in support of EdPower products and services that impact EU/EEA personal data, EdPower may engage in certain activities which may require it to receive, store, process, transmit, create, or access and use data which may trigger compliance requirements with the provisions applicable to GDPR. This policy and the GDPR Policies adopted hereunder are intended to support the mission of EdPower and to facilitate data processing activities that are important to EdPower by:

Ensuring compliance with requirements imposed by GDPR and EdPower ’s regulatory obligations
Providing for the establishment of GDPR Policies that set forth, among other things, the required technical, physical, and administrative safeguards to maintain the security, confidentiality, and privacy of personal data
Setting forth the roles and responsibilities necessary for EdPower to meet its obligations with respect to activities related to the processing of personal data in accordance with GDPR

Roles and Responsibilities

Policy Adoption

EdPower shall, in cooperation with relevant stakeholders, develop and adopt necessary and appropriate GDPR Policies, which will include, among other things, the technical, physical, and administrative safeguards required to ensure the confidentiality, integrity, and privacy of personal data, and protect personal data against reasonably anticipated threats or hazards and unauthorized uses or disclosures. All relevant EdPower stakeholders shall cooperate with EdPower in the development and implementation of the GDPR Policies.

The EdPower Information Security and Data Privacy Policies are a component of the GDPR Policies and implement controls which support GDPR compliance.

Responsible Person

Joe Wallace, CEO, jwallace@myedpower.com, 208 258 2570 has been assigned responsibility for overall oversight of EdPower’s GDPR compliance program.

Data Protection Officer

The Data Protection Officer (DPO) shall have the responsibilities set forth in this Policy and GDPR Article 39. The DPO is tasked with daily and ongoing oversight and management of EdPower’s GDPR Compliance Program, which includes the following responsibilities:

Monitoring EdPower’s internal compliance with GDPR
Providing guidance at the earliest stage possible on all aspects of data protection
Keeping EdPower stakeholders appraised of changes to GDPR and other relevant laws and regulations
Assisting the controller or processor in monitoring internal compliance with the Regulation, including:
- Collecting information to identify processing activities
- Analyzing and checking the compliance of processing activities
- Informing, advising and issuing recommendations to the controller or the processor
Acting in an independent manner, and ensuring there is no conflict of interest in other roles or interests that the DPO may hold
Maintaining inventories of all personal data stored on behalf of the data controller or processor
Responding to security, privacy, and data access requests and complaints from data subjects
Managing data security and critical business continuity issues that could impact personal data
Providing guidance, as requested, to the data controller to complete a data protection impact assessment (“DPIA”)
Providing guidance on responding to accidental or malicious activity that could impact personal data
Cooperate with the supervisory authority as needed
To act as the contact point for the supervisory authority on issues relating to processing, and to consult, where appropriate, with regard to any other matter

The Data Protection Officer is: Joe Wallace, CEO, jwallace@myedpower.com, 208 258 2570

Article 27 Local Representative

For entities operating outside of the EU, Representatives must be named (a Representative is defined in Article 4 as “a natural or legal person established in the [EU] who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under the GDPR.”). Representatives must be established in one of the EU Member States where the data subjects whose personal data the company processes are located. Companies operating in the UK must also appoint a UK Representative. Primary responsibilities include:

Serving as the contact point for all issues related to the company’s processing of personal data under the GDPR, including as a contact point for supervisory authorities
Understanding current data protection laws, legal or compliance requirements, and interfacing with regulatory authorities

Representative(s) is/are:

EU Representative: Education Elephant representative

UK Representative: Education Elephant representative

Implementation

Data Protection

All personal data requires a legal basis for processing and will be accessible on a strict need-to-know basis. Personal data is to be kept confidential and must be protected and safeguarded from unauthorized access, modification and disclosure.

Storage and Transmission: Personal data must be encrypted, with strong cryptography, whenever stored on or transmitted by EdPower systems.
Disposal: Paper records must be securely shredded prior to disposal. Electronic media must be securely wiped, sanitized or physically destroyed prior to disposal or reuse
Awareness Training: Relevant personnel will receive appropriate training on their information security and data privacy responsibilities with regard to GDPR and the handling of personal data as well as the Data Subject Access Request (DSAR) procedure
EdPower will not transmit EU or UK PII to any third-party or vendor until an appropriate Data Protection Addendum has been fully executed by EdPower and the third-party.
The company shall retain Record of Processing Activity in accordance with Article 30 of the GDPR. Records shall include:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
- where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organizational security measures referred to in Article 32(1).

Breach Notification

Notification of any reportable unauthorized use or disclosure of personal data will be sent to affected parties in accordance with the GDPR notification requirements and the Incident Response Policy.

Data Subject Access Requests (DSAR/SAR)

Subject to the exceptions noted below in this policy, EdPower will comply with any SAR concerning the following rights of the data subject:

Access (a copy of the personal data undergoing processing)
Rectification of personal data (correction of data stored or processed)
Erasure (‘right to be forgotten’)
Restriction of processing
Notification regarding rectification or erasure
Data portability (In the event of a Data Portability Request, EdPower will export the customers data in an industry-standard format and make it internet accessible for download only by the data subject)
Objection to processing (withdrawal of consent to processing)
Automated individual decision-making, including profiling
Do Not Sell requests under the CCPA

SAR when EdPower is the data controller:

A SAR must be made via EdPower support system by sending an email to support@myedpower.com to initiate the SAR process.
Where required, the data subject must provide reasonable evidence of their identity in the form of valid identification of identity, for example, email verification.
When submitting the SAR via the interface, the data subject must identify the SAR type that is being requested, e.g., erasure.
If a SAR is submitted by an agent, the submission must include the identification of the data subject.

SAR when EdPower is the data processor:

A SAR must be made via EdPower support system by sending an email to support@myedpower.com to initiate the SAR process.
The controller must identify the SAR that is being requested.

SAR requirements:

The date by which the SAR is submitted, identification is verified, and the specification of the SAR request type must be recorded; EdPower will acknowledge any manual requests within 10 business days.
EdPower has one month from the initial request date to complete the request. There are very limited circumstances in which an extension to that one month will be provided.
The SAR application will be documented and can be audited through EdPower’s internal processes.

EdPower as the data processor

The date by which the SAR is submitted, identification is verified, and the specification of the SAR request type must be recorded; EdPower will acknowledge any manual requests within 10 business days.
EdPower has one month from the initial request date to complete the request. There are very limited circumstances in which an extension to that one month will be provided.
The SAR application will be documented and can be audited through EdPower’s internal processes.

EdPower as the data controller

The date by which the SAR is submitted, identification is verified, and the specification of the SAR request type must be recorded; EdPower will acknowledge any manual requests within 10 business days.
EdPower has one month from the initial request date to complete the request. There are very limited circumstances in which an extension to that one month will be provided.
The SAR application will be documented and can be audited through EdPower’s internal processes.

SAR Exemptions

EdPower may withhold information requested under SAR in accordance with Article 23 of the GDPR or any similar exemption under applicable law. Any such exemption must be reviewed and approved by the Data Protection Officer or CEO

SAR Limits

Where permitted by law, such as Article 15 of the GDPR, for any further copies of personal data collected by EdPower that are requested by the data subject, EdPower may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic format.

Compelled Disclosure

EdPower governs the compelled disclosure of customer Personally Identifiable Information pursuant to valid third-party legal demands for such information, such as court orders, search warrants, subpoenas, government investigations, and similar demands.

Upon receipt of legal demands for information, EdPower will immediately notify the CEO, and Data Protection Officer. EdPower will investigate the demands, and if it is determined at EdPower’s sole discretion that they are valid, we will search for and disclose the information that is specified and that we are reasonably able to locate and provide. We are unable to process overly broad or vague demands, and we will not disclose information that is not specifically demanded, except in response to follow-up demands.

EdPower may contact customers if we are compelled to disclose their information pursuant to valid legal demands for such information, but we are not required to do so, and in some instances, we may be legally prohibited from doing so.

All external communications with customers, regulators and law enforcement shall be approved by EdPower.

Enforcement

The CEO and Data Protection Officer are responsible for the enforcement of this policy. Employees who may have questions should contact the Data Protection Officer as appropriate.

Disciplinary Action

Failure to comply with any provision of this policy may result in disciplinary action, including, but not limited to, termination.

Reporting

All suspected violations or potential violations of this policy, no matter how seemingly insignificant, must promptly be reported either to CEO or Data Protection Officer immediately, or via the incident reporting process at support@myedpower.com.

As long as a report is made honestly and in good faith, EdPower will take no adverse action against any person based on the making of such a report. Failure to report known or suspected wrongdoing of which you have knowledge may subject you to disciplinary action up to and including termination of employment.

DATA SHARING AND PRIVACY

DATA SHARING POLICY

US PRIVACY POLICY

END USER LICENSING AGREEMENT TERMS AND CONDITIONS

GDPR COMPLIANCE POLICY

Application

Policy

Roles and Responsibilities

Policy Adoption

Responsible Person

Data Protection Officer

Article 27 Local Representative

Implementation

Data Protection

Breach Notification

Data Subject Access Requests (DSAR/SAR)

SAR when EdPower is the data controller:

SAR when EdPower is the data processor:

SAR requirements:

EdPower as the data processor

EdPower as the data controller

SAR Exemptions

SAR Limits

Compelled Disclosure

Enforcement

Disciplinary Action

Reporting

Version History

Subscribe to get all the latest news and updates

ABOUT US

Contact us
About
Leadership Team
Partners
Privacy Policy

QUICK LINKS

PRODUCTS

EdHub
EdFolio
EdAssess
EdInsights

Resources
Customer Support
Case Studies
Blog

DATA SHARING AND PRIVACY

DATA SHARING POLICY

Subscribe to get all the latest news and updates

EdHub EdFolio EdAssess EdInsights

Resources Customer Support Case Studies Blog

EdHub
EdFolio
EdAssess
EdInsights

Resources
Customer Support
Case Studies
Blog