Additional Vendor Responsibilities. Vendor acknowledges that under Education Law Section 2-d and related regulations it has the following obligations with respect to any Protected Information, and any
a. Vendor shall limit internal access to Protected Information to those individuals and Assignees or subcontractors that need access to provide the contracted services;
b. Vendor will not use Protected Information for any purpose other than those explicitly authorized in this Contract;
c. Vendor will not disclose any Protected Information to any party who is not an authorized representative of the Vendor using the information to carry out Vendor's obligations under this Contract or to the DISTRICT unless (i) Vendor has the prior written consent of the parent or eligible student to disclose the information to that party, or (ii) the disclosure is required by statute or court order, and notice of the disclosure is provided to DISTRICT no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order;
d. Vendor will maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Information in its custody;
e. Vendor will use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under P.L. 111-5, Section 13402(H)(2);
f. Vendor will notify the DISTRICT of any breach of security resulting in an unauthorized release of student data by the Vendor or its Assignees in violation of state or federal law, or of contractual obligations relating to data privacy and security in the most expedient way possible and without unreasonable delay but no more than seven calendar days after the discovery of the breach; and
g. Where a breach or unauthorized disclosure of Protected Information is attributed to the Vendor, the Vendor shall pay for or promptly reimburse DISTRICT for the full cost incurred by DISTRICT to send notifications required by Education Law Section 2-d.
Appears in 18 contracts
Additional Vendor Responsibilities. Vendor acknowledges that under Education Law Section 2-d and related regulations it has the following obligations with respect to any Protected Information, and any failure to fulfill one of these statutory obligations may subject the vendor to a monetary civil penalty and shall be a breach of this Contract:
13.1 Vendor shall limit internal access to Protected Information to those individuals and Assignees or subcontractors that need access to provide the contracted services;
13.2 Vendor will not use Protected Information for any purpose other than those explicitly authorized in this Contract;
13.3 Vendor will not disclose any Protected Information to any party who is not an authorized representative of the Vendor using the information to carry out Vendor’s obligations under this Contract or to the BOCES unless (1) Vendor has the prior written consent of the parent or eligible student to disclose the information to that party, or (ii) the disclosure is required by statute or court order, and notice of the disclosure is provided to BOCES no less than three (3) business day prior to disclosure, unless such notice is expressly prohibited by the statute or court order;
13.4 Vendor will maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Information in its custody;
13.5 Vendor will use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under P.L. 111-5, Section 13402(H)(2);
13.6 Vendor will notify the BOCES of any breach of security resulting in an unauthorized release of student data by the Vendor or its Assignees in violation of state or federal law, or of contractual obligations relating to data privacy and security in the most expedient way possible and without unreasonable delay but no more than seven calendar days after the discovery of the breach; and
13.7 Where a breach or unauthorized disclosure of Protected Information is attributed to the Vendor, the Vendor shall pay for or promptly reimburse BOCES for the full cost incurred by BOCES to send notifications required by Education Law Section 2-d.
Appears in 10 contracts
Samples: Contract Addendum, Contract Addendum, Contract Addendum
Additional Vendor Responsibilities. Vendor acknowledges that under Education Law Section 2-d and related regulations it has the following obligations with respect to any Protected Information, and any failure to fulfill one of these statutory obligations may subject the vendor to a monetary civil penalty and shall be a breach of this Contract:
13.1 Vendor shall limit internal access to Protected Information to those individuals and Assignees or subcontractors that need access to provide the contracted services;
13.2 Vendor will not use Protected Information for any purpose other than those explicitly authorized in this Contract;
13.3 Vendor will not disclose any Protected Information to any party who is not an authorized representative of the Vendor using the information to carry out Vendor’s obligations under this Contract or to the BOCES unless (1) Vendor has the prior written consent of the parent or eligible student to disclose the information to that party, or (ii) the disclosure is required by statute or court order, and notice of the disclosure is provided to BOCES no less than three (3) business day prior to disclosure, unless such notice is expressly prohibited by the statute or court order;
13.4 Vendor will maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Information in its custody;
13.5 Vendor will use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under P.L. 111-5, Section 13402(H)(2);
13.6 Vendor will notify the BOCES of any breach of security resulting in an unauthorized release of student data by the Vendor or its Assignees in violation of state or federal law, or of contractual obligations relating to data privacy and security in the most expedient way possible and without unreasonable delay but no more than seven calendar days after the discovery of the breach; and
13.7 Where a breach or unauthorized disclosure of Protected Information is attributed to the Vendor, the Vendor shall pay for or promptly reimburse BOCES for the full cost incurred by BOCES to send notifications required by Education Law Section 2-d.
Dated:
Appears in 4 contracts
Samples: Contract Addendum, Contract Addendum, Contract Addendum
Additional Vendor Responsibilities. Vendor acknowledges that under Education Law Section 2-d and related regulations it has the following obligations with respect to any Protected Information, and any failure to fulfill one of these statutory obligations shall be a breach of this Contract:
13.1 Vendor shall limit internal access to Protected Information to those individuals and Assignees or subcontractors that need access to provide the contracted services;
13.2 Vendor will not use Protected Information for any purpose other than those explicitly authorized in this Contract;
13.3 Vendor will not disclose any Protected Information to any party who is not an authorized representative of the Vendor using the information to carry out Vendor’s obligations under this Contract or to the BOCES unless (1) Vendor has the prior written consent of the parent or eligible student to disclose the information to that party, or (2) the disclosure is required by statute or court order, and notice of the disclosure is provided to BOCES no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order;
13.4 Vendor will maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Information in its custody;
13.5 Vendor will use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under P.L. 111-5, Section 13402(H)(2);
13.6 Vendor will notify the BOCES of any breach of security resulting in an unauthorized release of student data by the Vendor or its Assignees in violation of state or federal law, or of contractual obligations relating to data privacy and security in the most expedient way possible and without unreasonable delay but no more than seven (7) calendar days after the discovery of the breach; and
g. and Where a breach or unauthorized disclosure of Protected Information is attributed to the Vendor, the Vendor shall pay for or promptly reimburse BOCES for the reasonable cost incurred by BOCES to send notifications required by Education Law Section 2-d. BOCES will reasonably consult, cooperate, and coordinate with Vendor in connection with such notifications.
Appears in 1 contract
Samples: Addendum
Additional Vendor Responsibilities. Vendor acknowledges that under Education Law Section 2-d and related regulations it has the following obligations with respect to any Protected Information, and any failure to fulfill one of these statutory obligations may subject the vendor to a monetary civil penalty and shall be a breach of this Contract:
13.1 Vendor shall limit internal access to Protected Information to those individuals and Assignees or subcontractors that need access to provide the contracted services;
13.2 Vendor will not use Protected Information for any purpose other than those explicitly authorized in this Contract;
13.3 Vendor will not disclose any Protected Information to any party who is not an authorized representative of the Vendor using the information to carry out Vendor’s obligations under this Contract or to the BOCES unless (1) Vendor has the prior written consent of the parent or eligible student to disclose the information to that party, or (ii) the disclosure is required by statute or court order, and notice of the disclosure is provided to BOCES no less than three (3) business day prior to disclosure, unless such notice is expressly prohibited by the statute or court order;
13.4 Vendor will maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Information in its custody;
13.5 Vendor will use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under P.L. 111-5, Section 13402(H)(2);
13.6 Vendor will notify the BOCES of any breach of security resulting in an unauthorized release of student data by the Vendor or its Assignees in violation of state or federal law, or of contractual obligations relating to data privacy and security in the most expedient way possible and without unreasonable delay but no more than seven calendar days after the discovery of the breach; and
13.7 Where a breach or unauthorized disclosure of Protected Information is attributed to the Vendor, the Vendor shall pay for or promptly reimburse BOCES for the full cost incurred by BOCES to send notifications required by Education Law Section 2-d.
Dated: For the Xxxxxxxxx-Xxxxx BOCES
**Capstone does not collect any student data or PII.
PURPOSE DETAILS The exclusive purpose for which Vendor is being provided access to Protected Information is to provide the product or services that are the subject of this Contract to BOCES. The product or services are used to provide [e.g., mathematics instruction in Grades 1 and 2].
SUBCONTRACTOR DETAILS Vendor represents that it will only share Protected Information with subcontractors if those subcontractors are contractually bound to observe the same obligations to maintain the privacy and security of Protected Information as are required of Vendor under this Contract and all applicable New York State and federal laws.
Appears in 1 contract
Samples: Contract Addendum
Additional Vendor Responsibilities. Vendor acknowledges that under Education Law Section 2-d and related regulations it has the following obligations with respect to any Protected Information, and any failure to fulfill one of these statutory obligations shall be a breach of this Contract:
13.1 Vendor shall limit internal access to Protected Information to those individuals and Assignees or subcontractors that need access to provide the contracted services;
13.2 Vendor will not use Protected Information for any purpose other than those explicitly authorized in this Contract;
13.3 Vendor will not disclose any Protected Information to any party who is not an authorized representative of the Vendor using the information to carry out Vendor's obligations under this Contract or to the DISTRICT unless (1) Vendor has the prior written consent of the parent or eligible student to disclose the information to that party, or (ii) the disclosure is required by statute or court order, and notice of the disclosure is provided to DISTRICT no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order;
13.4 Vendor will maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Information in its custody;
13.5 Vendor will use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under P.L. 111-5, Section 13402(H)(2);
13.6 Vendor will notify the DISTRICT of any breach of security resulting in an unauthorized release of student data by the Vendor or its Assignees in violation of state or federal law, or of contractual obligations relating to data privacy and security in the most expedient way possible and without unreasonable delay but no more than seven calendar days after the discovery of the breach; and
13.7 Where a breach or unauthorized disclosure of Protected Information is attributed to the Vendor, the Vendor shall pay for or promptly reimburse DISTRICT for the full cost incurred by DISTRICT to send notifications required by Education Law Section 2-d.
Signatures For Geneseo Central School District For [Vendor Name] Superintendent of Schools Date: Date:
Attachment A - Parents' Bill of Rights for Data Security and Privacy
Parents (includes legal guardians or persons in parental relationships) and Eligible Students (student 18 years and older) can expect the following:
1. A student’s personally identifiable information (PII) cannot be sold or released for any commercial purpose. PII, as defined by Education Law § 2-d and FERPA, includes direct identifiers such as a student’s name or identification number, parent’s name, or address; and indirect identifiers such as a student’s date of birth, which when linked to or combined with other information can be used to distinguish or
2. The right to inspect and review the complete contents of the student’s education record stored or
3. State and federal laws such as Education Law § 2-d; the Commissioner of Education’s Regulations at 8 NYCRR Part 121, the Family Educational Rights and Privacy Act ("FERPA") at 12 U.S.C. 1232g (34 CFR Part 99); Children's Online Privacy Protection Act ("COPPA") at 15 U.S.C. 6501-6502 (16 CFR Part 312); Protection of Pupil Rights Amendment ("PPRA") at 20 U.S.C. 1232h (34 CFR Part 98); the Individuals with Disabilities Education Act (“IDEA”) at 20 U.S.C. 1400 et seq. (34 CFR Part 300); protect the confidentiality of a student’s identifiable information.
4. Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred.
5. A complete list of all student data elements collected by NYSED is available at xxxx://xxx.xxxxx.xxx/common/nysed/files/programs/data-privacy-security/inventory-of-data-elements-collected-by-nysed_0.pdf and by writing to: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, XX 00000.
6. The right to have complaints about possible breaches and unauthorized disclosures of PII addressed. Complaints should initially be submitted to Xxxx Xxxx (xxxxxxxx@xxxxxxxxxx.xxx) using this form: xxxxx://xxxx.xxxxxx.xxx/forms/d/e/1FAIpQLSe9VL1RPRA805owYfnkY6AQP6IbgjhBVte3dl6lDjJAWoxzPQ/viewform. This form will be routed to our Data Privacy Officer who will initiate an investigation into the complaint and will contact you to alert you of next steps. The complaint can also be mailed to the NYSED Data Breach Office at: Chief Privacy Officer, New York State Education Department, 00 Xxxxxxxxxx Xxxxxx, Xxxxxx, XX 00000; by email to xxxxxxx@xxxxx.xxx; or by telephone at 518-474-0937.
7. To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of PII occurs.
8. Educational agency workers that handle PII will receive training on applicable state and federal laws,
9. Educational agency contracts with vendors that receive PII will address statutory and regulatory data privacy and security requirements.
Appears in 1 contract
Samples: Data Privacy Agreement
Additional Vendor Responsibilities. Vendor acknowledges that under Education Law Section 2-d and related regulations it has the following obligations with respect to any Protected Information, and any failure to fulfill one of these statutory obligations shall be a breach of this Contract:
13.1 Vendor shall limit internal access to Protected Information to those individuals and Assignees or subcontractors that need access to provide the contracted services;
13.2 Vendor will not use Protected Information for any purpose other than those explicitly authorized in this contract;
13.3 Vendor will not disclose any Protected Information to any party who is not an authorized representative of the Vendor using the information to carry out Vendor’s obligations under this Contract or to the DISTRICT unless (i) Vendor has the prior written consent of the parent or eligible student to disclose the information to that party, or (ii) the disclosure is required by statute or court order, and notice of the disclosure is provided to DISTRICT no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order;
13.4 Vendor will maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Information in its custody;
13.5 Vendor will use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under P.L. 111-5, Section 13402(H)(2);
13.6 Vendor will notify the DISTRICT of any breach of security resulting in an unauthorized release of student data by the Vendor or its Assignees in violation of state or federal law, or of contractual obligations relating to data privacy and security in the most expedient way possible and without unreasonable delay but no more than seven (7) calendar days after the discovery of the breach; and
13.7 Where a breach or unauthorized disclosure of Protected Information is attributed to the Vendor, the Vendor shall pay for or promptly reimburse DISTRICT for the full cost incurred by DISTRICT to send notifications required by Education Law Section 2-d.
For Alexandria Central School District For EDpuzzle Inc. Date: 11/30/2020
CONTRACTOR EDpuzzle Inc.
PRODUCT Edpuzzle instructional software
PURPOSE DETAILS The exclusive purpose for which Vendor is being provided access to Protected Information is to provide the product or services that are the subject of this Contract to DISTRICT.
SUBCONTRACTOR DETAILS Vendor represents that it will only share Protected Information with subcontractors if those subcontractors are contractually bound to observe obligations to maintain the privacy and security of Protected Information consistent with those that are required of Vendor under this Contract and all applicable New York State and federal laws.
DATA DESTRUCTION INFORMATION The agreement expires August 31, 2021, unless either party gives notice to terminate. Upon expiration of this Contract without a successor agreement in place and written request by the DISTRICT, Vendor shall assist DISTRICT in exporting all Protected Information previously received from, or then owned by, DISTRICT, to the extent such export is feasible. Vendor shall thereafter, upon request by the DISTRICT, securely delete and overwrite any and all Protected Information remaining in the possession of Vendor or its assignees or subcontractors (including all hard copies, archived copies, electronic versions or electronic imaging of hard copies of shared data) as well as any and all Protected Information maintained on behalf of Vendor in secure data center facilities. Vendor shall ensure that no copy, summary or extract of the Protected Information or any related work papers are retained on any storage medium whatsoever by Vendor, its subcontractors or assignees, or the aforementioned secure data center facilities. Without prejudice to any of the foregoing, Vendor may retain backups of data for a term up to thirteen (13) months since termination of the agreement and/or the service, provided the terms of the agreement and this addendum shall continue to apply so long as the Vendor retains Protected Information in its possession.
DATA ACCURACY INFORMATION In the event that a parent, student, or eligible student wishes to challenge the accuracy of Protected Information that qualifies as student data for purposes of Education Law Section 2-d, that challenge shall be processed through the procedures provided by the DISTRICT for amendment of education records under the Family Education Rights and Privacy Act.
SECURITY PRACTICES The data is stored in the continental United States (CONUS) or Canada. Notwithstanding the foregoing, user-generated content (which may or may not include Protected Data) may be temporarily copied and stored in other countries in order for Vendor to provide a better service. Concretely, uploaded videos, audios or images may have a copy temporarily stored in other regions to reduce the time of load. Vendor will maintain administrative, technical, and physical safeguards that equal industry best practices including, but not necessarily limited to, disk encryption, file encryption, firewalls, and password protection, and that align with the NIST Cybersecurity Framework 1.0. Vendor will use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under P.L. 111-5, Section 13402(H)(2).
ATTACHMENT B – DISTRICT POLICY
xxxxx://xxxx.xxxxxx.xxx/document/d/1bL4-Pi2rXvSpPRQ187ca2cDYDnBMD8PL6hIX-8RPUYM/edit?usp=sharing
The DISTRICT Parents Bill of Rights for Data Privacy Security, a signed copy of which is included as Attachment B to this Addendum, is incorporated into and made a part of this Data Security and Privacy Plan.
The technical and organizational measures provided in this Data Privacy and Security Plan and Supplemental Information (hereinafter, “DPSP”) apply to EDpuzzle, Inc. (hereinafter, “Edpuzzle”) in the processing of Personally Identifiable Information (“PII”) that is the subject matter of the Agreement entered into with Alexandria Central School (“District”) on 12/02/2020 (the “Agreement”), including any underlying applications, platforms, and infrastructure components operated and managed by Edpuzzle in providing its services.
Appears in 1 contract
Samples: Contract Addendum
Additional Vendor Responsibilities. Vendor acknowledges that under Education Law Section 2-d and related regulations it has the following obligations with respect to any Protected Information, and any failure to fulfill one of these statutory obligations may subject the vendor to a monetary civil penalty and shall be a breach of this Contract:
13.1 Vendor shall limit internal access to Protected Information to those individuals and Assignees or subcontractors that need access to provide the contracted services;
13.2 Vendor will not use Protected Information for any purpose other than those explicitly authorized in this Contract;
13.3 Vendor will not disclose any Protected Information to any party who is not an authorized representative of the Vendor using the information to carry out Vendor’s obligations under this Contract or to the BOCES unless (1) Vendor has the prior written consent of the parent or eligible student to disclose the information to that party, or (ii) the disclosure is required by statute or court order, and notice of the disclosure is provided to BOCES no less than three (3) business day prior to disclosure, unless such notice is expressly prohibited by the statute or court order;
13.4 Vendor will maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Information in its custody;
13.5 Vendor will use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under P.L. 111-5, Section 13402(H)(2);
13.6 Vendor will notify the BOCES of any breach of security resulting in an unauthorized release of student data by the Vendor or its Assignees in violation of state or federal law, or of contractual obligations relating to data privacy and security promptly and without unreasonable delay but no more than ten calendar days after the discovery of the breach; and
13.7 Where a breach or unauthorized disclosure of Protected Information is attributed to the Vendor, the Vendor shall pay for or promptly reimburse BOCES for the full cost incurred by BOCES to send notifications required by Education Law Section 2-d.
Dated:
Appears in 1 contract
Samples: Contract Addendum
Additional Vendor Responsibilities. Vendor acknowledges that under Education Law Section 2-d and related regulations it has the following obligations with respect to any Protected Information, and any failure to fulfill one of these statutory obligations may subject the vendor to a monetary civil penalty and shall be a breach of this Contract:
14.1 Vendor shall limit internal access to Protected Information to those individuals and Assignees or subcontractors that need access to provide the contracted services;
14.2 Vendor will not use Protected Information for any purpose other than those explicitly authorized in this Contract;
14.3 Vendor will not disclose any Protected Information to any party who is not an authorized representative of the Vendor using the information to carry out Vendor’s obligations under this Contract or to the BOCES unless (1) Vendor has the prior written consent of the parent or eligible student to disclose the information to that party, or (ii) the disclosure is required by statute or court order, and notice of the disclosure is provided to BOCES no less than three (3) business day prior to disclosure, unless such notice is expressly prohibited by the statute or court order;
14.4 Vendor will maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Information in its custody;
14.5 Vendor will use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under P.L. 111-5, Section 13402(H)(2);
14.6 Vendor will notify the BOCES of any breach of security resulting in an unauthorized release of Protected Information that is student data by the Vendor or its Assignees in violation of state or federal law, or of contractual obligations relating to data privacy and security in the most expedient way possible and without unreasonable delay but no more than seven calendar days after the discovery of the breach; and
14.7 Where a breach or unauthorized disclosure of Protected Information is attributed to the Vendor, the Vendor shall pay for or promptly reimburse BOCES for the full cost incurred by BOCES to send notifications required by Education Law Section 2-d.
Dated: 5/31/2023 For the Xxxxxxxxx-Xxxxx BOCES
PURPOSE DETAILS The exclusive purpose for which Vendor is being provided access to Protected Information is to provide the product or services that are the subject of this Contract to BOCES. The product or services are used to provide See Attachment D.
SUBCONTRACTOR DETAILS Vendor represents that it will only share Protected Information with subcontractors if those subcontractors are contractually bound to observe the same obligations to maintain the privacy and security of Protected Information as are required of Vendor under this Contract and all applicable New York State and federal laws.
DATA DESTRUCTION INFORMATION The agreement expires See Attachment D. Upon expiration of this Contract without a successor agreement in place, upon request of BOCES, Vendor shall assist BOCES in exporting all Protected Information previously received from, or then owned by, BOCES. Vendor shall thereafter securely delete and overwrite any and all Protected Information remaining in the possession of Vendor or its assignees or subcontractors (including all hard copies, archived copies, electronic versions or electronic imaging of hard copies of shared data) as well as any and all Protected Information maintained on behalf of Vendor in secure data center facilities. Vendor shall ensure that no copy, summary or extract of the Protected Information or any related work papers are retained on any storage medium whatsoever by Vendor, its subcontractors or assignees, or the aforementioned secure data center facilities.
DATA ACCURACY INFORMATION In the event that a parent, student, or eligible student wishes to challenge the accuracy of Protected Information that qualifies as student data for purposes of Education Law
Dated: 5/31/2023 For the Xxxxxxxxx-Xxxxx BOCES For the Vendor
XXXXXXXXX • XXXXX • XXXXXXXX • HERKIMER • ONEIDA BOARD OF COOPERATIVE EDUCATIONAL SERVICES
Pursuant to New York State Education Law §2-d, parents, legal guardians and persons in parental relation to a student, as well as eligible students, defined as those students who are eighteen years or older, are entitled to certain rights with regard to their child’s personally identifiable information (PII), as defined by Education Law §2-x. Xxxxxxxxx-Xxxxx BOCES Policy 6001 contains a plain-English summary of such rights. Vendor specifically acknowledges receipt of Parents’ Bill of Rights for Data Privacy and Security and BOCES Data Security Policy, which are attached hereto, and understands its legal obligations as provided therein.
Dated: 5/31/2023 For the Xxxxxxxxx-Xxxxx BOCES For the Vendor
The BOCES Parents Bill of Rights for Data Privacy Security, receipt of which is acknowledged as Attachment B to this Addendum, is incorporated into and made a part of this Data Security and Privacy Plan.
Dated: 5/31/2023 For the Xxxxxxxxx-Xxxxx BOCES For the Vendor
PERSONNEL 4243
Appears in 1 contract
Samples: Contract Addendum
Additional Vendor Responsibilities. Vendor acknowledges that under Education Law Section 2-d and related regulations it has the following obligations with respect to any Protected Information, and any failure to fulfill one of these statutory obligations shall be a breach of this Contract:
13.1 Vendor shall limit internal access to Protected Information to those individuals and Assignees or subcontractors and third-party service providers that need access to provide the contracted services;
13.2 Vendor will not use Protected Information for any purpose other than those explicitly authorized in this Contract;
13.3 Vendor will not disclose any Protected Information to any party who is not an authorized representative of the Vendor including employees, subcontractors, and third-party service providers using the information to carry out Vendor’s obligations under this Contract or to the DISTRICT unless (1) Vendor has the prior written consent of the parent or eligible student to disclose the information to that party, or (ii) the disclosure is required by statute or court order, and notice of the disclosure is provided to DISTRICT no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order;
13.4 Vendor will maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Information in its custody;
13.5 Vendor will use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under P.L. 111-5, Section 13402(H)(2);
13.6 Vendor will notify the DISTRICT of any breach of security resulting in an unauthorized release of student data by the Vendor or its Assignees in violation of state or federal law, or of contractual obligations relating to data privacy and security in the most expedient way possible and without unreasonable delay but no more than seven calendar days after the discovery of the breach; and
13.7 Where a breach or unauthorized disclosure of Protected Information is attributed to the Vendor, the Vendor shall pay for or promptly reimburse DISTRICT for the full cost incurred by DISTRICT to send notifications required by Education Law Section 2-d.
Appears in 1 contract
Additional Vendor Responsibilities. Vendor acknowledges that under Education Law Section 2-d and related regulations it has the following obligations with respect to any Protected Information, and any
a. Vendor shall limit internal access to Protected Information to those individuals and Assignees or subcontractors that need access to provide the contracted services;
b. Vendor will not use Protected Information for any purpose other than those explicitly authorized in this Contract;
c. Vendor will not disclose any Protected Information to any party who is not an authorized representative of the Vendor using the information to carry out Vendor's obligations under this Contract or to the DISTRICT unless (i) Vendor has the prior written consent of the parent or eligible student to disclose the information to that party, or (ii) the disclosure is required by statute or court order, and notice of the disclosure is provided to DISTRICT no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order;
d. Vendor will maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Information in its custody;
e. Vendor will use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under P.L. 111-5, Section 13402(H)(2);
f. Vendor will notify the DISTRICT of any breach of security resulting in an unauthorized release of student data by the Vendor or its Assignees in violation of state or federal law, or of contractual obligations relating to data privacy and security in the most expedient way possible and without unreasonable delay but no more than seven calendar days after the discovery of the breach; and
g. Where a breach or unauthorized disclosure of Protected Information is attributed to the Vendor, the Vendor shall pay for or promptly reimburse DISTRICT for the full cost incurred by DISTRICT to send notifications required by Education Law Section 2-d provided that Vendor's aggregate liability hereunder shall not otherwise exceed the limitation of liability provisions in the Master Agreement.
Appears in 1 contract
Samples: Addendum
Additional Vendor Responsibilities. Vendor acknowledges that under Education Law Section 2-d and related regulations it has the following obligations with respect to any Protected Information, and any failure to fulfill one of these statutory obligations may subject the vendor to a monetary civil penalty and shall be a breach of this Contract:
13.1 Vendor shall limit internal access to Protected Information to those individuals and Assignees or subcontractors that need access to provide the contracted services;
13.2 Vendor will not use Protected Information for any purpose other than those explicitly authorized in this Contract;
13.3 Vendor will not disclose any Protected Information to any party who is not an authorized representative of the Vendor using the information to carry out Vendor’s obligations under this Contract or to the BOCES unless (1) Vendor has the prior written consent of the parent or eligible student to disclose the information to that party, or (ii) the disclosure is required by statute or court order, and notice of the disclosure is provided to BOCES no less than three (3) business day prior to disclosure, unless such notice is expressly prohibited by the statute or court order;
13.4 Vendor will maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Information in its custody;
13.5 Vendor will use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under P.L. 111-5, Section 13402(H)(2);
13.6 Vendor will notify the BOCES of any breach of security resulting in an unauthorized release of student data by the Vendor or its Assignees in violation of state or federal law, or of contractual obligations relating to data privacy and security in the most expedient way possible and without unreasonable delay but no more than seven calendar days after the discovery of the breach; and
13.7 Where a breach or unauthorized disclosure of Protected Information is attributed to the Vendor, the Vendor shall pay for or promptly reimburse BOCES for the full cost incurred by BOCES to send notifications required by Education Law Section 2-d.
Dated: the Vendor For the Xxxxxxxxx-Xxxxx BOCES
PURPOSE DETAILS The exclusive purpose for which Vendor is being provided access to Protected Information is to provide the product or services that are the subject of this Contract to BOCES. The product or services are used to provide [e.g., mathematics instruction in Grades 1 and 2].
SUBCONTRACTOR DETAILS Vendor represents that it will only share Protected Information with subcontractors if those subcontractors are contractually bound to observe the same obligations to maintain the privacy and security of Protected Information as are required of Vendor under this Contract and all applicable New York State and federal laws.
Appears in 1 contract
Samples: Contract Addendum
Additional Vendor Responsibilities. Vendor acknowledges that under Education Law Section 2-d and related regulations it has the following obligations with respect to any Protected Information, and any failure to fulfill one of these statutory obligations may subject the vendor to a monetary civil penalty and shall be a breach of this Contract:
13.1 Vendor shall limit internal access to Protected Information to those individuals and Assignees or subcontractors that need access to provide the contracted services;
13.2 Vendor will not use Protected Information for any purpose other than those explicitly authorized in this Contract;
13.3 Vendor will not disclose any Protected Information to any party who is not an authorized representative of the Vendor using the information to carry out Vendor’s obligations under this Contract or to the District unless (1) Vendor has the prior written consent of the parent or eligible student to disclose the information to that party, or (ii) the disclosure is required by statute or court order, and notice of the disclosure is provided to the District no less than three (3) business day prior to disclosure, unless such notice is expressly prohibited by the statute or court order;
13.4 Vendor will maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Information in its custody;
13.5 Vendor will use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under P.L. 111-5, Section 13402(H)(2);
13.6 Vendor will notify the District of any breach of security resulting in an unauthorized release of student data by the Vendor or its Assignees in violation of state or federal law, or of contractual obligations relating to data privacy and security in the most expedient way possible and without unreasonable delay but no more than seven (7) calendar days after the discovery of the breach; and
13.7 Where a breach or unauthorized disclosure of Protected Information is attributed to the Vendor, the Vendor shall pay for or promptly reimburse the District for the full cost incurred by the District to send notifications required by Education Law Section 2-d.
For the Xxxxx Creek Central School District Date: 11 / 24 / 2020 For the Vendor Date: 12 / 07 / 2020
PURPOSE DETAILS The exclusive purpose for which Vendor is being provided access to Protected Information is to provide the product or services that are the subject of this Contract to the District, the “Edpuzzle Service”. Edpuzzle is an instructional software accessible through Edpuzzle’s website (xxx.xxxxxxxx.xxx), student mobile applications (iOS and Android) and, eventually, through the compatible learning Management System(s) (LMS) with which Edpuzzle may be integrated, such as, but not limited to, Canvas, Blackbaud or Moodle. Student and Teacher Data will be used by Edpuzzle for the following limited purposes: a) to create the necessary accounts to use the Service (student accounts); b) to provide teachers with analytics on student progress; c) to send teachers email updates, if applicable; d) to help teachers connect with other teachers from the same school or district; e) to assess the quality of the Service; f) to secure and safeguard personal information of other data subjects; to comply with all applicable laws on the protection of personal information.
SUBCONTRACTOR DETAILS Vendor represents that it will only share Protected Information with subcontractors if those subcontractors are contractually bound to observe obligations to maintain the privacy and security of Protected Information that are consistent with those required of Vendor under this Contract and all applicable New York State and United States federal laws.
DATA DESTRUCTION INFORMATION The agreement expires upon expiration of the underlying contract. Upon expiration of this Contract without a successor agreement in place, and written request by the District, Vendor shall assist the District in exporting Protected Information previously received from, or then owned by, the District, unless such export proves to be technologically unfeasible, incompatible with the Product or involves a disproportionate effort for the Vendor, as outlined in this Addendum. Where transfer or return of Protected Information is not feasible, Vendor shall proceed to deletion of Protected Information as described in article 10.3 of this Addendum. Vendor shall, upon request by the District, securely delete and overwrite any and all Protected Information remaining in the possession of Vendor or its assignees or subcontractors (including all hard copies, archived copies, electronic versions or electronic imaging of hard copies of shared data) as well as any and all Protected Information maintained on behalf of Vendor in secure data center facilities. In the absence of request, Vendor will proceed to securely delete Protected Information after eighteen (18) months of end-user account inactivity. Vendor shall ensure that, except for backups of Protected Information that are part of Vendor’s disaster recovery storage system, no copy, summary or extract of the Protected Information or any related work papers are retained on any storage medium whatsoever by Vendor, its subcontractors or assignees, or the aforementioned secure data center facilities. In regard to the foregoing, Vendor may retain backups of Protected Information that is stored as part of a disaster recovery storage system that is (a) inaccessible to the public, and (b) unable to be used in the normal course of business by the Vendor. Vendor shall keep copies of student data for a period not exceeding thirteen (13) months from the day of their creation
DATA ACCURACY INFORMATION In the event that a parent, student, or eligible student wishes to challenge the accuracy of Protected Information that qualifies as student data for purposes of Education Law
For the Xxxxx Creek Central District Date: 11 / 24 / 2020 For the Vendor Date: 12 / 07 / 2020
Pursuant to New York State Education Law §2-d, parents, legal guardians and persons in parental relation to a student, as well as eligible students, defined as those students who are eighteen years or older, are entitled to certain rights with regard to their child’s personally identifiable information (PII), as defined by Education Law §2-d. The Xxxxx Creek Central School District Policy contains a plain-English summary of such rights. Vendor specifically acknowledges receipt of Parents’ Bill of Rights for Data Privacy and Security and District Data Security Policy, which are attached hereto, and understands its legal obligations as provided therein.
For the Xxxxx Creek Central School District Date: 11 / 24 / 2020 For the Vendor Date: 12 / 07 / 2020
The District Parents Bill of Rights for Data Privacy Security, receipt of which is acknowledged as Attachment B to this Addendum, is incorporated into and made a part of this Data Security and Privacy Plan.
EDpuzzle, Inc. 000 Xxxxxx Xx. (Xxxxx 000) Xxx Xxxxxxxxx, XX 00000 xxxxxxx@xxxxxxxx.xxx
The technical and organizational measures provided in this Data Privacy and Security Plan and Supplemental Information (hereinafter, “DPSP”) apply to EDpuzzle, Inc. (hereinafter, “Edpuzzle”) in the processing of Personally Identifiable Information (“PII”) that is the subject matter of the Agreement entered into with Xxxxx Creek Central School District (“District”) on 12 / 07 / 2020 (the “Agreement”), including any underlying applications, platforms, and infrastructure components operated and managed by Edpuzzle in providing its services.
Appears in 1 contract
Samples: Contract Addendum
Additional Vendor Responsibilities. Vendor acknowledges that under Education Law Section 2-d and related regulations it has the following obligations with respect to any Protected Information, and any
a. Vendor shall limit internal access to Protected Information to those individuals and Assignees or subcontractors that need access to provide the contracted services and/or in accordance with Contractor’s data briefs located at: xxxxx://xxx.xxxxx.xxx/c/en/us/about/trust-center/data-management.html and any applicable Contractor privacy data sheets;
b. Vendor will not use Protected Information for any purpose other than those explicitly authorized in this Contract;
c. Vendor will not disclose any Protected Information to any party who is not an authorized representative of the Vendor using the information to carry out Vendor's obligations under this Contract or to the DISTRICT unless (i) Vendor has the prior written consent of the parent or eligible student to disclose the information to that party, or (ii) the disclosure is required by statute or court order, and notice of the disclosure is provided to DISTRICT no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order;
d. Vendor will maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Information in its custody;
e. Vendor will use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology as provided in Contractor’s privacy data sheets;
f. Vendor will notify the DISTRICT of any confirmed breach of security resulting in an unauthorized release of student data by the Vendor or its Assignees in violation of state or federal law, or of contractual obligations relating to data privacy and security in the most expedient way possible and without unreasonable delay but no more than seven calendar days after the discovery of the breach; and
g. Where a breach or unauthorized disclosure of Protected Information is attributed to the Vendor, the Vendor shall pay for or promptly reimburse DISTRICT for the full costs incurred by DISTRICT to send notifications required by Education Law Section 2-d up to $100,000.00.
Appears in 1 contract
Samples: Addendum
Additional Vendor Responsibilities. Vendor acknowledges that under Education Law Section 2-d and related regulations it has the following obligations with respect to any Protected Information, and any failure to fulfill one of these statutory obligations shall be a breach of this Contract:
13.1 Vendor shall limit internal access to Protected Information to those individuals and Assignees or subcontractors that need access to provide the contracted services;
13.2 Vendor will not use Protected Information for any purpose other than those explicitly authorized in this Contract;
13.3 Vendor will not disclose any Protected Information to any party who is not an authorized representative of the Vendor using the information to carry out Vendor's obligations under this Contract or to the DISTRICT unless (1) Vendor has the prior written consent of the parent or eligible student to disclose the information to that party, or (ii) the disclosure is required by statute or court order, and notice of the disclosure is provided to DISTRICT no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order;
13.4 Vendor will maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Information in its custody;
13.5 Vendor will use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under P.L. 111-5, Section 13402(H)(2);
13.6 Vendor will notify the DISTRICT of any breach of security resulting in an unauthorized release of student data by the Vendor or its Assignees in violation of state or federal law, or of contractual obligations relating to data privacy and security in the most expedient way possible and without unreasonable delay but no more than seven calendar days after the discovery of the breach; and
13.7 Where a breach or unauthorized disclosure of Protected Information is attributed to the Vendor, the Vendor shall pay for or promptly reimburse DISTRICT for the full cost incurred by DISTRICT to send notifications required by Education Law Section 2-d.
Appears in 1 contract
Samples: Data Privacy Agreement
Additional Vendor Responsibilities. Vendor acknowledges that under Education Law Section 2-d and related regulations it has the following obligations with respect to any Protected Information, and any failure to fulfill one of these statutory obligations shall be a breach of this Contract:
a. Vendor shall limit internal access to Protected Information to those individuals and Assignees or subcontractors that need access to provide the contracted services;
b. Vendor will not use Protected Information for any purpose other than those explicitly authorized in this Contract;
c. Vendor will not disclose any Protected Information to any party who is not an authorized representative of the Vendor using the information to carry out Vendor's obligations under this Contract or to the DISTRICT unless (i) Vendor has the prior written consent of the parent or eligible student to disclose the information to that party, or (ii) the disclosure is required by statute or court order, and notice of the disclosure is provided to DISTRICT no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order;
d. Vendor will maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Information in its custody;
e. Vendor will use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using TLS L1.2 or higher for data transmitted between the District and Vendor and the product over public networks; and AES 256 or stronger for data stored on Vendor’s server;
f. Vendor will notify the DISTRICT of any breach of security resulting in an unauthorized release of student data by the Vendor or its Assignees in violation of applicable state or federal law, or of contractual obligations relating to data privacy and security in the most expedient way possible and without unreasonable delay but no more than seven calendar days after the discovery of the breach; and
g. Where a breach or unauthorized disclosure of Protected Information is attributed to a violation of applicable privacy laws by the Vendor, the Vendor shall pay for or promptly reimburse DISTRICT for the full reasonable cost incurred by DISTRICT to send notifications required by Education Law Section 2-d.
Appears in 1 contract
Samples: Addendum
Additional Vendor Responsibilities. Vendor acknowledges that under Education Law Section 2-d and related regulations it has the following obligations with respect to any Protected Information, and any failure to fulfill one of these statutory obligations shall be a breach of this Contract:
a. Vendor shall limit internal access to Protected Information to those individuals and Assignees or subcontractors that need access to provide the contracted services;
b. Vendor will not use Protected Information for any purpose other than those explicitly authorized in this Contract;
c. Vendor will not disclose any Protected Information to any party who is not an authorized representative of the Vendor using the information to carry out Vendor's obligations under this Contract or to the DISTRICT unless (i) Vendor has the prior written consent of the parent or eligible student to disclose the information to that party, or (ii) the disclosure is required by statute or court order, and notice of the disclosure is provided to DISTRICT no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order;
d. Vendor will maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Information in its custody;
e. Vendor will use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under P.L. 111-5, Section 13402(H)(2);
f. Vendor will notify the DISTRICT of any breach of security resulting in an unauthorized release of student data by the Vendor or its Assignees in violation of state or federal law, or of contractual obligations relating to data privacy and security in the most expedient way possible and without unreasonable delay but no more than seven calendar days after the discovery of the breach; and
g. Where a breach or unauthorized disclosure of Protected Information is attributed to the Vendor, the Vendor shall pay for or promptly reimburse DISTRICT for the full cost incurred by DISTRICT to send notifications required by Education Law Section 2-d.
Appears in 1 contract
Samples: Addendum
Additional Vendor Responsibilities. Vendor acknowledges that under Education Law Section 2-d and related regulations it has the following obligations with respect to any Protected Information, and any failure to fulfill one of these statutory obligations shall be a breach of this Contract:
13.1 Vendor shall limit internal access to Protected Information to those individuals and Assignees or subcontractors that need access to provide the contracted services;
13.2 Vendor will not use Protected Information for any purpose other than those explicitly authorized in this Contract;
13.3 Vendor will not disclose any Protected Information to any party who is not an authorized representative of the Vendor using the information to carry out Vendor’s obligations under this Contract or to the DISTRICT unless (1) Vendor has the prior written consent of the parent or eligible student to disclose the information to that party, or (ii) the disclosure is required by statute or court order, and notice of the disclosure is provided to DISTRICT no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order;
13.4 Vendor will maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Information in its custody;
13.5 Vendor will use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under P.L. 111-5, Section 13402(H)(2);
13.6 Vendor will notify the DISTRICT of any breach of security resulting in an unauthorized release of student data by the Vendor or its Assignees in violation of state or federal law, or of contractual obligations relating to data privacy and security in the most expedient way possible and without unreasonable delay but no more than seven calendar days after the discovery of the breach; and
13.7 Where a breach or unauthorized disclosure of Protected Information is attributed to the Vendor, the Vendor shall pay for or promptly reimburse DISTRICT for the full cost incurred by DISTRICT to send notifications required by Education Law Section 2-d.
For New Hartford Central School District For Carolina Biological Supply Company President of the Board of Education Xxxxx Xxxxxx Vice President Date: Date: August 10, 2020
Appears in 1 contract
Samples: Contract Addendum