How we protect student & educator data

Data Processing Addendum

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Master Services Agreement between the applicable school district (“you” or “your”) and IEP Assure, Inc. (“Agreement”) and reflects our agreement with respect to the Processing of Personal Data by IEP Assure as a Processor on your behalf.

In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over other terms in the Agreement to the extent of such conflict or inconsistency.

Definitions

The terms used in this DPA shall have the meanings set forth in this DPA or as defined by Applicable Privacy Law, whichever is broader. Capitalized terms not otherwise defined herein or defined by Applicable Privacy Law shall have the meaning given to them in the Agreement. The following terms have the meanings set forth below:

“Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the Processing of Personal Data under the Agreement, including without limitation, the Family Educational Rights and Privacy Act (“FERPA”) and other applicable U.S. federal and state privacy laws, in each case as amended, repealed, consolidated, or replaced from time to time.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing Personal Data.

“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

“Instructions” means the written, documented instructions issued by you to IEP Assure, and directing IEP Assure to perform a specific or general action with regard to Personal Data.

“Personal Data” means any information relating to an identified or identifiable individual where such information is protected similarly as personal data, personal information, or personally identifiable information under Data Protection Laws.

“Privacy Authority” means any attorney general, or other regulator with responsibility for privacy or data protection matters.

“Process,” “Processing,” or “Processed” means any operation or set of operations, as defined in the Applicable Privacy Law, performed upon Personal Data whether or not by automatic means, including collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data.

“Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.

“Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by us and/or our Sub-processors in connection with the provision of the Services. “Security Breach” will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Services” means the services as described in the Agreement or any related order form.

“Sub-processor” means any Processor engaged by us to assist in fulfilling our obligations with respect to the Processing of Personal Data under the Agreement.

1. IEP Assure’s Obligations

1.1 Compliance with Instructions. We will only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of your lawful Instructions, except where and to the extent otherwise required by applicable law. We are not responsible for compliance with any Data Protection Laws applicable to you or your industry that are not generally applicable to us. If we become aware that we cannot Process Personal Data in accordance with your Instructions due to a legal requirement under any applicable law, we will (i) promptly notify you of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as you issue new Instructions with which we are able to comply. If this provision is invoked, we will not be liable to you under the Agreement for any failure to perform the applicable Services until such time as you issue new lawful Instructions with regard to the Processing.

1.2 Processing Restrictions. We will Process Personal Data strictly for the purpose of performing the Services under the Agreement (“Business Purpose”) or as otherwise permitted by Data Protection Laws. Further, we certify that we will not (i) “Sell” or “Share” Personal Data (as those terms are defined by Data Protection Laws); (ii) Process Personal Data outside the direct business relationship between the parties, unless required by applicable law; or (iii) combine your Personal Data with Personal Data that we collect or receive from another source (other than information we receive from another source in connection with our obligations under the Agreement). You have the right to take reasonable and appropriate steps to help ensure that we use Personal Data in a manner consistent with your obligations under Data Protection Laws. Upon notice, you have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate unauthorized use of Personal Data. The parties acknowledge and agree that the disclosure of Personal Data by you to us does not form part of any monetary or other valuable consideration exchanged between the parties.

1.3 FERPA. To the extent we receive or have access to Personally Identifiable Information in Education Records (as defined under FERPA), we act as a school official and will use such data solely to perform our obligations under the Agreement. We will not disclose this data except as permitted by FERPA or the Agreement, will maintain its confidentiality and security in accordance with FERPA, and will promptly notify you of any unauthorized use or disclosure. Upon termination or expiration of the Agreement, we will return or securely destroy this data unless retention is required by law.

1.4 Security and Confidentiality. We will implement and maintain appropriate technical and organizational measures to protect Personal Data from Security Breaches, as described under Schedule B to this DPA. Notwithstanding any provision to the contrary, we may modify or update the Security Measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures. We will ensure that any personnel whom we authorize to Process Personal Data on our behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.

1.5 Security Breaches. We will notify you without undue delay after we become aware of any Security Breach affecting your Personal Data and will provide timely information relating to the Security Breach as it becomes known or reasonably requested by you. At your request, we will promptly provide you with such reasonable assistance as necessary to enable you to notify relevant Security Breaches to competent authorities and/or affected Data Subjects, if you are required to do so under Data Protection Laws.

1.6 Deletion or Return of Personal Data. We will delete or return all Personal Data (including copies thereof) Processed pursuant to this DPA, on termination or expiration of your Services in accordance with the procedures set out in the Agreement. This term will apply except where we are required by applicable law to retain some or all of the Personal Data, or where we have archived Personal Data on back-up systems, which data we will securely isolate and protect from any further Processing and delete in accordance with our deletion practices.

1.7 Data Subject Requests. We may provide you with controls that you can use to retrieve, correct, delete, or restrict Personal Data, which you can use to assist you in connection with your obligations under Data Protection Laws, including your obligations relating to responding to requests from Data Subjects to exercise their rights under Data Protection Laws (“Data Subject Requests”). To the extent that you are unable to independently address a Data Subject Request through the Services, then upon your written request, we will provide reasonable assistance to you to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement. If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to us, we will promptly inform you and will advise the Data Subject to submit their request to you. You will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.

1.8 Sub-processors. You agree we may engage Sub-processors to Process Personal Data on your behalf. For example, we engage Sub-processors to assist us with hosting and infrastructure, and we may engage with Sub-processors to support product features and integrations. We have currently appointed, as Sub-processors, the third parties listed at our Sub-processors Page (“Sub-processors Page”). You may subscribe to receive notifications by email if we make changes to the Sub-processors Page. If you opt in to receive such email, we will notify you at least 30 days prior to any such changes.

We will give you the opportunity to object to the engagement of new Sub-processors on reasonable grounds relating to the protection of Personal Data within 30 days of notifying you. If you do notify us of such an objection, the parties will discuss your concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, we will, at our sole discretion, either not appoint the new Sub-processor, or permit you to suspend or terminate the affected Services in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by you prior to suspension or termination).

We will impose data protection terms on our Sub-processors that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-processors. We will remain responsible for any acts or omissions of such Sub-processors that cause us to breach any of our obligations under this DPA.

1.9 Cooperation and Demonstrating Compliance. To the extent that the required information is reasonably available to us, and you do not otherwise have access to the required information, we will provide reasonable assistance to you with any data protection impact assessments, and prior consultations with supervisory authorities. We will make all information reasonably necessary to demonstrate compliance with this DPA available to you and allow for and contribute to audits, where required by applicable law. Further, at your written request, we will provide written responses (on a confidential basis) to all reasonable requests for information made by you necessary to confirm our compliance with this DPA, provided that you will not exercise this right more than once per calendar year.

2. Your Obligations

2.1 Compliance with Laws. Within the scope of the Agreement and your use of the Services, you will be responsible for complying with all requirements that apply to you under Data Protection Laws with respect to your Processing of Personal Data. You acknowledge and agree that you will be solely responsible for: (i) the accuracy, quality, and legality of Personal Data and the means by which you acquired such data; (ii) complying with all necessary transparency and lawfulness requirements under Data Protection Laws for the collection and use of Personal Data, including providing adequate notices, obtaining any necessary consents and authorizations, and honoring opt-out preferences (particularly for use for marketing purposes); (iii) ensuring you have the right to transfer, or provide access to, the Personal Data to us for Processing in accordance with the terms of the Agreement (including this DPA); (iv) complying with all laws applicable to any messages or other content created, sent, or managed through the Services (including those relating to obtaining consents to send text and in-app messages, the content of text and in-app messages, and text message and in-app deployment practices); and (v) ensuring that your use of Personal Data complies with Data Protection Laws and is strictly limited to the purposes set out in the Agreement (including this DPA). You will inform us without undue delay if you are not able to comply with your responsibilities under this section or Data Protection Laws.

2.2 Instructions. You are responsible for ensuring that your Instructions to us regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws. The parties agree that the Agreement (including this DPA), together with your use of the Services in accordance with the Agreement, constitute your complete Instructions to us in relation to IEP Assure’s Processing of Personal Data, so long as you may provide additional instructions during the Term that are consistent with the Agreement and the nature and lawful use of the Services.

2.3 Security. You are responsible for independently determining whether the data security provided for in the Services adequately meets your obligations under Data Protection Laws. You are also responsible for your secure use of the Services, including protecting the security of Personal Data in transit to and from the Services (including to securely backup or encrypt such data).

3. General Terms

3.1 Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.

3.2 Limitation of Liability. Each party’s liability, taken in aggregate, arising out of or related to this DPA (including any other data processing agreements between the parties), whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the Limitation of Liability section of the Agreement.

3.3 Governing Law. This DPA will be governed by and construed in accordance with the Governing Law section of the Agreement, unless required otherwise by Data Protection Laws.

Schedule A — Details of Processing

List of Parties

Description of Processing

Schedule B — Security Measures

IEP Assure will implement and maintain the security measures set out in this Schedule B. IEP Assure reserves the right to revise these security measures at any time, without notice, so long as such revisions do not materially reduce the protection provided for Personal Data that IEP Assure processes in the course of providing the Services.

• Organizational management and staff responsible for the development, implementation and maintenance of IEP Assure’s information security controls. Executive leadership is involved in reviewing and approving all security policies.
• Audit and risk assessment procedures for the purposes of periodic review and assessment of security risks to IEP Assure’s organization, monitoring compliance with IEP Assure’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
• Logical separation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Personal Data.
• Personal Data is encrypted in transit using Transport Layer Security. TLS is active on all accounts by default and cannot be disabled by end users. Personal Data (including backups) is encrypted at rest with Advanced Encryption Standard (AES).
• Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
• User IDs and password configuration requirements have been established that are designed to prevent unauthorized access to production systems.
• Operational procedures and controls to provide for application deployment and change management, capacity management, and separation of development, testing and production.
• Incidents are handled in accordance with IEP Assure’s incident response plan. Designated personnel are responsible for managing the response process in accordance with the incident response plan, completing investigations, mitigation, and coordinating any external communications that may be necessary.
• IEP Assure implements vulnerability assessment and threat protection technologies and scheduled monitoring procedures to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
• Business continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.