Common use of Additional Statutory and Regulatory Obligations Clause in Contracts

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Washington-Saratoga-Xxxxxx-Xxxxxxxx-Essex BOCES is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: Parents (including legal guardians or persons in parental relationships) and Eligible Students (students 18 years and older) can expect the following: 1. A student’s personally identifiable information (PII) cannot be sold or released for any commercial purpose. PII, as defined by Education Law § 2-d and FERPA, includes direct identifiers such as a student’s name or identification number, parent’s name, or address; and indirect identifiers such as a student’s date of birth, which when linked to or combined with other information can be used to distinguish or trace a student’s identity. Please see FERPA’s regulations at 34 CFR 99.3 for a more complete definition. 2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. This right may not apply to parents of an Eligible Student. 3. State and federal laws such as Education Law § 2-d; the Commissioner of Education’s Regulations at 8 NYCRR Part 121, the Family Educational Rights and Privacy Act ("FERPA") at 12 U.S.C. 1232g (34 CFR Part 99); Children's Online Privacy Protection Act ("COPPA") at 15 U.S.C. 6501-6502 (16 CFR Part 312); Protection of Pupil Rights Amendment ("PPRA") at 20 U.S.C. 1232h (34 CFR Part 98); the Individuals with Disabilities Education Act (“IDEA”) at 20 U.S.C. 1400 et seq. (34 CFR Part 300); protect the confidentiality of a student’s identifiable information. 4. Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred. 5. A complete list of all student data elements collected by NYSED is available for public review at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, and by writing to the Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 6. The right to have complaints about possible breaches and unauthorized disclosures of student data addressed. ○ Contact WSWHE BOCES Data Protection Officer: Xxxxxx Xxxxxxxxx-Xxxxxx, Director for Data Privacy & Professional Learning, by email: xxxxxxxxxx-xxxxxx@xxxxxxxxxx.xxx, or by phone: 000-000-0000. Complaints should be submitted in writing using the form that is available on the BOCES website and in the BOCES offices. ○ Complaints may also be submitted to NYSED online at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, by mail to: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000, by email to xxxxxxx@xxxxx.xxx, or by telephone at 000-000-0000.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Washington-Saratoga-Xxxxxx-Xxxxxxxx-Essex BOCES is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: Parents (including legal guardians or persons in parental relationships) and Eligible Students (students 18 years and older) can expect the following: 1. A student’s personally identifiable information (PII) cannot be sold or released for any commercial purpose. PII, as defined by Education Law § 2-d and FERPA, includes direct identifiers such as a student’s name or identification number, parent’s name, or address; and indirect identifiers such as a student’s date of birth, which when linked to or combined with other information can be used to distinguish or trace a student’s identity. Please see FERPA’s regulations at 34 CFR 99.3 for a more complete definition. 2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. This right may not apply to parents of an Eligible Student. 3. State and federal laws such as Education Law § 2-d; the Commissioner of Education’s Regulations at 8 NYCRR Part 121, the Family Educational Rights and Privacy Act ("FERPA") at 12 U.S.C. 1232g (34 CFR Part 99); Children's Online Privacy Protection Act ("COPPA") at 15 U.S.C. 6501-6502 (16 CFR Part 312); Protection of Pupil Rights Amendment ("PPRA") at 20 U.S.C. 1232h (34 CFR Part 98); the Individuals with Disabilities Education Act (“IDEA”) at 20 U.S.C. 1400 et seq. (34 CFR Part 300); protect the confidentiality of a student’s identifiable information. 4. Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred. 5. A complete list of all student data elements collected by NYSED is available for public review at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, and by writing to the Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 6. The right to have complaints about possible breaches and unauthorized disclosures of student data addressed. ○ Contact WSWHE BOCES Data Protection Officer: Xxxxxxx Xxxxxxxxx-Xxxxxx, Director for Data Privacy & Professional Learning, by email: xxxxxxxxxx-xxxxxx@xxxxxxxxxx.xxx, or by phone: 518-581- 3518. Complaints should be submitted in writing using the form that is available on the BOCES website and in the BOCES offices. ○ Complaints may also be submitted to NYSED online at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, by mail to: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000, by email to xxxxxxx@xxxxx.xxx, or by telephone at 000-000-0000.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.. EXHIBIT A (CONTINUED)

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. 1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with third- party contractors this list of obligations that are imposed on third-party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Xxxxxxxx Central School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1. A student's personally identifiable information cannot be sold or released for any commercial purposes. 2. Parents have the right to inspect and review the complete contents of their child's education record. 3. State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4. A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 000 XXX, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5. Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/form/report-improper-disclosure.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. 1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with third- party contractors this list of obligations that are imposed on third-party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Xxxxxxxx Central School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1. A student's personally identifiable information cannot be sold or released for any commercial purposes. 2. Parents have the right to inspect and review the complete contents of their child's education record. 3. State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4. A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5. Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/form/report-improper-disclosure.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. EXHIBIT [ A ] (CONTINUED) The Lowville Academy and Central School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1. A student’s personally identifiable information cannot be sold or released for any commercial purposes. 2. Parents have the right to inspect and review the complete contents of their child’s education record. 3. State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4. A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5. Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data- privacy/form/report-improper-discosure.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Subscription Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Subscription Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Subscription Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Subscription Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or 1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with third-party contractors this list of obligations that are imposed on third-party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts. (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-2- d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The District, in compliance with Education Law §2-d, provides the following: As used in this policy, the following terms are defined: Student Data means personally identifiable information from the student records of a District student.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. 1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with third-party contractors this list of obligations that are imposed on third-party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts. (g) To comply with the District’s policy on data security and privacy, Section 2-2- d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Panama Central School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1) A student's personally identifiable information cannot be sold or released for any commercial purposes. 2) Parents have the right to inspect and review the complete contents of their child's education record. 3) State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4) A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5) Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/form/report-improper- disclosure.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. EXHIBIT [A] (CONTINUED) The Pleasantville Union Free School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1) A student's personally identifiable information cannot be sold or released for any commercial purposes. 2) Parents have the right to inspect and review the complete contents of their child's education record. 3) State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4) A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5) Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/form/report-improper- disclosure.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. 1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with third- party contractors this list of obligations that are imposed on third-party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Xxxxxxxx Central School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1. A student's personally identifiable information cannot be sold or released for any commercial purposes. 2. Parents have the right to inspect and review the complete contents of their child's education record. 3. State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4. A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5. Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/form/report-improper-disclosure.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Washington-Saratoga-Xxxxxx-Xxxxxxxx-Essex BOCES is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: Parents (including legal guardians or persons in parental relationships) and Eligible Students (students 18 years and older) can expect the following: 1. A student’s personally identifiable information (PII) cannot be sold or released for any commercial purpose. PII, as defined by Education Law § 2-d and FERPA, includes direct identifiers such as a student’s name or identification number, parent’s name, or address; and indirect identifiers such as a student’s date of birth, which when linked to or combined with other information can be used to distinguish or trace a student’s identity. Please see FERPA’s regulations at 34 CFR 99.3 for a more complete definition. 2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. This right may not apply to parents of an Eligible Student. 3. State and federal laws such as Education Law § 2-d; the Commissioner of Education’s Regulations at 8 NYCRR Part 121, the Family Educational Rights and Privacy Act ("FERPA") at 12 U.S.C. 1232g (34 CFR Part 99); Children's Online Privacy Protection Act ("COPPA") at 15 U.S.C. 6501-6502 (16 CFR Part 312); Protection of Pupil Rights Amendment ("PPRA") at 20 U.S.C. 1232h (34 CFR Part 98); the Individuals with Disabilities Education Act (“IDEA”) at 20 U.S.C. 1400 et seq. (34 CFR Part 300); protect the confidentiality of a student’s identifiable information. 4. Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred. 5. A complete list of all student data elements collected by NYSED is available for public review at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, and by writing to the Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 6. The right to have complaints about possible breaches and unauthorized disclosures of student data addressed. ○ Contact WSWHE BOCES Data Protection Officer: Xxxxxx Xxxxxxxxx-Xxxxxx, Director for Data Privacy & Professional Learning, by email: xxxxxxxxxx-xxxxxx@xxxxxxxxxx.xxx, or by phone: 518-581- 3518. Complaints should be submitted in writing using the form that is available on the BOCES website and in the BOCES offices. ○ Complaints may also be submitted to NYSED online at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, by mail to: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000, by email to xxxxxxx@xxxxx.xxx, or by telephone at 000-000-0000.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and these Terms and Conditions. Vendor acknowledges and agrees to the terms of this Data Sharing and Confidentiality Agreementfollowing: (a) i. To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access to the Protected Data in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) ii. To not use Protected Data for any purposes other than those not explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attachedor these Terms and Conditions. (c) iii. To not disclose any Protected Data to any other party, except for authorized representatives employees, subcontractors, or assignees of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) a. the parent or eligible student has provided prior written consent; or (ii) b. the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) iv. To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) v. To use encryption technology to protect Protected Data in its custody while in motion or and at rest, using a technology or methodology specified or permitted by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) vi. To adopt technologies, safeguards and practices that align with the U.S. Department of Commerce National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity, “NIST Cybersecurity Framework” (Version 1.1). (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) vii. To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Washington-Saratoga-Xxxxxx-Xxxxxxxx-Essex BOCES is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: Parents (including legal guardians or persons in parental relationships) and Eligible Students (students 18 years and older) can expect the following: 1. A student’s personally identifiable information (PII) cannot be sold or released for any commercial purpose. PII, as defined by Education Law § 2-d and FERPA, includes direct identifiers such as a student’s name or identification number, parent’s name, or address; and indirect identifiers such as a student’s date of birth, which when linked to or combined with other information can be used to distinguish or trace a student’s identity. Please see FERPA’s regulations at 34 CFR 99.3 for a more complete definition. 2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. This right may not apply to parents of an Eligible Student. 3. State and federal laws such as Education Law § 2-d; the Commissioner of Education’s Regulations at 8 NYCRR Part 121, the Family Educational Rights and Privacy Act ("FERPA") at 12 U.S.C. 1232g (34 CFR Part 99); Children's Online Privacy Protection Act ("COPPA") at 15 U.S.C. 6501-6502 (16 CFR Part 312); Protection of Pupil Rights Amendment ("PPRA") at 20 U.S.C. 1232h (34 CFR Part 98); the Individuals with Disabilities Education Act (“IDEA”) at 20 U.S.C. 1400 et seq. (34 CFR Part 300); protect the confidentiality of a student’s identifiable information. 4. Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred. 5. A complete list of all student data elements collected by NYSED is available for public review at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, and by writing to the Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 6. The right to have complaints about possible breaches and unauthorized disclosures of student data addressed. ○ Contact WSWHE BOCES Data Protection Officer: Xx. Xxxxxx Xxxxxx, Assistant Superintendent for Educational & Support Programs, by email: xxxxxxxx@xxxxxxxxxx.xxx, or by phone: 000-000-0000. Complaints should be submitted in writing using the form that is available on the BOCES website and in the BOCES offices. ○ Complaints may also be submitted to NYSED online at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, by mail to: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000, by email to xxxxxxx@xxxxx.xxx, or by telephone at 000-000-0000.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Washington-Saratoga-Xxxxxx-Xxxxxxxx-Essex BOCES is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: Parents (including legal guardians or persons in parental relationships) and Eligible Students (students 18 years and older) can expect the following: 1. A student’s personally identifiable information (PII) cannot be sold or released for any commercial purpose. PII, as defined by Education Law § 2-d and FERPA, includes direct identifiers such as a student’s name or identification number, parent’s name, or address; and indirect identifiers such as a student’s date of birth, which when linked to or combined with other information can be used to distinguish or trace a student’s identity. Please see FERPA’s regulations at 34 CFR 99.3 for a more complete definition. 2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. This right may not apply to parents of an Eligible Student. 3. State and federal laws such as Education Law § 2-d; the Commissioner of Education’s Regulations at 8 NYCRR Part 121, the Family Educational Rights and Privacy Act ("FERPA") at 12 U.S.C. 1232g (34 CFR Part 99); Children's Online Privacy Protection Act ("COPPA") at 15 U.S.C. 6501-6502 (16 CFR Part 312); Protection of Pupil Rights Amendment ("PPRA") at 20 U.S.C. 1232h (34 CFR Part 98); the Individuals with Disabilities Education Act (“IDEA”) at 20 U.S.C. 1400 et seq. (34 CFR Part 300); protect the confidentiality of a student’s identifiable information. 4. Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred. 5. A complete list of all student data elements collected by NYSED is available for public review at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, and by writing to the Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 6. The right to have complaints about possible breaches and unauthorized disclosures of student data addressed. ○ Contact WSWHE BOCES Data Protection Officer: Xxxxxxx Xxxxxxxxx-Xxxxxx, Director for Data Privacy & Professional Learning, by email: xxxxxxxxxx-xxxxxx@xxxxxxxxxx.xxx, or by phone: 000-000-0000. Complaints should be submitted in writing using the form that is available on the BOCES website and in the BOCES offices. ○ Complaints may also be submitted to NYSED online at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, by mail to: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000, by email to xxxxxxx@xxxxx.xxx, or by telephone at 000-000-0000.

Additional Statutory and Regulatory Obligations. Vendor Provider acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from under the DistrictAgreements, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a material breach of the Master Agreement and the terms of this Data Sharing and Confidentiality AgreementAgreements: (a) To limit Limit internal access to Protected Data and education records to only those individuals that are determined to have a legitimate educational interest within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA). (b) Limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they ) and need access in order to assist Vendor Provider in fulfilling one or more of its obligations to the District Client under the Master AgreementAgreements. (bc) To not use education records or Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and under the Master Agreement to which this Exhibit is attachedAgreements. (cd) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor Provider using the information to carry out Vendor’s Provider's obligations to the District Client and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute statute, or court order and notice of the disclosure is provided to the District Client no later than the time of disclosure, unless such notice notification is expressly prohibited by the statute or court order. (de) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (ef) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (fg) Where the student, teacher, or principal data will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including such data will be encrypted. (h) To adopt technologies, safeguards safeguards, and practices that align with the NIST Cybersecurity Framework. (gi) To comply with the District’s Client's policy on data security and privacy, Section 2-d and Part 121. (hj) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (ik) To notify the DistrictClient, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality AgreementExhibit, of any breach of security resulting in an unauthorized release of Protected Data by Vendor Provider or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Client's Xxxx of Rights for Data Security and Privacy, the District’s Client's policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this ExhibitAgreements. (jl) To cooperate with the District Client and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (km) To pay for or promptly reimburse the District Client for the full cost of notification, in the event the District Client is required under Section 2-d to notify affected parents, students, teachers teachers, or principals of a breach or unauthorized release of Protected Data attributed to Vendor Provider or its subcontractors or assignees. The Cheektowaga-Xxxxx Union Free School Client is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the Client informs the school community of the following: 1) A student's personally identifiable information cannot be sold or released for any commercial purposes. 2) Parents have the right to inspect and review the complete contents of their child's education records. 3) State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4) A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data- inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5) Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/form/report-improper-disclosure.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Cyber security Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The District, in compliance with Education Law §2-d, provides the following: As used in this policy, the following terms are defined: Student Data means personally identifiable information from the student records of a District student.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology TLS L1.2 or methodology specified by higher for data transmitted between the Secretary of District and Vendor and the U.S. Department of Health product over public networks; and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5AES 256 or stronger for data stored on Vendor’s servers. (f) To adopt technologies, safeguards and practices that align with is comparable to the NIST Cybersecurity Framework. Canva Pty Ltd meets the requirements of ISO 27001 for security and privacy measures. (g) To comply with the District’s policy on data security and privacy, Section 2-d 2d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the . The Arlington Central School District is required under committed to protecting the privacy and security of student data, as well as teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1) A student's personally identifiable information cannot be sold or released for any commercial purposes. 2) Parents have the right to notify affected parentsinspect and review the complete contents of their child's education record. 3) State and federal laws protect the confidentiality of personally identifiable information, studentsand safeguards associated with industry standards and best practices, teachers including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or principals transferred. 4) A complete list of all student data elements collected by New York State is available electronically: Student Data Inventory. A request for the Student Data Inventory can also be made in writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5) Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing as follows: Xx. Xxxxxxx Xxxxxxxxxx Data Privacy Officer Arlington Central School District 000 Xxxx Xxxx Road LaGrangeville,NY 12540 or via email at xxxxxxxxxxx@xxxxxx.xxx or to Privacy Complaint, Chief Privacy Officer New York State Education Department 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000 Complaints may also be submitted using the Report an Improper Disclosure Form. 6) To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assigneestheir student’s PII occurs. 7) Educational agency workers that handle PII will receive training on applicable state and federal laws, the educational agency’s policies, and safeguards associated with industry standards and best practices that protect PII. 8) Educational agency contracts with vendors that receive PII will address statutory and regulatory data privacy and security requirements.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-2- d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Subscription Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Subscription Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Subscription Agreement, unless: (i) the parent or eligible student has provided prior written consent; or or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Subscription Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s 's obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s 's policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s 's Bill of Rights for Data Security and Privacy, the District’s 's policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Washington-Saratoga-Xxxxxx-Xxxxxxxx-Essex BOCES is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: Parents (including legal guardians or persons in parental relationships) and Eligible Students (students 18 years and older) can expect the following: 1. A student's personally identifiable information (PII) cannot be sold or released for any commercial purpose. PII, as defined by Education Law § 2-d and FERPA, includes direct identifiers such as a student's name or identification number, parent's name, or address; and indirect identifiers such as a student's date of birth, which when linked to or combined with other information can be used to distinguish or trace a student's identity. Please see FERPA's regulations at 34 CFR 99.3 for a more complete definition. 2. The right to inspect and review the complete contents of the student's education record stored or maintained by an educational agency. This right may not apply to parents of an Eligible Student. 3. State and federal laws such as Education Law § 2-d; the Commissioner of Education's Regulations at 8 NYCRR Part 121, the Family Educational Rights and Privacy Act ("FERPA") at 12 U.S.C. 1232g (34 CFR Part 99); Children's Online Privacy Protection Act ("COPPA") at 15 U.S.C. 6501-6502 (16 CFR Part 312); Protection of Pupil Rights Amendment ("PPRA") at 20 U.S.C. 1232h (34 CFR Part 98); the Individuals with Disabilities Education Act (“IDEA”) at 20 U.S.C. 1400 et seq. (34 CFR Part 300); protect the confidentiality of a student's identifiable information. 4. Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred. 5. A complete list of all student data elements collected by NYSED is available for public review at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, and by writing to the Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 6. The right to have complaints about possible breaches and unauthorized disclosures of student data addressed. ○ Contact WSWHE BOCES Data Protection Officer: Xxxxxx Xxxxxxxxx-Xxxxxx, Director for Data Privacy & Professional Learning, by email: xxxxxxxxxx-xxxxxx@xxxxxxxxxx.xxx, or by phone: 000-000-0000. Complaints should be submitted in writing using the form that is available on the BOCES website and in the BOCES offices. ○ Complaints may also be submitted to NYSED online at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, by mail to: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000, by email to xxxxxxx@xxxxx.xxx, or by telephone at 000-000-0000.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts. PARENTS BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY Pursuant to Section 2-c and 2-d of the Education Law, parents and students are entitled to certain protections regarding confidential student information. The Xxxxxx/Northern Westchester X.X.X.X.X.xx committed to safeguarding personally identifiable information from unauthorized access or disclosure as set forth below: 1. A student's personally identifiable information cannot be sold or released for any commercial purposes. 2. Parents have the right to inspect and review the complete contents of their child's education record. 3. The District is committed to implementing safeguards associated with industry standards and best practices under state and federal laws protecting the confidentiality of personally identifiable information, including but not limited to, encryption, firewalls, and password protection when data is stored or transferred. 4. A complete list of all student data elements collected by the State is available for public review at xxxx://xxx.xxxxx.xxx/data-privacy-security/student-data-inventory or by writing to the NYS Education Department, Information & Reporting Services, Room 000 XXX, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, XX 00000. 5. Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed to Data Privacy Officer, Xxxxx Xxxxxxx, xxxxxxxx@xxxxxxxxxxxxxxxxx.xxx, (914) 432- 8121, 00 Xxxxxx Xxxx, Briarcliff Manor, NY 10510. 6. The District has entered into contracts with certain third-party contractors (“TPC”) who have been sent personally identifiable student data as defined in 34 C.F.R. §99.3 and/or personally identifying teacher and/or principal data as defined by Education Law §3012-c(10). The following information about such contractors appears in such supplemental information to this document for each contract with a TPC, as required by law: ● The exclusive purposes for which the student or teacher or principal data will be used by the TPC, as defined in the contract; ● How the TPC will ensure that its subcontractors or other authorized individuals who will be in receipt of the data will abide by the applicable data privacy and security requirements of the federal and state laws and regulations (e.g., FERPA; Education Law §2-d); ● The duration of the contract that sets forth its expiration date and description of what will be done with the data upon the expiration of the contract (e.g. whether, when and in what format the data will be returned to the educational agency or destroyed); and ● If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the data that is collected.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. 1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with third-party contractors this list of obligations that are imposed on third- party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.. The District, in compliance with Education Law §2-d, provides the following: DEFINITIONS: As used in this policy, the following terms are defined: Student Data means personally identifiable information from the student records of a District student. Teacher or Principal Data means personally identifiable information from District records relating to the annual professional performance reviews of classroom teachers or Principals that is confidential and not subject to release under the provisions of Education Law §§3012-c and 3012-d.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. 1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with third- party contractors this list of obligations that are imposed on third-party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices to safeguard Protected Data that align with the NIST Cybersecurity Frameworkgood industry practices. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Xxxxxxxx Central School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1. A student's personally identifiable information cannot be sold or released for any commercial purposes. 2. Parents have the right to inspect and review the complete contents of their child's education record. 3. State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4. A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 000 XXX, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5. Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/form/report-improper-disclosure.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-2- d and Part 121. 1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with third-party contractors this list of obligations that are imposed on third-party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Panama Central School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1) A student's personally identifiable information cannot be sold or released for any commercial purposes. 2) Parents have the right to inspect and review the complete contents of their child's education record. 3) State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4) A complete list of all student data elements collected by New York State is available for public review at the following website http:// xxx.xxxxx.xxx/xxxxxxx-xxxx-xxxxxxx/xxxxxxx-xxxx-xxxxxxxxx or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5) Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/form/report-improper- disclosure.

Additional Statutory and Regulatory Obligations. Vendor Quizizz acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the School or District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement MasterAgreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor Quizizz in fulfilling one or more of its obligations to the School or District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor Quizizz using the information to carry out VendorQuizizz’s obligations to the School or District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: : (i) the parent or eligible student has provided prior written consent; or or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the School or District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use Use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the School or District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the School or District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor Quizizz or its assignees or subcontractors in violation of applicable state or federal law, the School or District’s Bill Xxxx of Rights for Data Security and Privacy, the School or District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the School or District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the School or District for the full cost of notification, in the event the School or District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor Quizizz or its subcontractors or assignees. Quizizz and this New York School or School or District are committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the School or District informs the school community of the following: Parents and eligible students can expect the following: 1. A student's personally identifiable (PII) information cannot be sold or released for any commercial purposes. 2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. 3. State and federal laws, such as NYS Education Law §2-d and the Family Educational Rights and Privacy Act, that protect the confidentiality of personally identifiable information PII, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4. A complete list of all student data elements collected by NYSED is available for public review at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, and by writing to the Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5. The right to have complaints about possible breaches and unauthorized disclosures of student data addressed. Contact at School or District: Xxxxx Xxxxxxxx by email: xxxxxxxxx@xxxxxxxxxxxxxxxxxxxxxxxxxxx.xxx, or by phone: 000-000-0000. Complaints should be submitted in writing via email. Complaints may also be submitted to NYSED online xxxxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, by mail to: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000, by email to xxxxxxx@xxxxx.xxx, or by telephone at 000-000-0000. 6. To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of their student’s PII occurs.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit Supplement is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations regulations, and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, disclosure unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (ih) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this ExhibitSupplement. (ji) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (kj) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. ___________ In witness whereof, this Supplement is entered into by the Parties as of the date last signed by the parties below. Nearpod Inc. By: Name: Xxxx Xxxxxxx Title: Chief Executive Officer Date: 2/4/2021 District [Olean City School District] Digitally signed by Marc Friends DN: cn=Marc Friends, o=Olean City School District, ou, xxxxx=xxxxxxxx@xxxxxxxxxxxx.xxx, c=US By: Date: 2021.02.04 10:22:06 -05'00' Name: Marc Friends Title: Technology Coordinator Date: 2-4-21 Pursuant to New York State Education Law 2-d, Parents, Legal Guardians, and persons in parental relation to a student are entitled to certain rights regarding their child’s personally identifiable information, as defined by Education Law 2-d. This document contains a plain-English summary of such rights. 1. A student’s personally identifiable information cannot be sold or released for any commercial purposes. 2. Parents have the right to inspect and review the complete contents of their child’s educational records maintained by Olean City School District. 3. State and Federal Laws protect the confidentiality of personally identifiable student information, and safeguards associated with industry standards and best practices, including, but not limited to, encryption, firewalls, and password protection must be in place when data is stored or transferred. 4. A complete list of all student data elements collected by New York State is available for review at the following website: xxxx://xxx.x00.xxxxx.xxx/irs/sirs/documentation/NYSEDstudentData.xlsx The list may also be made available by writing to: Office of Information & Reporting Services New York State Education Department Room 863 EBA, 00 Xxxxxxxxxx Xxxxxx Xxxxxx, XX 00000 5. Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed to: Olean City School District 000 X. Xxxxxxxx St. Olean, NY 14760 Email: XXX@XxxxxXxxxxxx.xxx OR Chief Privacy Officer New York State Education Department 00 Xxxxxxxxxx Xxxxxx, XX 000 Xxxxxx, XX 00000 Phone: (000) 000-0000 Email: Xxxxxxx@xxxxx.xxx 6. Each contract with a third-party contractor which will receive student data, or teacher or principal data will include information addressing the following: a. The exclusive purposes for which the student data or teacher or principal data will be used. b. How the third-party contractor will ensure that the subcontractors, persons, or entities that the third-party contractor will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements. c. When the agreement expires and what happens to the student data or teacher and principal data upon expiration of the agreement. d. If and how a parent, student, a student over eighteen years of age, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected; and e. Where the student data or teacher or principal data will be stored, and the security protections taken to ensure such data will be protected, including whether such data will be encrypted.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under 1 1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with respect third-party contractors this list of obligations that are imposed on third-party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to any Protected Data received from the District, and that any failure to fulfill one or more of include these statutory or and regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:within their third-party contracts. (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.. ADDENDUM B (CONTINUED) PARENTS BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY Pursuant to Section 2-c and 2-d of the Education Law, parents and students are entitled to certain protections regarding confidential student information. The Xxxxxx/Northern Westchester X.X.X.X.X.xx committed to safeguarding personally identifiable information from unauthorized access or disclosure as set forth below: 1. A student's personally identifiable information cannot be sold or released for any commercial purposes; 2. Parents have the right to inspect and review the complete contents of their child's education record; 3. The B.O.C.E.S. is committed to implementing safeguards associated with industry standards and best practices under state and federal laws protecting the confidentiality of personally identifiable information, including but not limited to, encryption, firewalls, and password protection when data is stored or transferred; 4. A complete list of all student data elements collected by the State is available for public review at xxxx://xxx.x00.xxxxx.xxx/irs/vendors/templates.html or by writing to the NYS Education Department, Information & Reporting Services, Room 000 XXX, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, XX 00000;

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-2- d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality AgreementAddendum: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement Addendum and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality AgreementAddendum, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To Where a breach or unauthorized release of Protected Data occurs that is attributable to Vendor, to pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assigneesprincipals.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s 's obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s 's policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s 's Bill of Rights for Data Security and Privacy, the District’s 's policies on data security and 1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with third-party contractors this list of obligations that are imposed on third-party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts. privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. xxxxxxx@xxxx.xxx xxx.xxxx.xxx The Greater Amsterdam School District is committed to ensuring student privacy in accordance with local, state and federal regulations and district policies. To this end and pursuant to U.S. Department of Education (DOE) regulations (Education Law §2-d), the district is providing the following Parents' Bill of Rights for Data Privacy and Security: o A student's personally identifiable information cannot be sold or released for any commercial or marketing purposes. o Parents/guardians have the right to inspect and review the complete contents of their child's education record, including any student data maintained by the Greater Amsterdam School District. o State and federal laws protect the confidentiality of personally identifiable information and safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls and password protection, must be in place when data is stored or transferred. o A complete list of all student data elements collected by the state is available for public review in an Excel file at xxxx://xxx.x00.xxxxx.xxx/irs/sirs/documentation/NYSEDstudentData.xlsx. o Parents/guardians may also obtain a copy of this list by writing to the Office of Information and Reporting Services, New York State Education Department, Room 863 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. o Parents have the right to have complaints about possible breaches ad unauthorized disclosures of student data. Complaints may be submitted by mail to Xxxx Xxxxxx, Chief Security Officer, Greater Amsterdam School District,000 Xxxxxxxx Xxx., Xxxxxxxxx XX 00000; by email to xxxxxxxxxxx@xxxx.xxx. Complaints may be submitted to NYSED online at xxx.xxxxx.xxx/xxxx- privacy-security or by mail to: Chief Privacy Officer, New York State Education Department, 89 Washington Ave., Albany NY 12234, by mail by xxxxxxx@xxxxx.xxx or by telephone at 000-000-0000. Name Xxxx X. Xxx Date 10/13/2020 Signature _ Company Name N_epris In_c. Product Name Nepris

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. EXHIBIT [ A ] (CONTINUED) The Lowville Academy and Central School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1. A student’s personally identifiable information cannot be sold or released for any commercial purposes. 2. Parents have the right to inspect and review the complete contents of their child’s education record. 3. State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4. A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5. Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/form/report-improper-discosure.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-2- d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.. Pursuant to Section 2-c and 2-d of the Education Law, parents and students are entitled to certain protections regarding confidential student information. The Valhalla Union Free School Xxxxxxxx.xx committed to safeguarding personally identifiable information from unauthorized access or disclosure as set forth below: 1. A student's personally identifiable information cannot be sold or released for any commercial purposes; 2. Parents have the right to inspect and review the complete contents of their child's education record; 3. The Xxxxxxxx.xx committed to implementing safeguards associated with industry standards and best practices under state and federal laws protecting the confidentiality of personally identifiable information, including but not limited to, encryption, firewalls, and password protection when data is stored or transferred; 4. A complete list of all student data elements collected by the State is available for public review at xxxx://xxx.x00.xxxxx.xxx/irs/vendors/templates.html or by writing to the NYS Education Department, Information & Reporting Services, Room 863 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, XX 00000;

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. 1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with third- party contractors this list of obligations that are imposed on third-party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 1211. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, Privacy or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Xxxxxxxx Central School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1. A student's personally identifiable information cannot be sold or released for any commercial purposes. 2. Parents have the right to inspect and review the complete contents of their child's education record. 3. State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4. A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 000 XXX, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5. Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/form/report-improper-disclosure.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the 1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with third-party contractors this list of obligations that are imposed on third-party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts. U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-2- d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Pocantico Hills C.S.D. (“District”) has entered into a Master Agreement with , which governs the availability to the District of the following products or services. Pursuant to the Master Agreement (which includes a Data Sharing and Confidentiality Agreement), the District may provide to Vendor, and Vendor will receive, personally identifiable information about students and/or teachers and principals that is protected by Section 2-d of the New York Education Law (“Protected Data”).

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e.FERPA);i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.. EXHIBIT A (CONTINUED)

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and or the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or; (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order; or (iii) or as authorized by the Master Agreement. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To reasonably cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.. EXHIBIT A (CONTINUED)

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit Supplement is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (ih) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this ExhibitSupplement. (ji) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (kj) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. In witness whereof, this Supplement is entered into by the Parties as of the date last signed by the parties below. Nearpod Inc. District Prattsburgh Central School District By: Name: Xxxxxxxx Xxxxx Title: CFO Date: 02 / 15 / 2023 By: _Xxxxxxxx XxXxxxxxx Name: Xxxxxxxx XxXxxxxxx Title: Data Protection Officer Assistant Date: 02/14/23 1. A student’s personally identifiable information (PII) cannot be sold or released for any Commercial or Marketing purpose. PII, as defined by Education Law § 2-d and 2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. This right may not apply to Parents of an Eligible Student. 3. State and federal laws such as Education Law § 2-d; the Commissioner of Education’s Regulations at 8 NYCRR Part 121, FERPA at 12 U.S.C. 1232g (34 CFR 4. Safeguards associated with industry standards and best practices including, but not limited to, encryption, firewalls and password protection must be in place when student PII is stored or transferred. 5. A complete list of all student data elements collected by NYSED is available at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx/xxxxxxx-xxxx-xxxxxxxxx and by writing to: Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234. 6. The right to have complaints about possible breaches and unauthorized disclosures of PII addressed. (i) Complaints may be submitted to

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. 1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with third-party contractors this list of obligations that are imposed on third-party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts. PARENTS XXXX OF RIGHTS FOR DATA PRIVACY AND SECURITY Pursuant to Section 2-c and 2-d of the Education Law, parents and students are entitled to certain protections regarding confidential student information. The Xxxxxx/Northern Westchester X.X.X.X.X.xx committed to safeguarding personally identifiable information from unauthorized access or disclosure as set forth below: 1. A student's personally identifiable information cannot be sold or released for any commercial purposes. 2. Parents have the right to inspect and review the complete contents of their child's education record. 3. The District is committed to implementing safeguards associated with industry standards and best practices under state and federal laws protecting the confidentiality of personally identifiable information, including but not limited to, encryption, firewalls, and password protection when data is stored or transferred. 4. A complete list of all student data elements collected by the State is available for public review at xxxx://xxx.xxxxx.xxx/data-privacy-security/student-data-inventory or by writing to the NYS Education Department, Information & Reporting Services, Room 000 XXX, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, XX 00000. 5. Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed to Data Privacy Officer, Xxxxx Xxxxxxx, xxxxxxxx@xxxxxxxxxxxxxxxxx.xxx, (914) 432- 8121, 00 Xxxxxx Xxxx, Briarcliff Manor, NY 10510. 6. The District has entered into contracts with certain third-party contractors (“TPC”) who have been sent personally identifiable student data as defined in 34 C.F.R. §99.3 and/or personally identifying teacher and/or principal data as defined by Education Law §3012-c(10). The following information about such contractors appears in such supplemental information to this document for each contract with a TPC, as required by law: ● The exclusive purposes for which the student or teacher or principal data will be used by the TPC, as defined in the contract; ● How the TPC will ensure that its subcontractors or other authorized individuals who will be in receipt of the data will abide by the applicable data privacy and security requirements of the federal and state laws and regulations (e.g., FERPA; Education Law §2-d); ● The duration of the contract that sets forth its expiration date and description of what will be done with the data upon the expiration of the contract (e.g. whether, when and in what format the data will be returned to the educational agency or destroyed); and ● If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the data that is collected.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. 1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with third-party contractors this list of obligations that are imposed on third-party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Panama Central School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1) A student's personally identifiable information cannot be sold or released for any commercial purposes. 2) Parents have the right to inspect and review the complete contents of their child's education record. 3) State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4) A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5) Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data- privacy/form/report-improper-disclosure.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Pleasantville Union Free School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1) A student's personally identifiable information cannot be sold or released for any commercial purposes. 2) Parents have the right to inspect and review the complete contents of their child's education record. 3) State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4) A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5) Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/form/report-improper- disclosure.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or knowingly facilitate its use or disclosure by any other party for any marketing or commercial purpose or knowingly permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. EXHIBIT A (CONTINUED) The Lowville Academy and Central School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1. A student’s personally identifiable information cannot be sold or released for any commercial purposes. 2. Parents have the right to inspect and review the complete contents of their child’s education record. 3. State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4. A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5. Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data- privacy/form/report-improper-discosure.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit Supplement is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (ih) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this ExhibitSupplement. (ji) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (kj) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. In Witness whereof this Supplement is accepted and agreed to by the parties as of the date signed below: Nearpod Inc. By: District: By: Xxxx Xxxxxxx, CEO Date: 10/2/2020 Name: Title: Date: Xxxxxx-Xxxxxxx Xxxxxx CEO 11/13/2020 Coney Island Prep, in recognition of the risk of identity theft and unwarranted invasion of privacy, affirms its commitment to safeguarding student personally identifiable information (PII) in educational records from unauthorized access or disclosure in accordance with State and Federal law. Coney Island Prep establishes the following parental xxxx of rights: Student PII will be collected and disclosed only as necessary to achieve educational purposes in accordance with State and Federal Law. A student's personally identifiable information cannot be sold or released for any marketing or commercial purposes by the School or any third party contractor. The School will not sell student personally identifiable information and will not release it for marketing or commercial purposes, other than directory information released by the School in accordance with School policy. Parents have the right to inspect and review the complete contents of their child's education record, including portions of the record that are stored electronically, even when the record is maintained by a third-party contractor. State and federal laws, such as NYS Education Law §2-d and the Family Educational Rights and Privacy Act, protect the confidentiality of students’ personally identifiable information. Safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls, and password protection, must be in place when data is stored or transferred. A complete list of all student data elements collected by the State Education Department is available for public review at xxxx://xxxxx.xxx.xxxx-xxxxxxx-xxxxxxxx or by writing to: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, XX 00000 Parents have the right to have complaints about possible breaches and unauthorized disclosures of student data addressed. Complaints should be directed to the Data Protection Officer at xxxxxxxxxxx@xxxxxxxxxxxxxxx.xxx, by phone at 000-000-0000, or by mail to 000 Xxxxxx X, Xxxxxxxx, XX 00000. Complaints can also be directed to the New York State Education Department online at xxxx://xxxxx.xxx.xxxx-xxxxxxx-xxxxxxxx, by mail to the Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, XX 00000 or by email to xxxxxxx@xxxx.xxxxx.xxx or by telephone at 0000-000-0000. Parents have the right to be notified in accordance to applicable laws and regulations if a breach or unauthorized release of their student’s PII occurs. Parents can expect that all School employees who handle PII will receive annual training on applicable federal and state laws, regulations, the School’s policies and safeguards which will be in alignment with industry standards and best practices to protect PII. In the event that the School engages a third-party provider to deliver student educational services, the contractor or subcontractors will be obligated to adhere to State and Federal Laws to safeguard student PII. Parents can request information about third party contractors by contacting Data Protection Officer at xxxxxxxxxxx@xxxxxxxxxxxxxxx.xxx, by phone at 000-000-0000, or by mail to 000 Xxxxxx X, Xxxxxxxx, XX 00000 or can access the information on the School’s website. District has entered into a Master Agreement with Nearpod, which governs the availability to the District of the following products or services (check as applicable): X Nearpod ⃞ Flocabulary Pursuant to the Master Agreement (which includes a Data Sharing and Confidentiality Agreement), the District may provide to Vendor, and Vendor will receive, personally identifiable information about students that is protected by Section 2-d of the New York Education Law (“Protected Data”).

Additional Statutory and Regulatory Obligations. Vendor Seesaw acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the School or District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor Seesaw in fulfilling one or more of its obligations to the School or District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor Seesaw using the information to carry out VendorSeesaw’s obligations to the School or District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: : (i) the parent or eligible student has provided prior written consent; or or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the School or District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use Use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the School or District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the School or District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor Seesaw or its assignees or subcontractors in violation of applicable state or federal law, the School or District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the School or District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the School or District for the full cost of notification, in the event the School or District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor Seesaw or its subcontractors or assignees. Xxxxxx and this New York School or District are committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the School or District informs the school community of the following: Parents and eligible students can expect the following: 1. A student's personally identifiable (PII) information cannot be sold or released for any commercial purposes. 2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. 3. State and federal laws, such as NYS Education Law § 2-d and the Family Educational Rights and Privacy Act, that protect the confidentiality of personally identifiable information PII, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4. A complete list of all student data elements collected by NYSED is available for public review at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, and by writing to the Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5. The right to have complaints about possible breaches and unauthorized disclosures of student data addressed. Contact at School or District: by email: , or by phone: . Complaints should be submitted in writing via email. Complaints may also be submitted to NYSED online xxxxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, by mail to: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000, by email xxxxxxxxx@xxxxx.xxx, or by telephone at 000-000-0000. 6. To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of their student’s PII occurs.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Subscription Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Subscription Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Subscription Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Subscription Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. **Please see attached Privacy Policy and Technology Safeguards from Vendor for a comprehensive view of our practices. The Xxxxx-Fultonville School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1) A student's personally identifiable information cannot be sold or released for any commercial purposes. 2) Parents have the right to inspect and review the complete contents of their child's education record. 3) State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4) A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5) Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/form/report-improper-disclos ure. Xxxxxx Xxxxxxxx VP, Operations 9/1/22 Supplemental Information about a Subscription Agreement between [Xxxxx-Fultonville Central School District] and [Xxxxx-Xxxxxx] [Xxxxx-Fultonville Central School District] has entered into a Subscription Agreement with [Xxxxx-Xxxxxx], which governs the availability to the District of the following products or services: [The Superkids Reading Program and all associated online resources] Pursuant to the Subscription Agreement (which includes a Data Sharing and Confidentiality Agreement), the District may provide to Vendor, and Vendor will receive, personally identifiable information about students and/or teachers and principals that is protected by Section 2-d of the New York Education Law (“Protected Data”).

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. _Da_n_ie_l_Le_v_in Name (Print) _P_r_e_s_i_d_e_n_t Title _7_/9_/_2_0_2_0 Date Xxxxxx Central School District has entered into a Master Agreement with EDUCAIDE SOFTWARE which governs the availability to the District of the following products or services: Pursuant to the Master Agreement (which includes a Data Sharing and Confidentiality Agreement), the District may provide to Vendor, and Vendor will receive, personally identifiable information about students and/or teachers and principals that is protected by Section 2-d of the New York Education Law (“Protected Data”). purpose for which Vendor is receiving Protected Data from the District is to provide the District with the functionality of the products or services listed above. Vendor will not use the Protected Data for any other purposes not explicitly authorized above or within the Master Agreement.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit Supplement is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (ih) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this ExhibitSupplement. (ji) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (kj) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. In witness whereof, this Supplement is entered into by the Parties as of the date last signed by the parties below. Nearpod Inc. By: Name: Xxxx Xxxxxxx Title: Chief Executive Officer Date: 9/10/2021 District: Valley Stream District 30 By: Name: Xxxxxxxxxxx Xxxxxxx Title: Director of Technology Date: Sept. 2, 2021 000 Xxxxx Xxxxxxx Xxxxxx Valley Stream, NY 11580 xxx.xxxxxxxxxxxx00.xxx Pursuant to New York State Education Law §2-d, parents, legal guardians and persons in parental relation to a student are entitled to certain rights with regard to their child’s personally identifiable information, as defined by Education Law §2-d. This document contains a plain-English summary of such rights. 1. A student’s personally identifiable information cannot be sold or released for any commercial purposes. 2. Parents have the right to inspect and review the complete contents of their child’s educational records maintained by the Valley Stream Union Free School District Thirty. 3. State and Federal Laws protect the confidentiality of personally identifiable student information, and safeguards associated with industry standards and best practices, including, but not limited to, encryption, firewalls, and password protection must be in place when data is stored or transferred. 4. A complete list of all student data elements collected by New York State is available for review at the following website: xxxx://xxx.x00.xxxxx.xxx/irs/sirs The list may also be made available by writing to: Office of Information & Reporting Services New York State Education Department Room 863 EBA, 00 Xxxxxxxxxx Xxxxxx Albany, NY 12234 5. Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed to: Valley Stream UFSD 30 Attn: Data Protection Officer 000 Xxxxxxxxxx Xxx Valley Stream, New York 11580 xxxxxxxx@xx00.xxx 000-000-0000 OR Chief Privacy Officer New York State Education Department 00 Xxxxxxxxxx Xxxxxx Albany, NY 12234 Email: XXX@xxxx.xxxxx.xxx 6. Each contract with a third-party contractor which will receive student data, or teacher or principal data will include information addressing the following: a. The exclusive purposes for which the student data or teacher or principal data will be used. b. How the third-party contractor will ensure that the subcontractors, persons or entities that the third-party contractor will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements. c. When the agreement expires and what happens to the student data or teacher and principal data upon expiration of the agreement. d. If and how a parent, student, a student over eighteen years of age, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected; and e. Where the student data or teacher or principal data will be stored, and the security protections taken to ensure such data will be protected, including whether such data will be encrypted.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family 1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with third-party contractors this list of obligations that are imposed on third-party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts. Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.. PARENTS BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY Pursuant to Section 2-c and 2-d of the Education Law, parents and students are entitled to certain protections regarding confidential student information. The Xxxxxx/Northern Westchester X.X.X.X.X.xx committed to safeguarding personally identifiable information from unauthorized access or disclosure as set forth below: 1. A student's personally identifiable information cannot be sold or released for any commercial purposes; 2. Parents have the right to inspect and review the complete contents of their child's education record; 3. The B.O.C.E.S. is committed to implementing safeguards associated with industry standards and best practices under state and federal laws protecting the confidentiality of personally identifiable information, including but not limited to, encryption, firewalls, and password protection when data is stored or transferred; 4. A complete list of all student data elements collected by the State is available for public review at xxxx://xxx.x00.xxxxx.xxx/irs/vendors/templates.html or by writing to the NYS Education Department, Information & Reporting Services, Room 863 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, XX 00000;

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement and this Data Sharing and Confidentiality Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-55 and/or which aligns with the NIST Cybersecurity Framework. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacyprivacy terms set forth in this Data Sharing and Confidentiality Agreement, and Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To the extent legally permissible, to cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notificationnotification that the District is legally required to incur, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.assignees provided that such breach or unauthorized release was caused by Vendor’s breach of its obligations in this Data Sharing and Confidentiality Agreement. Contractor will use Protected Data to provide the following products and services (please check all that apply):

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. Xxxxxx Central School District has entered into a Master Agreement with ExamGen, Inc., which governs the availability to the District of the following products or services: Pursuant to the Master Agreement (which includes a Data Sharing and Confidentiality Agreement), the District may provide to Vendor, and Vendor will receive, personally identifiable information about students and/or teachers and principals that is protected by Section 2-d of the New York Education Law (“Protected Data”). purpose for which Vendor is receiving Protected Data from the District is to provide the District with the functionality of the products or services listed above. Vendor will not use the Protected Data for any other purposes not explicitly authorized above or within the Master Agreement.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. 1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with third-party contractors this list of obligations that are imposed on third-party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Panama Central School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1) A student's personally identifiable information cannot be sold or released for any commercial purposes. 2) Parents have the right to inspect and review the complete contents of their child's education record. 3) State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4) A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5) Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/form/report-improper- disclosure.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (iii) Vendor may use de-identified information (which refers to personally identifiable information that has been removed or obscured from student records in a way that minimizes the risk of disclosure of the identity of the individual and information about them) for evaluation, research and development of educational products and services. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Frameworkindustry standards. (g) To comply with the District’s policy on data security and privacy, attached to this Master Agreement, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any confirmed data breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacyprivacy which are attached to this Master Agreement, or other binding obligations relating to data privacy and security contained in the Master Agreement and this ExhibitAgreement. (j) To reasonably cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor Vendor’s or its subcontractors subcontractors’s or assignees’s negligence or omission.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family 1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with third-party contractors this list of obligations that are imposed on third-party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts. Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.. PARENTS BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY Pursuant to Section 2-c and 2-d of the Education Law, parents and students are entitled to certain protections regarding confidential student information. The Xxxxxx/Northern Westchester X.X.X.X.X.xx committed to safeguarding personally identifiable information from unauthorized access or disclosure as set forth below: 1. A student's personally identifiable information cannot be sold or released for any commercial purposes; 2. Parents have the right to inspect and review the complete contents of their child's education record; 3. The B.O.C.E.S. is committed to implementing safeguards associated with industry standards and best practices under state and federal laws protecting the confidentiality of personally identifiable information, including but not limited to, encryption, firewalls, and password protection when data is stored or transferred; 4. A complete list of all student data elements collected by the State is available for public review at xxxx://xxx.x00.xxxxx.xxx/irs/vendors/templates.html or by writing to the NYS Education Department, Information & Reporting Services, Room 000 XXX, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, XX 00000;

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. EXHIBIT [A] (CONTINUED) The Pleasantville Union Free School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1) A student's personally identifiable information cannot be sold or released for any commercial purposes. 2) Parents have the right to inspect and review the complete contents of their child's education record. 3) State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4) A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data- privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5) Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/form/report- improper-disclosure.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Privacy Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Privacy Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 6 of this Data Sharing and Confidentiality Privacy Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. This includes, for any breach that is attributable to Vendor, Vendor paying for or promptly reimbursing the District for the full cost of the district’s notification to Parents, Eligible Students, teachers, and/or principals, in accordance with Education Law Section 2-d and 8 NYCRR Part 121. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. Any costs incidental to the required cooperation or participation of Vendor or its Authorized Users, as related to such investigations, will be the sole responsibility of Vendor if such Breach is attributable to Vendor or its subcontractors. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. Liberty Source, LP Signature 09/28/2022 Title Date Xxxxxx Central School District has entered into a Master Agreement with Liberty Source LP, which governs the availability to the District of the following products or services: The Pursuant to the Master Agreement (which includes a Data Sharing and Confidentiality Agreement), the District may provide to Vendor, and Vendor will receive, personally identifiable information about students and/or teachers and principals that is protected by Section 2-d of the New York Education Law (“Protected Data”). purpose for which Vendor is receiving Protected Data from the District is to provide the District with the functionality of the products or services listed above. Vendor will not use the Protected Data for any other purposes not explicitly authorized above or within the Master Agreement.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts. PARENTS XXXX OF RIGHTS FOR DATA PRIVACY AND SECURITY Pursuant to Section 2-c and 2-d of the Education Law, parents and students are entitled to certain protections regarding confidential student information. The Xxxxxx/Northern Westchester X.X.X.X.X.xx committed to safeguarding personally identifiable information from unauthorized access or disclosure as set forth below: 1. A student's personally identifiable information cannot be sold or released for any commercial purposes. 2. Parents have the right to inspect and review the complete contents of their child's education record. 3. The District is committed to implementing safeguards associated with industry standards and best practices under state and federal laws protecting the confidentiality of personally identifiable information, including but not limited to, encryption, firewalls, and password protection when data is stored or transferred. 4. A complete list of all student data elements collected by the State is available for public review at xxxx://xxx.xxxxx.xxx/data-privacy-security/student-data-inventory or by writing to the NYS Education Department, Information & Reporting Services, Room 000 XXX, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, XX 00000. 5. Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed to Data Privacy Officer, Xxxxx Xxxxxxx, xxxxxxxx@xxxxxxxxxxxxxxxxx.xxx, (914) 432- 8121, 00 Xxxxxx Xxxx, Briarcliff Manor, NY 10510. 6. The District has entered into contracts with certain third-party contractors (“TPC”) who have been sent personally identifiable student data as defined in 34 C.F.R. §99.3 and/or personally identifying teacher and/or principal data as defined by Education Law §3012-c(10). The following information about such contractors appears in such supplemental information to this document for each contract with a TPC, as required by law: ● The exclusive purposes for which the student or teacher or principal data will be used by the TPC, as defined in the contract; ● How the TPC will ensure that its subcontractors or other authorized individuals who will be in receipt of the data will abide by the applicable data privacy and security requirements of the federal and state laws and regulations (e.g., FERPA; Education Law §2-d); ● The duration of the contract that sets forth its expiration date and description of what will be done with the data upon the expiration of the contract (e.g. whether, when and in what format the data will be returned to the educational agency or destroyed); and ● If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the data that is collected.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Washington-Saratoga-Xxxxxx-Xxxxxxxx-Essex BOCES is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: Parents (including legal guardians or persons in parental relationships) and Eligible Students (students 18 years and older) can expect the following: 1. A student’s personally identifiable information (PII) cannot be sold or released for any commercial purpose. PII, as defined by Education Law § 2-d and FERPA, includes direct identifiers such as a student’s name or identification number, parent’s name, or address; and indirect identifiers such as a student’s date of birth, which when linked to or combined with other information can be used to distinguish or trace a student’s identity. Please see FERPA’s regulations at 34 CFR 99.3 for a more complete definition. 2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. This right may not apply to parents of an Eligible Student. 3. State and federal laws such as Education Law § 2-d; the Commissioner of Education’s Regulations at 8 NYCRR Part 121, the Family Educational Rights and Privacy Act ("FERPA") at 12 U.S.C. 1232g (34 CFR Part 99); Children's Online Privacy Protection Act ("COPPA") at 15 U.S.C. 6501-6502 (16 CFR Part 312); Protection of Pupil Rights Amendment ("PPRA") at 20 U.S.C. 1232h (34 CFR Part 98); the Individuals with Disabilities Education Act (“IDEA”) at 20 U.S.C. 1400 et seq. (34 CFR Part 300); protect the confidentiality of a student’s identifiable information. 4. Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred. 5. A complete list of all student data elements collected by NYSED is available for public review at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, and by writing to the Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 6. The right to have complaints about possible breaches and unauthorized disclosures of student data addressed. ○ Contact WSWHE BOCES Data Protection Officer: Xxxxxx Xxxxxxxxx-Xxxxxx, Director for Data Privacy & Professional Learning, by email: xxxxxxxxxx-xxxxxx@xxxxxxxxxx.xxx, or by phone: 000-000-0000. Complaints should be submitted in writing using the form that is available on the BOCES website and in the BOCES offices. ○ Complaints may also be submitted to NYSED online at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, by mail to: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000, by email to xxxxxxx@xxxxx.xxx, or by telephone at 000-000-0000. 7. To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of their student’s PII occurs. 8. Educational agency workers that handle PII will receive training on applicable state and federal laws, the educational agency’s policies, and safeguards associated with industry standards and best practices that protect PII. 9. Educational agency contracts with vendors that receive PII will address statutory and regulatory data privacy and security requirements. F Washington-Saratoga-Xxxxxx-Xxxxxxxx-Essex BOCES and its subscribed school districts (see Exhibit B) has entered into a Master Agreement with Fanschool Inc , which governs the availability to the District of the following products or services: Pursuant to the Master Agreement (which includes a Data Sharing and Confidentiality Agreement), the District may provide to Vendor, and Vendor will receive, personally identifiable information about students and/or teachers and principals that is protected by Section 2-d of the New York Education Law (“Protected Data”).

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. Name (Print) Xxxxxx Central School District has entered into a Master Agreement with PlanbookEdu LLC, which governs the availability to the District of the following products or services: Pursuant to the Master Agreement (which includes a Data Sharing and Confidentiality Agreement), the District may provide to Vendor, and Vendor will receive, personally identifiable information about students and/or teachers and principals that is protected by Section 2-d of the New York Education Law (“Protected Data”). purpose for which Vendor is receiving Protected Data from the District is to provide the District with the functionality of the products or services listed above. Vendor will not use the Protected Data for any other purposes not explicitly authorized above or within the Master Agreement.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Washington-Saratoga-Xxxxxx-Xxxxxxxx-Essex BOCES is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: Parents and eligible students1 can expect the following: 1. A student's personally identifiable (PII)2 information cannot be sold or released for any commercial purposes. 2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. 3. State and federal laws,3 such as NYS Education Law §2-d and the Family Educational Rights and Privacy Act, that protect the confidentiality of personally identifiable information PII, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4. A complete list of all student data elements collected by NYSED is available for public review at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, and by writing to the Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5. The right to have complaints about possible breaches and unauthorized disclosures of student data addressed. ○ Contact WSWHE BOCES Data Protection Officer: Xx. Xxxxxx Xxxxxx, Executive Director of Student Support Services by email: xxxxxxxx@xxxxxxxxxx.xxx, or by phone: 518-581- 3717. Complaints should be submitted in writing using the district form that is available on the BOCES website and in the BOCES offices. ○ Complaints may also be submitted to NYSED online at xxx.xxxxx.xxx/xxxx-xxxxxxx- security, by mail to: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000, by email to xxxxxxx@xxxxx.xxx, or by telephone at 000-000-0000.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Washington-Saratoga-Xxxxxx-Xxxxxxxx-Essex BOCES is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: Parents (including legal guardians or persons in parental relationships) and Eligible Students (students 18 years and older) can expect the following: 1. A student’s personally identifiable information (PII) cannot be sold or released for any commercial purpose. PII, as defined by Education Law § 2-d and FERPA, includes direct identifiers such as a student’s name or identification number, parent’s name, or address; and indirect identifiers such as a student’s date of birth, which when linked to or combined with other information can be used to distinguish or trace a student’s identity. Please see FERPA’s regulations at 34 CFR 99.3 for a more complete definition. 2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. This right may not apply to parents of an Eligible Student. 3. State and federal laws such as Education Law § 2-d; the Commissioner of Education’s Regulations at 8 NYCRR Part 121, the Family Educational Rights and Privacy Act ("FERPA") at 12 U.S.C. 1232g (34 CFR Part 99); Children's Online Privacy Protection Act ("COPPA") at 15 U.S.C. 6501-6502 (16 CFR Part 312); Protection of Pupil Rights Amendment ("PPRA") at 20 U.S.C. 1232h (34 CFR Part 98); the Individuals with Disabilities Education Act (“IDEA”) at 20 U.S.C. 1400 et seq. (34 CFR Part 300); protect the confidentiality of a student’s identifiable information. 4. Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred. 5. A complete list of all student data elements collected by NYSED is available for public review at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, and by writing to the Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 6. The right to have complaints about possible breaches and unauthorized disclosures of student data addressed. ○ Contact WSWHE BOCES Data Protection Officer: Xx. Xxxxxxx Xxxxxxxxx-Rumley, Director for Data Privacy & Professional Learning, by email: xxxxxxxxxx-xxxxxx@xxxxxxxxxx.xxx, or by phone: 000-000-0000. Complaints should be submitted in writing using the form that is available on the BOCES website and in the BOCES offices. ○ Complaints may also be submitted to NYSED online at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, by mail to: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000, by email to xxxxxxx@xxxxx.xxx, or by telephone at 000-000-0000.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosuresoon as reasonably possible, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Cyber security Framework. (g) To comply with the District’s policy on data security and privacyNew York Education Law, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The District, in compliance with Education Law §2-d, provides the following: As used in this policy, the following terms are defined: Student Data means personally identifiable information from the student records of a District student.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Washington-Saratoga-Xxxxxx-Xxxxxxxx-Essex BOCES is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: Parents (including legal guardians or persons in parental relationships) and Eligible Students (students 18 years and older) can expect the following: 1. A student’s personally identifiable information (PII) cannot be sold or released for any commercial purpose. PII, as defined by Education Law § 2-d and FERPA, includes direct identifiers such as a student’s name or identification number, parent’s name, or address; and indirect identifiers such as a student’s date of birth, which when linked to or combined with other information can be used to distinguish or trace a student’s identity. Please see FERPA’s regulations at 34 CFR 99.3 for a more complete definition. 2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. This right may not apply to parents of an Eligible Student. 3. State and federal laws such as Education Law § 2-d; the Commissioner of Education’s Regulations at 8 NYCRR Part 121, the Family Educational Rights and Privacy Act ("FERPA") at 12 U.S.C. 1232g (34 CFR Part 99); Children's Online Privacy Protection Act ("COPPA") at 15 U.S.C. 6501-6502 (16 CFR Part 312); Protection of Pupil Rights Amendment ("PPRA") at 20 U.S.C. 1232h (34 CFR Part 98); the Individuals with Disabilities Education Act (“IDEA”) at 20 U.S.C. 1400 et seq. (34 CFR Part 300); protect the confidentiality of a student’s identifiable information. 4. Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred. 5. A complete list of all student data elements collected by NYSED is available for public review at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, and by writing to the Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 6. The right to have complaints about possible breaches and unauthorized disclosures of student data addressed. ○ Contact WSWHE BOCES Data Protection Officer: Xxxxxxx Xxxxxxxxx-Xxxxxx, Director for Data Privacy & Professional Learning, by email: xxxxxxxxxx-xxxxxx@xxxxxxxxxx.xxx, or by phone: 518-581- 3518. Complaints should be submitted in writing using the form that is available on the BOCES website and in the BOCES offices. ○ Complaints may also be submitted to NYSED online at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, by mail to: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000, by email to xxxxxxx@xxxxx.xxx, or by telephone at 000-000-0000. 7. To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of their student’s PII occurs. 8. Educational agency workers that handle PII will receive training on applicable state and federal laws, the educational agency’s policies, and safeguards associated with industry standards and best practices that protect PII. 9. Educational agency contracts with vendors that receive PII will address statutory and regulatory data privacy and security requirements. COO 04 / 11 / 2023 Washington-Saratoga-Xxxxxx-Xxxxxxxx-Essex BOCES and its subscribed school districts (see Exhibit B) has entered into a Master Agreement with Breakout, Inc., dba Breakout EDU, which governs the availability to the District of the following products or services: Pursuant to the Master Agreement (which includes a Data Sharing and Confidentiality Agreement), the District may provide to Vendor, and Vendor will receive, personally identifiable information about students and/or teachers and principals that is protected by Section 2-d of the New York Education Law (“Protected Data”).

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided promptly to the District no later than the time of disclosureDistrict, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-2- d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so, provided, however, the parties recognize that the use of de-identified data, which contains no personally identifiable information, is needed by the Vendor to provide, evaluate, maintain and improve its services and products. The provisions of this Data Sharing and Confidentiality Agreement shall not be construed to restrict Vendor from maintaining or using de-identified data (including de-identified aggregated data). (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost reasonable costs of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assigneesVendor.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors or permitted assignees that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master AgreementAgreement and this Exhibit. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacyprivacy terms herein, Section 2-2- d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacyprivacy terms herein, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To the extent legally permissible, to cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notificationnotification that the District is legally required to incur, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assigneesassignees and to the extent that the breach or unauthorized release was caused by Vendor’s breach of its obligations in this Exhibit.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. Notwithstanding anything in this Data Sharing and Confidentiality Agreement to the contrary, de-identified information may be used by the Provider for the purposes of development, research, and improvement of educational sites, services, or applications, as any other member of the public or party would be able to use de-identified data pursuant to 34 CFR 99.31(b). EXHIBIT [ A ](CONTINUED) The Lowville Academy and Central School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1. A student’s personally identifiable information cannot be sold or released for any commercialpurposes. 2. Parents have the right to inspect and review the complete contents of their child’s education record. 3. State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4. A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5. Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data- privacy/form/report-improper-discosure.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full actual cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.. EXHIBIT A (CONTINUED)

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit Supplement is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (ih) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this ExhibitSupplement. (ji) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (kj) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The District, in compliance with Education Law §2-d, provides the following: As used in this policy, the following terms are defined: Student Data means personally identifiable information from the student records of a District student.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. EXHIBIT [A] (CONTINUED) The Pleasantville Union Free School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1) A student's personally identifiable information cannot be sold or released for any commercial purposes. 2) Parents have the right to inspect and review the complete contents of their child's education record. 3) State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4) A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5) Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/form/report- improper-disclosure.

Additional Statutory and Regulatory Obligations. Vendor Quizizz acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the School or District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement MasterAgreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor Xxxxxxx in fulfilling one or more of its obligations to the School or District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor Quizizz using the information to carry out VendorQuizizz’s obligations to the School or District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: : (i) the parent or eligible student has provided prior written consent; or or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the School or District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use Use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the School or District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the School or District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor Quizizz or its assignees or subcontractors in violation of applicable state or federal law, the School or District’s Bill of Rights for Data Security and Privacy, the School or District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the School or District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the School or District for the full cost of notification, in the event the School or District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor Quizizz or its subcontractors or assignees. Quizizz and this New York School or School or District are committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the School or District informs the school community of the following: Parents and eligible students can expect the following: 1. A student's personally identifiable (PII) information cannot be sold or released for any commercial purposes. 2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. 3. State and federal laws, such as NYS Education Law §2-d and the Family Educational Rights and Privacy Act, that protect the confidentiality of personally identifiable information PII, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4. A complete list of all student data elements collected by NYSED is available for public review at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, and by writing to the Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5. The right to have complaints about possible breaches and unauthorized disclosures of student data addressed. Contact at School or District: Xxxxxx Xxxxxxx by email: xxxxxxxxxxx@xxxxxxxxx.xxx , or by phone: 000-000-0000 . Complaints should be submitted in writing via email. Complaints may also be submitted to NYSED online xxxxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, by mail to: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000, by email to xxxxxxx@xxxxx.xxx, or by telephone at 000-000-0000. 6. To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of their student’s PII occurs.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, disclosure unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost all reasonable costs incurred by the District of notification, in the event notifications the District is required to make under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The District shall consult with Vendor prior to providing the required notification, so long as it such consultation does not unreasonably delay the required notification. EXHIBIT [A] The Pleasantville Union Free School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1) A student's personally identifiable information cannot be sold or released for any commercial purposes. 2) Parents have the right to inspect and review the complete contents of their child's education record. 3) State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4) A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data- privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5) Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/form/report-improper-disclosure.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under 1 1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with respect third- party contractors this list of obligations that are imposed on third-party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to any Protected Data received from the District, and that any failure to fulfill one or more of include these statutory or and regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:within their third-party contracts. (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacyprivacy as provided to Vendor, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of as required by applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and law this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Xxxxxxxx Central School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1. A student's personally identifiable information cannot be sold or released for any commercial purposes. 2. Parents have the right to inspect and review the complete contents of their child's education record. 3. State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4. A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 000 XXX, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5. Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/form/report-improper-disclosure.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. Bloomfield Central School District has entered into a Master Agreement with Tools for Schools which governs the availability to the District of the following products or services: Student and Teacher Book Creator, Tools for Schools Accounts Pursuant to the Master Agreement (which includes a Data Sharing and Confidentiality Agreement), the District may provide to Vendor, and Vendor will receive, personally identifiable information about students and/or teachers and principals that is protected by Section 2-d of the New York Education Law (“Protected Data”).

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. Without prejudice to the foregoing, users with teacher accounts may receive marketing communications if express consent has been given in that sense. Such communications may be enabled or disabled at any time through the teacher’s account settings page. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.

Additional Statutory and Regulatory Obligations. Vendor Seesaw acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the School or District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor Seesaw in fulfilling one or more of its obligations to the School or District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor Seesaw using the information to carry out VendorSeesaw’s obligations to the School or District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: : (i) the parent or eligible student has provided prior written consent; or or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the School or District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use Use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the School or District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the School or District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor Seesaw or its assignees or subcontractors in violation of applicable state or federal law, the School or District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the School or District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the School or District for the full cost of notification, in the event the School or District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor Seesaw or its subcontractors or assignees. Seesaw and this New York School or District are committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the School or District informs the school community of the following: Parents and eligible students can expect the following: 1. A student's personally identifiable (PII) information cannot be sold or released for any commercial purposes. 2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. 3. State and federal laws, such as NYS Education Law § 2-d and the Family Educational Rights and Privacy Act, that protect the confidentiality of personally identifiable information PII, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4. A complete list of all student data elements collected by NYSED is available for public review at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, and by writing to the Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5. The right to have complaints about possible breaches and unauthorized disclosures of student data addressed. Contact at School or District: Xxxx Xxxxx, Data Privacy Officer by email: xxx@xxxxxxxxxxx.xxx , or by phone: 000-000-0000 . Complaints should be submitted in writing via email. Complaints may also be submitted to NYSED online xxxxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, by mail to: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000, by email xxxxxxxxx@xxxxx.xxx, or by telephone at 000-000-0000. 6. To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of their student’s PII occurs.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Washington-Saratoga-Xxxxxx-Xxxxxxxx-Essex BOCES is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: Parents (including legal guardians or persons in parental relationships) and Eligible Students (students 18 years and older) can expect the following: 1. A student’s personally identifiable information (PII) cannot be sold or released for any commercial purpose. PII, as defined by Education Law § 2-d and FERPA, includes direct identifiers such as a student’s name or identification number, parent’s name, or address; and indirect identifiers such as a student’s date of birth, which when linked to or combined with other information can be used to distinguish or trace a student’s identity. Please see FERPA’s regulations at 34 CFR 99.3 for a more complete definition. 2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. This right may not apply to parents of an Eligible Student. 3. State and federal laws such as Education Law § 2-d; the Commissioner of Education’s Regulations at 8 NYCRR Part 121, the Family Educational Rights and Privacy Act ("FERPA") at 12 U.S.C. 1232g (34 CFR Part 99); Children's Online Privacy Protection Act ("COPPA") at 15 U.S.C. 6501-6502 (16 CFR Part 312); Protection of Pupil Rights Amendment ("PPRA") at 20 U.S.C. 1232h (34 CFR Part 98); the Individuals with Disabilities Education Act (“IDEA”) at 20 U.S.C. 1400 et seq. (34 CFR Part 300); protect the confidentiality of a student’s identifiable information. 4. Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred. 5. A complete list of all student data elements collected by NYSED is available for public review at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, and by writing to the Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 6. The right to have complaints about possible breaches and unauthorized disclosures of student data addressed. ○ Contact WSWHE BOCES Data Protection Officer: Xxxxxx Xxxxxxxxx-Xxxxxx, Director for Data Privacy & Professional Learning, by email: xxxxxxxxxx-xxxxxx@xxxxxxxxxx.xxx, or by phone: 000- 0000000. Complaints should be submitted in writing using the form that is available on the BOCES website and in the BOCES offices. ○ Complaints may also be submitted to NYSED online at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, by mail to: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000, by email to xxxxxxx@xxxxx.xxx, or by telephone at 000-000-0000.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. Exhibit [ A ] (continued) The Lowville Academy and Central School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1. A student’s personally identifiable information cannot be sold or released for any commercial purposes. 2. Parents have the right to inspect and review the complete contents of their child’s education record. 3. State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4. A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5. Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data- privacy/form/report-improper-discosure.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. Xxxxx Xxxxx Xxxxxx Central School District has entered into a Master Agreement with Class Solver LLC, which governs the availability to the District of the following products or services: Pursuant to the Master Agreement (which includes a Data Sharing and Confidentiality Agreement), the District may provide to Vendor, and Vendor will receive, personally identifiable information about students and/or teachers and principals that is protected by Section 2-d of the New York Education Law (“Protected Data”). purpose for which Vendor is receiving Protected Data from the District is to provide the District with the functionality of the products or services listed above. Vendor will not use the Protected Data for any other purposes not explicitly authorized above or within the Master Agreement.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement subscription agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreementsubscription agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement subscription agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreementsubscription agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement subscription agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Schodack Central School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1) A student's personally identifiable information cannot be sold or released for any commercial purposes. 2) Parents have the right to inspect and review the complete contents of their child's education record. 3) State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4) A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5) Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/form/report-improper-disclosure. 6) The Data Protection Officer for the District is Xxx Xxx, Schodack CSD, 0000 Xxxxx Xxxxxxxx Xx, Xxxxxxxxx, XX 00000; xxxx@xxxxxxxxxxx.xxx Founder & Exec. Chairman Schodack Central School District has entered into a subscription agreement with LinkIt, which governs the availability to the District of the following products or services: Pursuant to the subscription agreement (which includes a Data Sharing and Confidentiality Agreement), the District may provide to Vendor, and Vendor will receive, personally identifiable information about students and/or teachers and principals that is protected by Section 2-d of the New York Education Law (“Protected Data”).

Additional Statutory and Regulatory Obligations. To the extent applicable to provide Cloud Services, Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and standard industry practices that align with such as the NIST Cybersecurity FrameworkFramework or similar standards. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Washington-Saratoga-Xxxxxx-Xxxxxxxx-Essex BOCES is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: Parents (including legal guardians or persons in parental relationships) and Eligible Students (students 18 years and older) can expect the following: 1. A student’s personally identifiable information (PII) cannot be sold or released for any commercial purpose. PII, as defined by Education Law § 2-d and FERPA, includes direct identifiers such as a student’s name or identification number, parent’s name, or address; and indirect identifiers such as a student’s date of birth, which when linked to or combined with other information can be used to distinguish or trace a student’s identity. Please see FERPA’s regulations at 34 CFR 99.3 for a more complete definition. 2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. This right may not apply to parents of an Eligible Student. 3. State and federal laws such as Education Law § 2-d; the Commissioner of Education’s Regulations at 8 NYCRR Part 121, the Family Educational Rights and Privacy Act ("FERPA") at 12 U.S.C. 1232g (34 CFR Part 99); Children's Online Privacy Protection Act ("COPPA") at 15 U.S.C. 6501-6502 (16 CFR Part 312); Protection of Pupil Rights Amendment ("PPRA") at 20 U.S.C. 1232h (34 CFR Part 98); the Individuals with Disabilities Education Act (“IDEA”) at 20 U.S.C. 1400 et seq. (34 CFR Part 300); protect the confidentiality of a student’s identifiable information. 4. Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred. 5. A complete list of all student data elements collected by NYSED is available for public review at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, and by writing to the Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 6. The right to have complaints about possible breaches and unauthorized disclosures of student data addressed. ○ Contact WSWHE BOCES Data Protection Officer: Xxxxxxx Xxxxxxxxx-Xxxxxx, Director for Data Privacy & Professional Learning, by email: xxxxxxxxxx-xxxxxx@xxxxxxxxxx.xxx, or by phone: 518-581- 3518. Complaints should be submitted in writing using the form that is available on the BOCES website and in the BOCES offices. ○ Complaints may also be submitted to NYSED online at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, by mail to: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000, by email to xxxxxxx@xxxxx.xxx, or by telephone at 000-000-0000.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology TLS L1.2 or methodology specified by higher for data transmitted between the Secretary of District and Vendor and the U.S. Department of Health product over public networks; and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5AES 256 or stronger for data stored on Vendor’s servers. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Frameworkrequirements of ISO 27001. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full reasonable cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees’ violation of applicable privacy laws.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. Xxxxxx Xxxxxxxx Supplemental Information about a Master Agreement between Xxxxxx Central School District and 3P Learning Xxxxxx Central School District has entered into a Master Agreement with 3P Learning, which governs the availability to the District of the following products or services: Math Seeds Reading Eggs Pursuant to the Master Agreement (which includes a Data Sharing and Confidentiality Agreement), the District may provide to Vendor, and Vendor will receive, personally identifiable information about students and/or teachers and principals that is protected by Section 2-d of the New York Education Law (“Protected Data”). purpose for which Vendor is receiving Protected Data from the District is to provide the District with the functionality of the products or services listed above. Vendor will not use the Protected Data for any other purposes not explicitly authorized above or within the Master Agreement.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacyprivacy as provided to Vendor, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of as required by applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacyprivacy (as notified in writing to Vendor prior to the date hereof), or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. 1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with third-party contractors this list of obligations that are imposed on third-party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts. PARENTS BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY Pursuant to Section 2-c and 2-d of the Education Law, parents and students are entitled to certain protections regarding confidential student information. The Briarcliff Manor XXXX.xx committed to safeguarding personally identifiable information from unauthorized access or disclosure as set forth below: 1. A student's personally identifiable information cannot be sold or released for any commercial purposes. 2. Parents have the right to inspect and review the complete contents of their child's education record. 3. The District is committed to implementing safeguards associated with industry standards and best practices under state and federal laws protecting the confidentiality of personally identifiable information, including but not limited to, encryption, firewalls, and password protection when data is stored or transferred. 4. A complete list of all student data elements collected by the State is available for public review at xxxx://xxx.xxxxx.xxx/data-privacy-security/student-data-inventory or by writing to the NYS Education Department, Information & Reporting Services, Room 863 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, XX 00000. 5. Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed to Data Privacy Officer, Xxxxx Xxxxxxx, xxxxxxxx@xxxxxxxxxxxxxxxxx.xxx, (914) 432- 8121, 00 Xxxxxx Xxxx, Briarcliff Manor, NY 10510. 6. The District has entered into contracts with certain third-party contractors (“TPC”) who have been sent personally identifiable student data as defined in 34 C.F.R. §99.3 and/or personally identifying teacher and/or principal data as defined by Education Law §3012-c(10). The following information about such contractors appears in such supplemental information to this document for each contract with a TPC, as required by law: ● The exclusive purposes for which the student or teacher or principal data will be used by the TPC, as defined in the contract; ● How the TPC will ensure that its subcontractors or other authorized individuals who will be in receipt of the data will abide by the applicable data privacy and security requirements of the federal and state laws and regulations (e.g., FERPA; Education Law §2-d); ● The duration of the contract that sets forth its expiration date and description of what will be done with the data upon the expiration of the contract (e.g. whether, when and in what format the data will be returned to the educational agency or destroyed); and ● If and how a parent, eligible student, teacher or principal may challenge the accuracy of the data that is collected. 7. Educational agency workers that handle personally identifiable information will receive training on applicable state and federal laws, the educational agency’s policies, and safeguards associated with industry standards and best practices that protect such information. 8. Agreements with third-party contractors/consultants will ensure that the subcontractors, persons or entities that the third-party contractor will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements. 9. A parent, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected by filing a written request with the District Superintendent of Schools or his administrative designee, Xxxxx Xxxxxxx, Director of Technology, xxxxxxxx@xxxxxxxxxxxxxxxxx.xxx See Scholastic’s current list of digital education products at xxx.xxxxxxxxxx.xxx/xxxxxxxxxxxxx.xxx Pursuant to the Master Agreement (which includes a Data Sharing and Confidentiality Agreement), the District may provide to Vendor, and Vendor may receive, personally identifiable information about students and/or teachers and principals that is protected by Section 2-d of the New York Education Law (“Protected Data”).

Additional Statutory and Regulatory Obligations. Vendor Quizizz acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the School or District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement MasterAgreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor Xxxxxxx in fulfilling one or more of its obligations to the School or District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor Quizizz using the information to carry out VendorQuizizz’s obligations to the School or District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: : (i) the parent or eligible student has provided prior written consent; or or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the School or District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use Use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the School or District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the School or District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor Quizizz or its assignees or subcontractors in violation of applicable state or federal law, the School or District’s Bill of Rights for Data Security and Privacy, the School or District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the School or District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the School or District for the full cost of notification, in the event the School or District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor Quizizz or its subcontractors or assignees. Quizizz and this New York School or School or District are committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the School or District informs the school community of the following: Parents and eligible students can expect the following: 1. A student's personally identifiable (PII) information cannot be sold or released for any commercial purposes. 2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. 3. State and federal laws, such as NYS Education Law §2-d and the Family Educational Rights and Privacy Act, that protect the confidentiality of personally identifiable information PII, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4. A complete list of all student data elements collected by NYSED is available for public review at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, and by writing to the Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5. The right to have complaints about possible breaches and unauthorized disclosures of student data addressed. Contact at School or District: Xxxxx Xxxxxxx by email: xxxxxxxx@xxxxxxxxxxxxxxxxx.xxx , or by phone: (000) 000-0000 . Complaints should be submitted in writing via email. Complaints may also be submitted to NYSED online xxxxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, by mail to: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000, by email to xxxxxxx@xxxxx.xxx, or by telephone at 000-000-0000. 6. To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of their student’s PII occurs.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1 (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless:: 1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with third-party contractors this list of obligations that are imposed on third-party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts. (i) the parent or eligible student has provided prior written consent; or or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.. Grand Island Central School District has entered into a Master Agreement with

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.. EXHIBIT A (CONTINUED)

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Washington-Saratoga-Xxxxxx-Xxxxxxxx-Essex BOCES is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: Parents (including legal guardians or persons in parental relationships) and Eligible Students (students 18 years and older) can expect the following: 1. A student’s personally identifiable information (PII) cannot be sold or released for any commercial purpose. PII, as defined by Education Law § 2-d and FERPA, includes direct identifiers such as a student’s name or identification number, parent’s name, or address; and indirect identifiers such as a student’s date of birth, which when linked to or combined with other information can be used to distinguish or trace a student’s identity. Please see FERPA’s regulations at 34 CFR 99.3 for a more complete definition. 2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. This right may not apply to parents of an Eligible Student. 3. State and federal laws such as Education Law § 2-d; the Commissioner of Education’s Regulations at 8 NYCRR Part 121, the Family Educational Rights and Privacy Act ("FERPA") at 12 U.S.C. 1232g (34 CFR Part 99); Children's Online Privacy Protection Act ("COPPA") at 15 U.S.C. 6501-6502 (16 CFR Part 312); Protection of Pupil Rights Amendment ("PPRA") at 20 U.S.C. 1232h (34 CFR Part 98); the Individuals with Disabilities Education Act (“IDEA”) at 20 U.S.C. 1400 et seq. (34 CFR Part 300); protect the confidentiality of a student’s identifiable information. 4. Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred. 5. A complete list of all student data elements collected by NYSED is available for public review at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, and by writing to the Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 6. The right to have complaints about possible breaches and unauthorized disclosures of student data addressed. ○ Contact WSWHE BOCES Data Protection Officer: Xxxxxx Xxxxxxxxx-Xxxxxx, Director for Data Privacy & Professional Learning, by email: xxxxxxxxxx-xxxxxx@xxxxxxxxxx.xxx, or by phone: 000-000-0000. Complaints should be submitted in writing using the form that is available on the BOCES website and in the BOCES offices. ○ Complaints may also be submitted to NYSED online at xxx.xxxxx.xxx/xxxx-xxxxxxx-xxxxxxxx, by mail to: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000, by email to xxxxxxx@xxxxx.xxx, or by telephone at 000-000-0000.

Additional Statutory and Regulatory Obligations. Vendor Provider acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from under the DistrictAgreements, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a material breach of the Master Agreement and the terms of this Data Sharing and Confidentiality AgreementAgreements: (a) To limit Limit internal access to Protected Data and education records to only those individuals that are determined to have a legitimate educational interest within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA). (b) Limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they ) and need access in order to assist Vendor Provider in fulfilling one or more of its obligations to the District Client under the Master AgreementAgreements. (bc) To not use education records or Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and under the Master Agreement to which this Exhibit is attachedAgreements. (cd) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor Provider using the information to carry out Vendor’s Provider's obligations to the District Client and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute statute, or court order and notice of the disclosure is provided to the District Client no later than the time of disclosure, unless such notice notification is expressly prohibited by the statute or court order. (de) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (ef) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (fg) Where the student, teacher, or principal data will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including such data will be encrypted. (h) To adopt technologies, safeguards safeguards, and practices that align with the NIST Cybersecurity Framework. (gi) To comply with the District’s Client's policy on data security and privacy, Section 2-d and Part 121. (hj) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (ik) To notify the DistrictClient, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality AgreementExhibit, of any breach of security resulting in an unauthorized release of Protected Data by Vendor Provider or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Client's Xxxx of Rights for Data Security and Privacy, the District’s Client's policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this ExhibitAgreements. (jl) To cooperate with the District Client and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (km) To pay for or promptly reimburse the District Client for the full cost of notification, in the event the District Client is required under Section 2-d to notify affected parents, students, teachers teachers, or principals of a breach or unauthorized release of Protected Data attributed to Vendor Provider or its subcontractors or assignees. The Cheektowaga-Xxxxx Union Free School Client is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the Client informs the school community of the following: 1) A student's personally identifiable information cannot be sold or released for any commercial purposes. 2) Parents have the right to inspect and review the complete contents of their child's education records. 3) State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4) A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5) Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website

Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill Xxxx of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees. The Pleasantville Union Free School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 1) A student's personally identifiable information cannot be sold or released for any commercial purposes. 2) Parents have the right to inspect and review the complete contents of their child's education record. 3) State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 4) A complete list of all student data elements collected by New York State is available for public review at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. 5) Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, Xxx Xxxx 00000. Complaints may also be submitted using the form available at the following website xxxx://xxx.xxxxx.xxx/student-data-privacy/form/report- improper-disclosure.