9. Data Privacy and Security
(a) Each Party shall comply with applicable data protection and privacy laws in relation to its performance under this Agreement, including the Family Educational Rights and Privacy Act of 1974 (“FERPA”) and the Children’s Online Privacy Protection Act (“COPPA”). Company shall implement and maintain industry-standard technical and organizational measures to safeguard the System and any Customer Data against unauthorized access, loss, or destruction. In the event of a data breach involving Customer Data, Company will notify Customer without undue delay after becoming aware of the breach, and will provide reasonable cooperation in mitigating its effects.
(b) Pursuant to FERPA, Company is: (i) acting as a school official with a legitimate educational interest; (ii) performing an institutional service or function for which the school would otherwise use employees; (iii) under the direct control of the school with respect to the use and maintenance of covered information (though control is limited as specified in this Section 9(b)(iii) and the relationship of the Parties remains that of independent contractors for purposes of this Agreement); and (iv) using the covered information only for an authorized purpose under FERPA. Company acknowledges it may not re-disclose covered information under FERPA to third parties or affiliates, unless otherwise permitted under FERPA, without permission from Customer or pursuant to court order.
(c) During the Term of this Agreement, the Parties agree to comply with Ohio’s Senate Bill 29, also referred to as the “Student Data Privacy Act,” if Customer is an Ohio-based entity. Each Party agrees to ensure the appropriate security safeguards are in place to protect educational records. Such protections include a restriction on unauthorized access by Company’s employees or contractors, whereas such employees and/or contractors are only authorized to access educational records through the System as necessary to fulfill their official duties and the terms of this Agreement. All other access to educational records will be strictly prohibited. The audit and monitoring rights of Company expressed in Section 10, and Customer’s right to monitor and access Customer Data through the System, are permitted rights under the Student Data Privacy Act due to the fact the System is limited to a noncommercial, educational purpose for instruction, technical support, and/or exam proctoring by the relevant school district’s employees, student teachers, and staff contracted by a district and Company. Beginning August 1, 2025, and no later than the first day of August of each relevant school year during the Term, Customer shall provide parents and students direct and timely notice, by mail, electronic mail, or other direct form of communication, of the System and its effect on or access to a student’s educational records. Such notice shall: (i) identify the System and Company as the provider of the System; (ii) describe the educational records affected or accessed by the System; (iii) include information about Company’s and Customer’s audit, inspection, and monitoring rights; (iv) provide Customer contact information to which a parent or student may direct questions or concerns regarding the System to Customer; and (v) inform parents and students of their rights to inspect this Agreement. Each Party agrees to reasonably cooperate with the other Party so each Party may fulfill its obligations under this Agreement and the Student Data Privacy Act. In the event that educational records maintained by the System are subject to a breach of the security of the data as described in the Student Data Privacy Act, Company shall disclose to Customer all information necessary to properly inform Customer of the incident pursuant to the terms of the Student Data Privacy Act. Moreover, within seventy-two (72) hours of the incident, Customer will notify parents and students of the situation, describing which features of the System were accessed and the threat of the breach, if any.
(d) During the Term of this Agreement, the Parties agree to comply with Illinois’ Student Online Personal Protection Act (“SOPPA”) if Customer is an Illinois-based entity. Pursuant to SOPPA, Company shall: (i) implement and maintain reasonable security procedures and practices that meet (or exceed) industry standards designed to protect student information from unauthorized access, destruction, use, modification, or disclosure; (ii) delete, within a reasonable time period, a student’s protected information under SOPPA, if requested by Customer (and not otherwise requested to maintain by a student’s parent); (iii) publicly disclose information about its collection, use, and disclosure of students’ protected information under SOPPA through its privacy policy; (iv) delete or transfer to Customer all students’ protected information under SOPPA if such information is no longer needed for the purposes of this Agreement within one (1) year of such determination; (v) notify Customer of any breach of students’ protected information under SOPPA within the most expedient time possible and without unreasonable delay, but no later than thirty (30) days after the determination that a breach has occurred; (vi) provide Customer a list of any third parties or affiliates to whom Company is currently, or will be, disclosing students’ protected information to for purposes of fulfilling its obligations under this Agreement (which list shall be updated at least biannually by the beginning of each Illinois fiscal year and at the beginning of each calendar year); (vii) be prohibited from selling or renting students’ protected information or using such information to engage in targeted advertising; and (viii) otherwise only use such protected student information for purposes permitted by SOPPA.
Customer shall publish this Agreement on its school website in order to comply with SOPPA. In the event of a data breach that impacts students’ protected information under SOPPA, Company will provide a description to Customer regarding how such breach is attributed to Company and how any costs and expenses incurred in investigating or remediating the breach will be allocated between Customer and Company. Such costs and expenses may include, but are not limited to: providing notification of the breach to parents and students whose covered information was compromised, or to regulatory agencies or entities required by law or contract to be notified of such breach; providing credit monitoring to students whose covered information was exposed; covering legal fees, audit costs, fines, and any other fees or damages imposed against Customer as a result of the breach; and/or providing any other notification requirements adopted by the state of Illinois.
In the event of a data breach under SOPPA, Customer shall be required to notify the parents and students whose covered information was accessed in such breach no later than thirty (30) days after receipt of the notice or determination that a breach has occurred from Company.