Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. Additional elements of Vendor’s Data Security and Privacy Plan are as follows: (a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance. (b) In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, Vendor will have the following reasonable administrative, technical, operational and physical safeguards and practices in place throughout the term of the MLSA: [Insert here – also provide a copy of Data Security and Privacy Plan] Cengage Learning, Inc. maintains a formal, written information security program containing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of personal information. This program is reasonably designed to protect (i) the security and confidentiality of personal information, (ii) protect against any anticipated threats or hazards to the security or integrity of the information, and (iii) protect against unauthorized access to or use of the information. This document provides an overview of Cengage’s information security program.
Appears in 2 contracts
Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. Additional elements of Vendor’s Data Security and Privacy Plan are as follows:
(a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance.
(b) In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, Vendor will have the following reasonable administrative, technical, operational and physical safeguards and practices in place throughout the term of the MLSA: [Insert here – also provide a copy of Data Security and Privacy Plan] The MAD-learn LLC mobile app development/learning application provides security for client content at all levels. Document uploads and all other client-server data reside in the secure Microsoft Azure cloud and all network transmissions use SSL. All uploaded content is stored in secure databases that use TDE (Transparent Database Encryption). Access to client data is restricted to users with proper account credentials. Extensive physical security protocols are enforced at the data centers where the servers are hosted, and a full range of security policies governing employee activities are implemented across the enterprise.
- Application
  o Client-server communication uses HTTPS protocol (SSL)
  o Client data is stored securely in Azure SQL Server encrypted with TDE
  o Access to application is restricted based on email address and password
  o All end-user activities are monitored and logged
  o Clients have full control over user account creation and revocation
- Physical
  o Application and client data is stored on servers hosted in enterprise-class Azure data centers
  o Access to application servers is restricted exclusively to authorized, prescreened personnel
  o Physical access to data center is controlled by ID badge, fingerprint, and retinal scan
  o MAD-learn LLC uses current-generation, enterprise-class firewalls and secure routers to protect client data from external intrusion
- Policies
  o MAD-learn LLC screens and performs background checks of all employees and ensures all vendors perform employee background checks
  o MAD-learn LLC employees sign nondisclosure agreements covering confidential client data
  o MAD-learn LLC employees are not allowed to use removable drives or media in the office
  o Penetration tests are performed regularly on all Azure application servers where MAD-learn apps and data are stored
  o Full and incremental backups of all application and client data are performed on a weekly basis
  o Business continuity and contingency plans are routinely updated and tested
  o Internal and external employee access to all MAD-learn admin tools and servers is monitored and logged
  o Current-generation anti-virus, spyware, and malware protection software is installed on all servers, desktops, and laptops
All data that is uploaded and stored within the MAD-learn system is protected by Microsoft Azure TLS/SSL encryption. Microsoft uses the Transport Layer Security (TLS) protocol to protect data when it’s traveling between the cloud services and customers.
Microsoft datacenters negotiate a TLS connection with client systems that connect to Azure services. TLS provides strong authentication, message privacy, and integrity (enabling detection of message tampering, interception, and forgery), interoperability, algorithm flexibility, and ease of deployment and use. Perfect Forward Secrecy (PFS) protects connections between customers’ client systems and Microsoft cloud services by unique keys. Connections also use RSA-based 2,048-bit encryption key lengths. This combination makes it difficult for someone to intercept and access data that is in transit.
(c) Vendor will comply with all obligations set forth in Erie 1 BOCES’ “Supplemental Information about the MLSA” below.
(d) For any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who have access to Protected Data, Vendor has provided or will provide training on the federal and state laws governing confidentiality of such data prior to their receiving access, as follows: Annually, Vendor will require that all of its employees (or officers or employees of any of its subcontractors or assignees) undergo data security and privacy training to ensure that these individuals are aware of and familiar with all applicable data security and privacy laws.
(e) Vendor [check one] will X will not utilize sub-contractors for the purpose of fulfilling one or more of its obligations under the MLSA. In the event that Vendor engages any subcontractors, assignees, or other authorized agents to perform its obligations under the MLSA, it will require such subcontractors, assignees, or other authorized agents to execute written agreements as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.
(f) Vendor will manage data security and privacy incidents that implicate Protected Data, including identifying breaches and unauthorized disclosures, and Vendor will provide prompt notification of any breaches or unauthorized disclosures of Protected Data in accordance with Section 6 of this Data Sharing and Confidentiality Agreement.
(g) Vendor will implement procedures for the return, transition, deletion and/or destruction of Protected Data at such time that the MLSA is terminated or expires, as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.
Appears in 1 contract
Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. Additional elements of Vendor’s Data Security and Privacy Plan are as follows:
(a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance.
(b) In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, Vendor will have the following reasonable administrative, technical, operational and physical safeguards and practices in place throughout the term of the MLSA: [Insert here – also provide a copy of Data Security and Privacy Plan] Cengage Learning, Inc. maintains a formal, written information security program containing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of personal information. This program is reasonably designed to protect (i) the security and confidentiality of personal information, (ii) protect against any anticipated threats or hazards to the security or integrity of the information, and (iii) protect against unauthorized access to or use of the information. This document provides an overview of Cengage’s information security program.
Appears in 1 contract
Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. Additional elements of Vendor’s Data Security and Privacy Plan are as follows:
(a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance.
(b) In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, Vendor will have the following reasonable administrative, technical, operational and physical safeguards and practices in place throughout the term of the MLSA: [Insert here – also provide a copy of Data Security and Privacy Plan] Vendor follows the protocols outlined in NIST SP-800-171 framework to protect the security, confidentiality and integrity of Protected Data. Vendor datacenters are certified with SOC2, SAS70 and ISO 27001. All physical equipment is in Vendor's locked cage at TPx (TelePacific) datacenters, which restricts access to limited and authorized Vendor personnel. Entry requires ID verification, check-in and authorization by security guards, and passing mantraps using biometric checks and verification of access cards. All sensitive student data is stored and encrypted in the databases and is backed up on EMC Data Domain Backup Storage with Encryption enabled. No data is stored outside of the United States. Vendor uses industry standard physical, electronic, and procedural security measures to protect against loss, misuse, and unauthorized access, disclosure, alteration or destruction of Protected Data. All Protected Data is encrypted when it is in route from client browser to Vendor’s web servers using TLS 1.
Appears in 1 contract
Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. Additional elements of Vendor’s Data Security and Privacy Plan are as follows: xxxxx://xxx.xxxxxxxxxxxx.xxx/privacy
(a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance.
(b) As required by the NIST Cybersecurity Framework, in order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA,
a. Vendor will have the following reasonable administrative, technical, operational, and physical safeguards and practices in place throughout the term of the MLSA:
i. Data Security:
1. Data-at-rest & data-in-transit is encrypted
2. Data leak protections are implemented
ii. Information Protection Processes and Procedures:
1. Data destruction is performed according to contract and agreements
2. A plan for vulnerability management is developed and implemented
iii. Protective Technology:
1. Log/audit records are ascertained, implemented, documented, and reviewed according to policy
2. Network communications are protected
iv. Identity Management, Authentication and Access Control:
1. Credentials and identities are issued, verified, managed, audited, and revoked, as applicable, for authorized dev
(c) Vendor will comply with all obligations set forth in Erie 1 BOCES’ “Supplemental Information about the MLSA” below.
(d) For any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who have access to Protected Data, Vendor has provided or will provide training on the federal and state laws governing confidentiality of such data prior to their receiving access, as follows: Annually, Vendor will require that all of its employees (or officers or employees of any of its subcontractors or assignees) undergo data security and privacy training to ensure that these individuals are aware of and familiar with all applicable data security and privacy laws. Vendor shall enter into an agreement--either by signature or click-through acceptance--with all such subprocessors, whereby the terms of the agreement include obligations that will ensure that (a) the Student Data is protected in a manner no less stringent than the manner in which Vendor protects the Student Data, (b) the subprocessor will not sell the Student Data, and (c) the subprocessor may not materially alter the agreement with Vendor unless notice is provided to Vendor.
(e) Vendor [check one] √ will will not utilize sub-contractors for the purpose of fulfilling one or more of its obligations under the MLSA. In the event that Vendor engages any subcontractors, assignees, or other authorized agents to perform its obligations under the MLSA, it will require such subcontractors, assignees, or other authorized agents to execute written agreements as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.
(f) Vendor will manage data security and privacy incidents that implicate Protected Data, including identifying breaches and unauthorized disclosures, and Vendor will provide prompt notification of any breaches or unauthorized disclosures of Protected Data in accordance with Section 6 of this Data Sharing and Confidentiality Agreement.
(g) Vendor will implement procedures for the return, transition, deletion and/or destruction of Protected Data at such time that the MLSA is terminated or expires, as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.
Appears in 1 contract