Common use of Data Security and Privacy Plan Clause in Contracts

Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. Additional elements of Vendor’s Data Security and Privacy Plan are as follows: (a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance. In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, Vendor will have the following reasonable administrative, technical, operational and physical safeguards and practices in place throughout the term of the MLSA: ARC digital products adhere to the following security and disaster recovery practices: • All web-based services and RESTful API calls use TLS 1.2 security. • All personally identifiable information stored in MySQL is encrypted at rest using InnoDB tablespace encryption. • ARC digital products offer access for teachers, school administrators, and district administrators as identified by the district. Users in each of those security groups have access to only those student records in their scope of responsibility. • For districts using Clever Instant Login or Classlink OneClick Single Sign-On, the district maintains real-time control of all user credentials. For districts not using one of our supported single sign-on solutions, districts may assign usernames and passwords up to 128 characters. All passwords are stored using BCrypt encryption. • The TrueNet data center includes biometric door locks coupled with NFC cards. All server cabinets are locked. • Servers at the TrueNet data center have dual power supplies connected to separate power circuits with battery backup. • All data at the TrueNet data center is stored on striped and mirrored hard drives for redundancy. • All digital product data is replicated to multiple database servers behind our firewalls. • All data is backed up daily using Dell RapidRecovery, encrypted, and transferred securely to ARC’s headquarters. • All employees who might require access to secure data are provided with training in safe-handling procedures. ARC digital products are hosted on the Microsoft Azure cloud platform. Through the use of encryption and restricted access to physical devices, Microsoft does not have access to district data in any form at any time. • Xxx Xxxxxxxxx Xxx, Xxxxxxx, XX, 00000 • (000) 000-0000 • Security Information for the Microsoft Azure platform, including attestations for NIST, SOC2, and other compliance offerings, can be found here: xxxxx://xxxxx.xxxxxxxxx.xxx/en-us/azure/compliance/offerings/ Privacy • Data stored in ARC digital products remains the property of the district and is protected by several policies to ensure privacy. • American Reading Company does not share district data with any third parties unless requested by district administration.

Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. Additional elements of Vendor’s Data Security and Privacy Plan are as follows: (a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance. DocuSign Envelope ID: CE92A43D-9253-440E-9F2E-63D3C5309765 (b) In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, Vendor will have the following reasonable administrative, technical, operational and physical safeguards and practices in place throughout the term of the MLSA: ARC digital products adhere Security Measures Kahoot! recognizes Customer information and data as the most critical aspect and important success factor in our business. Having our Customers trust in our handling of their data is crucial to drive Kahoot! forward as the leading learning platform vendor. To ensure the data is secure we at Kahoot! have implemented a set of safeguards and processes covering all parts of the data journey. In addition, with new features and opportunities in our learning platform continuously being added, we are driven by clear policies, principles and procedures to ensure data stays secure. Kahoot! have implemented and maintains the following security controls for customer and disaster recovery user data, consistent with globally cloud service provider industry best practices: • All web-based services , including: 1. Controls, Policies & Procedures. Appropriate technical and RESTful API calls use TLS 1.2 security. • All personally identifiable information stored in MySQL is encrypted at rest using InnoDB tablespace encryption. • ARC digital products offer access for teachers, school administratorsadministrative controls, and district administrators organizational policies and procedures. 2. Named person in the role as identified by the district. Users a dedicated Chief information security officer (CISO) with focus on security in each of those security groups have access to only those student records in their scope of responsibility. • For districts using Clever Instant Login or Classlink OneClick Single Sign-On, the district maintains real-time control of all user credentials. For districts not using one of our supported single sign-on solutions, districts may assign usernames and passwords up to 128 characters. All passwords are stored using BCrypt encryption. • The TrueNet data center includes biometric door locks coupled with NFC cards. All server cabinets are locked. • Servers at the TrueNet data center have dual power supplies connected to separate power circuits with battery backup. • All data at the TrueNet data center is stored on striped and mirrored hard drives for redundancy. • All digital product data is replicated to multiple database servers behind our firewalls. • All data is backed up daily using Dell RapidRecovery, encrypted, and transferred securely to ARC’s headquarters. • All employees who might require access to secure data are provided with training in safe-handling procedures. ARC digital products are hosted on the Microsoft Azure cloud platform. Through the use of encryption and restricted access to physical devices, Microsoft does not have access to district data in any form at any time. • Xxx Xxxxxxxxx Xxx, Xxxxxxx, XX, 00000 • (000) 000-0000 • Security Information for the Microsoft Azure platform, including attestations for NIST, SOC2, and other compliance offerings, can be found here: xxxxx://xxxxx.xxxxxxxxx.xxx/en-us/azure/compliance/offerings/ Privacy • Data stored in ARC digital products remains the property areas of the district and is protected by several policies to ensure privacy. • American Reading Company does not share district data with any third parties unless requested by district administrationKahoot! business.

Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. Additional elements of Vendor’s Data Security and Privacy Plan are as follows: (a) In order to implement all applicable state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance. . (b) In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, Vendor will have the following reasonable administrative, technical, operational and physical safeguards and practices in place throughout the term of the MLSA: ARC digital products adhere xxxxx://xxx.xxxxxxxx.xxx/about/privacy_policy/ We strive to the following maintain security policies and disaster recovery practices: • All web-based services and RESTful API calls use TLS 1.2 securityprocedures that are designed to protect your information. • All personally identifiable information stored Our servers are located in MySQL is encrypted at rest using InnoDB tablespace encryption. • ARC digital products offer access for teachersa secured, school administratorslocked, and district administrators as identified monitored environment to prevent unauthorized entry or theft, and are protected by a firewall. The servers are located in a data center in the United States and backed up daily to a secure, U.S.-based, off-site data center. We take extra measures to ensure the safety of PII and Student Records and apply a Secure Sockets Layer (SSL or HTTPS) encrypting technology to establish and ensure that all data passed between the server and the browser remains encrypted. Governance policies and access controls are in place to ensure that the information of each district, school, or other subscriber is separated, and all subscribers can only access their own data. Users in each of those security groups Only limited BrainPOP personnel have access to only those student records in their scope of responsibility. • For districts using Clever Instant Login or Classlink OneClick Single Sign-On, the district maintains real-time control of all user credentials. For districts not using one of our supported single sign-on solutions, districts may assign usernames and passwords up to 128 characters. All passwords are stored using BCrypt encryption. • The TrueNet data center includes biometric door locks coupled with NFC cards. All server cabinets are locked. • Servers at the TrueNet data center have dual power supplies connected to separate power circuits with battery backup. • All data at the TrueNet data center is stored on striped and mirrored hard drives for redundancy. • All digital product data is replicated to multiple database servers behind our firewalls. • All data is backed up daily using Dell RapidRecovery, encrypteddatabase, and transferred securely personnel only access it when necessary to ARC’s headquartersprovide services. • All employees who might require Personnel with access to secure data are provided Student Records pass criminal background checks and undergo periodic privacy training. We follow standardized and documented procedures for coding, configuration management, patch installation, and change management for all applicable servers, and we audit our practices at least once a year. (c) Vendor will comply with training all obligations set forth in safe-handling procedures. ARC digital products are hosted on Erie 1 BOCES’ “Supplemental Information about the Microsoft Azure cloud platform. Through the use MLSA” below. (d) For any of encryption and restricted access to physical devices, Microsoft does not its officers or employees (or officers or employees of any of its subcontractors or assignees) who have access to district Protected Data, Vendor has provided or will provide training on the federal and state laws governing confidentiality of such data in prior to their receiving access, as follows: Annually, Vendor will require that all of its employees (or officers or employees of any form at any timeof its subcontractors or assignees) undergo data security and privacy training to ensure that these individuals are aware of and familiar with all applicable data security and privacy laws. • Xxx Xxxxxxxxx XxxSubcontractors shall not include service providers, Xxxxxxx, XX, 00000 • such as hosting companies. (000e) 000Vendor [check one] x_will will not utilize sub-0000 • Security Information contractors for the Microsoft Azure platformpurpose of fulfilling one or more of its obligations under the MLSA. In the event that Vendor engages any subcontactors, assignees, or other authorized agents to perform its obligations under the MLSA, it will require such subcontactors, assignees, or other authorized agents to execute written agreements as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below. (f) Vendor will manage data security and privacy incidents that implicate Protected Data, including attestations for NIST, SOC2identifying breaches and unauthorized disclosures, and other compliance offeringsVendor will provide prompt notification of any breaches or unauthorized disclosures of Protected Data in accordance with Section 6 of this Data Sharing and Confidentiality Agreement. (g) Vendor will implement procedures for the return, can be found here: xxxxx://xxxxx.xxxxxxxxx.xxx/en-us/azure/compliance/offerings/ Privacy • transition, deletion and/or destruction of Protected Data stored at such time that the MLSA is terminated or expires, as more fully described in ARC digital products remains Erie 1 BOCES’ “Supplemental Information about the property of the district and is protected by several policies to ensure privacy. • American Reading Company does not share district data with any third parties unless requested by district administrationMLSA,” below.

Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. Additional elements of Vendor’s Data Security and Privacy Plan are as follows: (a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance. . (b) In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, Vendor will have the following reasonable administrative, technical, operational and physical safeguards and practices in place throughout the term of the MLSA: ARC digital products adhere to Finalsite implements the following security and disaster recovery practicesmeasures to safeguard Customer Data: • All web-based services Encryption. Finalsite encrypts Customer Data while in transit and RESTful API calls use TLS 1.2 security. • All personally identifiable information stored in MySQL is encrypted at rest using InnoDB tablespace encryptionindustry-standard encryption technologies. • ARC digital products offer access for teachersConfidentiality, school administratorsintegrity, availability, and district administrators resilience of processing systems. Finalsite utilizes Google Cloud or Amazon Web Services to host its applications across multiple availability zones; Finalsite utilizes automatic fail-over systems for certain applications and internal systems; Finalsite conducts regular hourly and daily backups of Customer Data, as identified by the districtwell as other industry-standard safeguards for ensuring resilience of processing systems. Users Finalsite performs regular vulnerability scanning of its software applications and has continuous managed threat detection in each of those security groups have access to only those student records in their scope of responsibilityplace. • For districts using Clever Instant Login or Classlink OneClick Single SignData Restoration. Finalsite utilizes automatic fail-Onover systems for certain applications and internal systems; Finalsite conducts regular backups of Customer Data designed to facilitate timely recovery in the event of a service interruption. In addition, the district maintains realFinalsite’s third-time control of all user credentials. For districts not using one of our supported single sign-on solutions, districts may assign usernames and passwords up to 128 characters. All passwords are stored using BCrypt encryptionparty cloud hosting providers deploy replicated systems for physical redundancies spanning multiple geographic zones. • The TrueNet data center includes biometric door locks coupled with NFC cards. All server cabinets are locked. • Servers at the TrueNet data center have dual power supplies connected to separate power circuits with battery backup. • All data at the TrueNet data center is stored on striped and mirrored hard drives for redundancy. • All digital product data is replicated to multiple database servers behind our firewalls. • All data is backed up daily using Dell RapidRecoveryTesting, encryptedassessing, and transferred securely to ARC’s headquartersevaluating the effectiveness of technical and organizational measures. • All employees who might require access to secure data are provided with training in safe-handling procedures. ARC digital products are hosted on the Microsoft Azure cloud platform. Through the use Finalsite performs periodic testing of encryption its technical and restricted access to physical devices, Microsoft does not have access to district data in any form at any time. • Xxx Xxxxxxxxx Xxx, Xxxxxxx, XX, 00000 • (000) 000-0000 • Security Information for the Microsoft Azure platform, including attestations for NIST, SOC2organizational measures, and other compliance offerings, can be found here: xxxxx://xxxxx.xxxxxxxxx.xxx/en-us/azure/compliance/offerings/ Privacy • Data stored in ARC digital products remains the property Finalsite’s third party hosting providers perform regular testing of the district physical security measures. Finalsite continuously monitors its systems for malware utilizing industry-standard managed threat detection. Finalsite conducts annual independent penetration testing of its systems and is protected by several policies applications to ensure privacy. • American Reading Company does not share district data with any third parties unless requested by district administrationidentify and resolve foreseeable attack vectors and potential cyber threats.

Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. Additional elements of Vendor’s Data Security and Privacy Plan are as follows: (a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance. . (b) In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, Vendor will have the following reasonable administrative, technical, operational and physical safeguards and practices in place throughout the term of the MLSA: ARC digital products adhere All eDoctrina employees and Castle Software, Inc. and content contractors, regardless of whether they access student or teacher data to provide the following security service or not, receive annual FERPA training and disaster recovery practices: • All web-based services are required to review and RESTful API calls use TLS 1.2 securityacknowledge compliance with the Written Information Security Plan Policy (WISPP), which is provided with this addendum and which outlines the eDoctrina and Castle Learning compliance methodology. • All eDoctrina and Castle Learning passwords are protected by encryption and divided into multiple administrator groups (District Administrator, School Administrator, Teacher). Primary tables that store student/staff personally identifiable information are encrypted using AES‐256, master key stored in MySQL a Key Management Service (KMS). Database dumps are encrypted using AES‐256 ‐ encryption is enabled on all storage services so that all new objects are encrypted at rest when they are stored. The objects are encrypted using InnoDB tablespace encryptionserver‐side encryption with customer master keys (CMKs) stored in the KMS. • ARC digital products offer Only eDoctrina and Castle Learning staff with the need to access for teachers, school administrators, and district administrators as identified by the district. Users in each of those security groups servers to provide the service have access to only those student records in their scope of responsibility. • For districts using Clever Instant Login or Classlink OneClick Single Sign-Onthe encryption keys, which means the district maintains real-time control of all user credentials. For districts not using one of our supported single sign-on solutions, districts may assign usernames and passwords up to 128 characters. All passwords are stored using BCrypt encryption. • The TrueNet data center includes biometric door locks coupled with NFC cards. All server cabinets are locked. • Servers at the TrueNet data center have dual power supplies connected to separate power circuits with battery backup. • All data at the TrueNet data center is stored on striped and mirrored hard drives for redundancy. • All digital product data is replicated to multiple database servers behind our firewalls. • All data is backed up daily using Dell RapidRecovery, encrypted, and transferred securely to ARC’s headquarters. • All employees who might require access to secure data are provided with training in safe-handling procedures. ARC digital products are hosted on the Microsoft Azure cloud platform. Through the use of encryption and restricted access to physical devices, Microsoft provider does not have access to district the data. SSL/TLS encryption is used to protect all data in transit. (c) Vendor will comply with all obligations set forth in Erie 1 BOCES’ “Supplemental Information about the MLSA” below. (d) For any form at of its officers or employees (or officers or employees of any time. • Xxx Xxxxxxxxx Xxxof its subcontractors or assignees) who have access to Protected Data, XxxxxxxVendor has provided or will provide training on the federal and state laws governing confidentiality of such data prior to their receiving access, XXas follows: Annually, 00000 • Vendor will require that all of its employees (000or officers or employees of any of its subcontractors or assignees) 000undergo data security and privacy training to ensure that these individuals are aware of and familiar with all applicable data security and privacy laws. (e) Vendor will not utilize sub-0000 • Security Information contractors for the Microsoft Azure platformpurpose of fulfilling one or more of its obligations under the MLSA. In the event that Vendor engages any subcontractors, assignees, or other authorized agents to perform its obligations under the MLSA, it will require such subcontractors, assignees, or other authorized agents to execute written agreements as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below. (f) Vendor will manage data security and privacy incidents that implicate Protected Data, including attestations for NIST, SOC2identifying breaches and unauthorized disclosures, and other compliance offeringsVendor will provide prompt notification of any breaches or unauthorized disclosures of Protected Data in accordance with Section 6 of this Data Sharing and Confidentiality Agreement. (g) Vendor will implement procedures for the return, can be found here: xxxxx://xxxxx.xxxxxxxxx.xxx/en-us/azure/compliance/offerings/ Privacy • transition, deletion and/or destruction of Protected Data stored at such time that the MLSA is terminated or expires, as more fully described in ARC digital products remains Erie 1 BOCES’ “Supplemental Information about the property of the district and is protected by several policies to ensure privacy. • American Reading Company does not share district data with any third parties unless requested by district administrationMLSA,” below.

Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. Additional elements of Vendor’s Data Security and Privacy Plan are as follows: (a) In order to implement all applicable state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance. In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, Vendor will have the following reasonable administrative, technical, operational and physical safeguards and practices in place throughout the term of the MLSA: ARC digital products adhere xxxxx://xxx.xxxxxxxx.xxx/about/privacy_policy/ We strive to the following maintain security policies and disaster recovery practices: • All web-based services and RESTful API calls use TLS 1.2 securityprocedures that are designed to protect your information. • All personally identifiable information stored Our servers are located in MySQL is encrypted at rest using InnoDB tablespace encryption. • ARC digital products offer access for teachersa secured, school administratorslocked, and district administrators as identified monitored environment to prevent unauthorized entry or theft, and are protected by a firewall. The servers are located in a data center in the United States and backed up daily to a secure, U.S.-based, off-site data center. We take extra measures to ensure the safety of PII and Student Records and apply a Secure Sockets Layer (SSL or HTTPS) encrypting technology to establish and ensure that all data passed between the server and the browser remains encrypted. Governance policies and access controls are in place to ensure that the information of each district, school, or other subscriber is separated, and all subscribers can only access their own data. Users in each of those security groups Only limited BrainPOP personnel have access to only those student records in their scope of responsibility. • For districts using Clever Instant Login or Classlink OneClick Single Sign-On, the district maintains real-time control of all user credentials. For districts not using one of our supported single sign-on solutions, districts may assign usernames and passwords up to 128 characters. All passwords are stored using BCrypt encryption. • The TrueNet data center includes biometric door locks coupled with NFC cards. All server cabinets are locked. • Servers at the TrueNet data center have dual power supplies connected to separate power circuits with battery backup. • All data at the TrueNet data center is stored on striped and mirrored hard drives for redundancy. • All digital product data is replicated to multiple database servers behind our firewalls. • All data is backed up daily using Dell RapidRecovery, encrypteddatabase, and transferred securely personnel only access it when necessary to ARC’s headquartersprovide services. • All employees who might require Personnel with access to secure data are provided Student Records pass criminal background checks and undergo periodic privacy training. We follow standardized and documented procedures for coding, configuration management, patch installation, and change management for all applicable servers, and we audit our practices at least once a year. (b) Vendor will comply with training all obligations set forth in safe-handling procedures. ARC digital products are hosted on Erie 1 BOCES’ “Supplemental Information about the Microsoft Azure cloud platform. Through the use MLSA” below. (c) For any of encryption and restricted access to physical devices, Microsoft does not its officers or employees (or officers or employees of any of its subcontractors or assignees) who have access to district Protected Data, Vendor has provided or will provide training on the federal and state laws governing confidentiality of such data in prior to their receiving access, as follows: Annually, Vendor will require that all of its employees (or officers or employees of any form at any time. • Xxx Xxxxxxxxx Xxx, Xxxxxxx, XX, 00000 • of its subcontractors or assignees) undergo data security and privacy training to ensure that these individuals are aware of and familiar with all applicable data security and privacy laws. (000d) 000Vendor [check one] x will will not utilize sub-0000 • Security Information contractors for the Microsoft Azure platformpurpose of fulfilling one or more of its obligations under the MLSA. In the event that Vendor engages any subcontractors, assignees, or other authorized agents to perform its obligations under the MLSA, it will require such subcontractors, assignees, or other authorized agents to execute written agreements as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below. (e) Vendor will manage data security and privacy incidents that implicate Protected Data, including attestations for NIST, SOC2identifying breaches and unauthorized disclosures, and other compliance offeringsVendor will provide prompt notification of any breaches or unauthorized disclosures of Protected Data in accordance with Section 6 of this Data Sharing and Confidentiality Agreement. (f) Vendor will implement procedures for the return, can be found here: xxxxx://xxxxx.xxxxxxxxx.xxx/en-us/azure/compliance/offerings/ Privacy • transition, deletion and/or destruction of Protected Data stored at such time that the MLSA is terminated or expires, as more fully described in ARC digital products remains Erie 1 BOCES’ “Supplemental Information about the property of the district and is protected by several policies to ensure privacy. • American Reading Company does not share district data with any third parties unless requested by district administrationMLSA,” below.

Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. Additional elements of Vendor’s Data Security and Privacy Plan are as follows: (a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance. . (b) In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, Vendor will have the following reasonable administrative, technical, operational and physical safeguards and practices in place throughout the term of the MLSA: ARC digital products adhere ● Provide training on federal and state law governing confidentiality to the following security ensure proper safeguard measures to protect security, confidentiality, and disaster recovery practices: • All web-based services and RESTful API calls use TLS 1.2 security. • All integrity of personally identifiable information stored in MySQL is encrypted at rest using InnoDB tablespace encryptionBOCES information. • ARC digital products offer access for teachers, school administrators, and district administrators as identified by the district. Users in each of those security groups have ● Limit internal access to only those student individuals that are determined to have legitimate educational interests. ● xXxxxx.xxx maintains reasonable administrative, technical, physical safeguards to protect the security, confidentiality, and integrity of education records in their scope its custody; secure suite in office building accessible by lock/key and additional remote buzzer for entry. All computers/desktops are password protected and only accessible by authorized personnel. Any physical documents are stored/locked in file cabinets. ● iTutor operates in the most secure environment possible with state-of-the-art cloud-based infrastructure. One of responsibilitythe key features iTutor has all data stored using data security that is available through AWS RDS. • For districts using Clever Instant Login All features can be reviewed on the AWS site as needed. ● xXxxxx.xxx will notify BOCES upon any breach of security resulting in an unauthorized release of student data by xXxxxx.xxx or Classlink OneClick Single Sign-Onits assignees in violation of State or Federal law or regulation, Parents Bill of Rights for student data privacy and security, the district data privacy and security policies and procedures of BOCES and/or building contractual obligations relations to data privacy in security. Notification will be sent in the most expedient way practicable and without unreasonable delay. ● Education portal, along with internal infrastructure are protected with managed services providing standards. Each activity towards possible treats is monitored. An electronics notification system will self-alert our administrative team about possible breach or potential attack. Security governance process will identify the level of breach if occurred and will address via defined code of processor and counter measures. Breach will be immediately reported to required authorities, along with severalty, cause of damage, possibility of damage, and action plan along with deadlines for the remedy. ● Other measures to further prevent and monitor threats will be provided via third party providers and partners. ● xXxxxx.xxx maintains real-time control reasonable administrative, technical, physical safeguards to protect the security, confidentiality, and integrity of all user credentials. For districts not using one of our supported single sign-on solutions, districts may assign usernames education records in its custody; secure suite in office building accessible by lock/key and passwords up to 128 charactersadditional remote buzzer for entry. All passwords computers/desktops are stored password protected and only accessible by authorized personnel. Any physical documents are stored/locked in file cabinets. ● Encryption xXxxxx.xxx will protect data in motion or in custody from unauthorized disclosure, using BCrypt encryptiontechnology or methodology specified by the secretary of the US Department of Health and Human Services in guidance issued under Sec 13402 (h)(2) of Public Law 111-5 ● Database security, secured algorithms, controlled port access assures data at rest. • The TrueNet Data is formatted in raw format during execution and access creating cipher code regeneration. Data at Rest is a stationary data, post data center includes biometric door locks coupled execution, data is migrated to storage devices following IPsec cipher with NFC cardsuse of integral database engines. ● Clear text data captured via portal will be over SSL layer along with last mile 128 bit SSL sealed encryption monitored and provided by industry leader solution providers. Post motion data will follow data at rest procedures. Content delivery data is sole property of xXxxxx.xxx, not required to be safeguarded as it does not hold any relevant information that needs privacy. ● xXxxxx.xxx will not disclose provided data other than to those of its employees or agents who have a need to know such provided data under this Agreement. xXxxxx.xxx will not use provided data for any other purposes than those explicitly provided for in this Agreement. All server cabinets are locked. • Servers at the TrueNet provided data center have dual power supplies connected to separate power circuits with battery backup. • All data at the TrueNet data center is stored on striped and mirrored hard drives for redundancy. • All digital product data is replicated to multiple database servers behind our firewalls. • All data is backed up daily using Dell RapidRecovery, encrypted, and transferred securely to ARC’s headquarters. • All employees who might require access to secure data are provided with training in safe-handling procedures. ARC digital products are hosted on the Microsoft Azure cloud platform. Through the use of encryption and restricted access to physical devices, Microsoft does not have access to district data in any form at any time. • Xxx Xxxxxxxxx Xxx, Xxxxxxx, XX, 00000 • (000) 000-0000 • Security Information for the Microsoft Azure platform, including attestations for NIST, SOC2, and other compliance offerings, can be found here: xxxxx://xxxxx.xxxxxxxxx.xxx/en-us/azure/compliance/offerings/ Privacy • Data stored in ARC digital products remains shall remain the property of the district disclosing party. Personally identifiable info or data that is provided to the Provider may not be sold or used for marketing purposes. ● xXxxxx.xxx will treat data provided as confidential and is protected shall protect the nature of the provided data by several policies using the same degree of care, but not less than a reasonable degree of care, as we use to protect our own confidential data, so as to prevent the unauthorized dissemination or publication of provided data to third parties. Being a portal based access even for subcontractors, Data remains on the portal. Constant improvising Safeguards protect data from migration, copying and sharing. Session between the subcontract access device and our portal will be on a secured connectivity path. (c) Vendor will comply with all obligations set forth in Erie 1 BOCES’ “Supplemental Information about the MLSA” below. (d) For any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who have access to Protected Data, Vendor has provided or will provide training on the federal and state laws governing confidentiality of such data prior to their receiving access, as follows: Annually, Vendor will require that all of its employees (or officers or employees of any of its subcontractors or assignees) undergo data security and privacy training to ensure privacythat these individuals are aware of and familiar with all applicable data security and privacy laws. (e) Vendor [check one] ✔ will will not utilize sub-contractors for the purpose of fulfilling one or more of its obligations under the MLSA. • American Reading Company does not share district In the event that Vendor engages any subcontractors, assignees, or other authorized agents to perform its obligations under the MLSA, it will require such subcontractors, assignees, or other authorized agents to execute written agreements as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below. (f) Vendor will manage data security and privacy incidents that implicate Protected Data, including identifying breaches and unauthorized disclosures, and Vendor will provide prompt notification of any breaches or unauthorized disclosures of Protected Data in accordance with any third parties unless requested by district administrationSection 6 of this Data Sharing and Confidentiality Agreement. (g) Vendor will implement procedures for the return, transition, deletion and/or destruction of Protected Data at such time that the MLSA is terminated or expires, as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.

Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. Additional elements of Vendor’s Data Security and Privacy Plan are as follows: (a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance. . (b) In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, Vendor will have the following reasonable administrative, technical, operational and physical safeguards and practices in place throughout the term of the MLSA: ARC digital products adhere to the following [Insert here – also provide a copy of Data Security and Privacy Plan] 1 Outline how you will implement applicable data security and disaster recovery practicesprivacy contract requirements over the life of the Contract. LinkIt! maintains strict privacy and security protocols that are established in accordance with industry standards. These include both technical safeguards and procedural safeguard with respect to data access and sharing procedures. More details on our plan may be found online at: • All web-based services xxxxx://xxx.xxxxxx.xxx/privacy-policy 2 Specify the administrative, operational and RESTful API calls use TLS 1.2 securitytechnical safeguards and practices that you have in place to protect PII. • All personally identifiable information stored The safeguards in MySQL is encrypted at rest using InnoDB tablespace encryption. • ARC digital products offer access for teachersplace to protect PII data are too numerous to fully detail here, school administrators, but data and district administrators as identified by the district. Users in each of those security groups have access to only those student records in their scope of responsibility. • For districts using Clever Instant Login or Classlink OneClick Single Sign-On, the district maintains real-time control of all user credentials. For districts not using one of our supported single sign-on solutions, districts may assign usernames and passwords up to 128 characters. All passwords files are stored using BCrypt encryptionsecurely on the industry- leading Amazon (AWS) hosting platform. • Our data and security model follows best practices and consists principally of the following: ● Physical Security: Web servers, data servers and network data storage are on servers maintained by AWS. We perform full daily backups and hourly incremental backups which are stored offsite in the event of a disaster. The TrueNet data center includes biometric door locks coupled with NFC cards. All server cabinets are locked. • Servers at the TrueNet data center have dual power supplies connected to separate power circuits with battery backup. • All data at the TrueNet data center is stored on striped located in a secure area with restricted onsite access. ● Data Security: LinkIt! utilizes industry-leading Microsoft SQL database that enables encryption in transit and mirrored hard drives for redundancyat rest. • All digital product data is replicated Electronic access to multiple database servers behind our firewallsis restricted through dedicated web servers on a local network. • All data is backed up daily using Dell RapidRecovery, encrypted, and transferred securely This provides an effective barrier against attempts to ARC’s headquartersdirectly compromise database integrity. • All employees who might require access to secure data are provided with training in safe-handling procedures. ARC digital products are hosted on the Microsoft Azure cloud platform. Through the use of encryption and restricted access to physical devices, Microsoft does not have access to district data in any form at any time. • Xxx Xxxxxxxxx Xxx, Xxxxxxx, XX, 00000 • (000) 000-0000 • Security Information for the Microsoft Azure platform, including attestations for NIST, SOC2, and other compliance offerings, can be found here: xxxxx://xxxxx.xxxxxxxxx.xxx/en-us/azure/compliance/offerings/ Privacy • Data stored in ARC digital products remains the property of the district and is protected by several policies to ensure privacy. • American Reading Company does not share district data with any third parties unless requested by district administration.●

Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. Additional elements of Vendor’s Data Security and Privacy Plan are as follows: (a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance. . (b) In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, Vendor will have the following reasonable administrative, technical, operational and physical safeguards and practices in place throughout the term of the MLSA: ARC digital products adhere The EMS complies with all district, state, and federal policies related to student privacy. The EMS is Family Educational Rights and Privacy Act (FERPA) compliant. The EMS hosting environment is located in a secure, safe environment. It employs a number of industry standard security features to protect and store student data. Data is stored in accordance with all federal and state laws (e.g., FERPA). Xxxxxxx will only process student data as required to perform its obligations, and will comply with any reasonable, lawful, and written instructions from Erie 1 BOCES regarding Xxxxxxx'x processing. Following separation of services, Xxxxxxx will never use student data. To meet and exceed data security and privacy expectations, Xxxxxxx will take the following measures: · Staff will receive mandatory annual data privacy and security awareness training; · The Xxxxxxx platform uses a role-based authentication system to limit access to student records. Staff accounts are disabled as part of offboarding procedures so that only authorized staff have access to student records; · Xxxxxxx will not use any BOCES’ student records for purposes other than providing the contracted services; · Xxxxxxx has a well-documented incident management protocol for investigating, triaging, mitigating and reporting unauthorized disclosure of information; and · Pearson maintains a comprehensive information security program reasonably appropriate for the Erie 1 BOCES student data, which includes all reasonably appropriate technical security and disaster recovery practices: • All web-based services organizational measures to protect Erie 1 BOCES student data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access and RESTful API calls use TLS 1.2 securityagainst all other unlawful forms of processing. • All The only personally identifiable information (PII) that is stored in MySQL the EMS is encrypted at rest using InnoDB tablespace first name and last name. Email address is optional. The EMS does not store any demographic data. All student information is displayed on a secure https line. No student data is stored in an external data source from the application. Distributed Learning Application Protocol (DLAP) commands are architected to use IDs rather than student names. All data accessed via the EMS will be accessed through forced SSL for privacy and security purposes. Private data transmitted between systems for data reporting purposes will always be transmitted with secure FTP or over a private VPN that provides encryption. • ARC digital products offer access for teachers, school administrators, and district administrators as identified by . (c) Vendor will comply with all obligations set forth in Erie 1 BOCES’ “Supplemental Information about the district. Users in each MLSA” below. (d) For any of those security groups its officers or employees (or officers or employees of any of its subcontractors or assignees) who have access to only those student records Protected Data, Vendor has provided or will provide training on the federal and state laws governing confidentiality of such data prior to their receiving access, as follows: Annually, Vendor will require that all of its employees (or officers or employees of any of its subcontractors or assignees) undergo data security and privacy training to ensure that these individuals are aware of and familiar with all applicable data security and privacy laws. (e) Vendor [check one] will x will not utilize sub-contractors for the purpose of fulfilling one or more of its obligations under the MLSA. In the event that Vendor engages any subcontractors, assignees, or other authorized agents to perform its obligations under the MLSA, it will require such subcontractors, assignees, or other authorized agents to execute written agreements as more fully described in their scope of responsibility. • For districts using Clever Instant Login or Classlink OneClick Single Sign-OnErie 1 BOCES’ “Supplemental Information about the MLSA,” below. (f) Vendor will manage data security and privacy incidents that implicate Protected Data, the district maintains real-time control of all user credentials. For districts not using one of our supported single sign-on solutions, districts may assign usernames including identifying breaches and passwords up to 128 characters. All passwords are stored using BCrypt encryption. • The TrueNet data center includes biometric door locks coupled with NFC cards. All server cabinets are locked. • Servers at the TrueNet data center have dual power supplies connected to separate power circuits with battery backup. • All data at the TrueNet data center is stored on striped and mirrored hard drives for redundancy. • All digital product data is replicated to multiple database servers behind our firewalls. • All data is backed up daily using Dell RapidRecovery, encryptedunauthorized disclosures, and transferred securely to ARC’s headquarters. • All employees who might require access to secure data are provided Vendor will provide prompt notification of any breaches or unauthorized disclosures of Protected Data in accordance with training in safe-handling procedures. ARC digital products are hosted on the Microsoft Azure cloud platform. Through the use Section 6 of encryption this Data Sharing and restricted access to physical devices, Microsoft does not have access to district data in any form at any time. • Xxx Xxxxxxxxx Xxx, Xxxxxxx, XX, 00000 • Confidentiality Agreement. (000g) 000-0000 • Security Information Vendor will implement procedures for the Microsoft Azure platformreturn, including attestations for NISTtransition, SOC2deletion and/or destruction of Protected Data at such time that the MLSA is terminated or expires, and other compliance offerings, can be found here: xxxxx://xxxxx.xxxxxxxxx.xxx/en-us/azure/compliance/offerings/ Privacy • Data stored as more fully described in ARC digital products remains Erie 1 BOCES’ “Supplemental Information about the property of the district and is protected by several policies to ensure privacy. • American Reading Company does not share district data with any third parties unless requested by district administrationMLSA,” below.