Common use of Data Security and Privacy Plan Clause in Contracts

Data Security and Privacy Plan. As more fully described herein, throughout the term of the Master Agreement, Vendor will have a Data Security and Privacy Plan in place to protect the confidentiality, privacy and security of the Protected Data it receives from the District. Vendor’s Plan for protecting the District’s Protected Data includes, but is not limited to, its agreement to comply with the terms of the District’s Bill of Rights for Data Security and Privacy, a copy of which is set forth below and has been signed by the Vendor. Additional components of Vendor’s Data Security and Privacy Plan for protection of the District’s Protected Data throughout the term of the Master Agreement are as follows: (a) Vendor will implement all state, federal, and local data security and privacy requirements including those contained within the Master Agreement and this Data Sharing and Confidentiality Agreement, consistent with the District’s data security and privacy policy, which are attached to this Master Agreement. (b) Vendor will have specific administrative, operational and technical safeguards and practices in place to protect Protected Data that it receives from the District under the Master Agreement. (c) Vendor will comply with all obligations contained within the section set forth in this Exhibit below entitled “Supplemental Information about a Master Agreement between Jamestown City School District and Houghton Mifflin Harcourt Publishing Company ” Vendor’s obligations described within this section include, but are not limited to: (i) its obligation to require subcontractors or other authorized persons or entities to whom it may disclose Protected Data (if any) to execute written agreements acknowledging that the data protection obligations imposed on Vendor by state and federal law and the Master Agreement shall apply to the subcontractor, and (ii) its obligation to follow certain procedures for the return, transition, deletion and/or destruction of Protected Data upon termination, expiration or assignment (to the extent authorized) of the Master Agreement. (d) Vendor has provided or will provide ongoing training on the federal and state laws governing confidentiality of Protected Data for any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who will have access to Protected Data, prior to their receiving access. (e) Vendor will manage data security and privacy incidents that implicate Protected Data and will develop and implement plans to identify breaches and unauthorized disclosures. Vendor will provide prompt notification to the District of any confirmed breaches or unauthorized disclosures of Protected Data in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement.

Data Security and Privacy Plan. As more fully described herein, throughout the term of the Master Subscription Agreement, Vendor will have a Data Security and Privacy Plan in place to protect the confidentiality, privacy and security of the Protected Data it receives from the District. Vendor’s Plan for protecting the District’s Protected Data includes, but is not limited to, its agreement to comply with the terms of the District’s Bill of Rights for Data Security and Privacy, a copy of which is set forth below and has been signed by the Vendor. Additional components of Vendor’s Data Security and Privacy Plan for protection of the District’s Protected Data throughout the term of the Master Subscription Agreement are as follows: (a) Vendor will implement all state, federal, and local data security and privacy requirements including those contained within the Master Subscription Agreement and this Data Sharing and Confidentiality Agreement, consistent with the District’s data security and privacy policy, which are attached to this Master Agreement. (b) Vendor will have specific administrative, operational and technical safeguards and practices in place to protect Protected Data that it receives from the District under the Master Subscription Agreement. (c) Vendor will comply with all obligations contained within the section set forth in this Exhibit below entitled “Supplemental Information about a Master Subscription Agreement between Jamestown City [Xxxxx-Fultonville Central School District District] and Houghton Mifflin Harcourt Publishing Company ” Vendor’s obligations described within this section include, but are not limited to:ReadWorks.” (i) its obligation to require subcontractors or other authorized persons or entities to whom it may disclose Protected Data (if any) to execute written agreements acknowledging that the data protection obligations imposed on Vendor by state and federal law and the Master Subscription Agreement shall apply to the subcontractor, and (ii) its obligation to follow certain procedures for the return, transition, deletion and/or destruction of Protected Data upon termination, expiration or assignment (to the extent authorized) of the Master Subscription Agreement. (d) Vendor has provided or will provide ongoing training on the federal and state laws governing confidentiality of Protected Data for any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who will have access to Protected Data, prior to their receiving access. (e) Vendor will manage data security and privacy incidents that implicate Protected Data and will develop and implement plans to identify breaches and unauthorized disclosures. Vendor will provide prompt notification to the District of any confirmed breaches or unauthorized disclosures of Protected Data in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement.

Data Security and Privacy Plan. As more fully described herein, throughout the term of the Master Agreement, Vendor will have a Data Security and Privacy Plan in place to protect the confidentiality, privacy and security of the Protected Data it receives from the District. Vendor’s Plan for protecting the District’s Protected Data includes, but is not limited to, its agreement to comply with the terms of the District’s Bill of Rights for Data Security and Privacy, a copy of which is set forth below and has been signed by the Vendor. Additional components of Vendor’s Data Security and Privacy Plan for protection of the District’s Protected Data throughout the term of the Master Agreement are as follows: (a) Vendor will implement all state, federal, and local data security and privacy requirements including those contained within the Master Agreement and this Data Sharing and Confidentiality Agreement, consistent with the District’s data security and privacy policy, which are attached to this Master Agreement. (b) Vendor will have specific administrative, operational and technical safeguards and practices in place to protect Protected Data that it receives from the District under the Master Agreement. (c) Vendor will comply with all obligations contained within the section set forth in this Exhibit below entitled “Supplemental Information about a Master Agreement between Jamestown City Chazy Central Rural School District and Houghton Mifflin Harcourt Publishing Company [Name of Vendor].” Vendor’s obligations described within this section include, but are not limited to: (i) its obligation to require subcontractors or other authorized persons or entities to whom it may disclose Protected Data (if any) to execute written agreements acknowledging that the data protection obligations imposed on Vendor by state and federal law and the Master Agreement shall apply to the subcontractor, and (ii) its obligation to follow certain procedures for the return, transition, deletion and/or destruction of Protected Data upon termination, expiration or assignment (to the extent authorized) of the Master Agreement. (d) Vendor has provided or will provide ongoing training on the federal and state laws governing confidentiality of Protected Data for any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who will have access to Protected Data, prior to their receiving access. (e) Vendor will manage data security and privacy incidents that implicate Protected Data and will develop and implement plans to identify breaches and unauthorized disclosures. Vendor will provide prompt notification to the District of any confirmed breaches or unauthorized disclosures of Protected Data in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement.

Data Security and Privacy Plan. As more fully described herein, throughout the term of the Master Agreement, Vendor will have a Data Security and Privacy Plan in place to protect the confidentiality, privacy and security of the Protected Data it receives from the District. Vendor’s Plan for protecting the District’s Protected Data includes, but is not limited to, its agreement to comply with the terms of the District’s Bill of Rights for Data Security and Privacy, a copy of which is set forth below and has been signed by the Vendor. Additional components of Vendor’s Data Security and Privacy Plan for protection of the District’s Protected Data throughout the term of the Master Agreement are as follows: (a) Vendor will implement all state, federal, and local data security and privacy requirements including those contained within the Master Agreement and this Data Sharing and Confidentiality Agreement, consistent with the District’s data security and privacy policy, which are attached to this Master Agreement. (b) Vendor will have specific administrative, operational and technical safeguards and practices in place to protect Protected Data that it receives from the District under the Master Agreement. (c) Vendor will comply with all obligations contained within the section set forth in this Exhibit below entitled “Supplemental Information about a Master Agreement between Jamestown City [Jasper-Troupsburg Central School District District] and Houghton Mifflin Harcourt Publishing Company [DeltaMath].” Vendor’s obligations described within this section include, but are not limited to: (i) its obligation to require subcontractors or other authorized persons or entities to whom it may disclose Protected Data (if any) to execute written agreements acknowledging that the data protection obligations imposed on Vendor by state and federal law and the Master Agreement shall apply to the subcontractor, and (ii) its obligation to follow certain procedures for the return, transition, deletion and/or destruction of Protected Data upon termination, expiration or assignment (to the extent authorized) of the Master Agreement. (d) Vendor has provided or will provide ongoing training on the federal and state laws governing confidentiality of Protected Data for any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who will have access to Protected Data, prior to their receiving access. (e) Vendor will manage data security and privacy incidents that implicate Protected Data and will develop and implement plans to identify breaches and unauthorized disclosures. Vendor will provide prompt notification to the District of any confirmed breaches or unauthorized disclosures of Protected Data in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement.

Data Security and Privacy Plan. As more fully described herein, throughout the term of the Master Agreement, Vendor agrees that it will have a Data Security and Privacy Plan in place to protect the confidentiality, privacy and security of the Protected Data it receives received from the District. Vendor’s Plan for protecting the District’s Protected Data includes, but is not limited to, its agreement to comply Participating Educational Agencies in accordance with the terms of the District’s Erie 1 BOCES’ Parents Bill of Rights for Data Security Privacy and PrivacySecurity, a copy of which is set forth below and has been signed by the VendorVendor and is set forth below. Additional components elements of Vendor’s Data Security and Privacy Plan for protection of the District’s Protected Data throughout the term of the Master Agreement are as follows: (a) Vendor will In order to implement all state, federal, and local data security and privacy requirements requirements, including those contained within the Master Agreement and this Data Sharing and Confidentiality Agreement, consistent with the District’s Erie 1 BOCES’ data security and privacy policy, which Vendor will: Review its data security and privacy policy and practices to ensure that they are attached in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to this Master Agreementensure such compliance. (b) In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, Vendor will have specific the following reasonable administrative, technical, operational and technical physical safeguards and practices in place throughout the term of the MLSA: The EMS complies with all district, state, and federal policies related to student privacy. The EMS is Family Educational Rights and Privacy Act (FERPA) compliant. The EMS hosting environment is located in a secure, safe environment. It employs a number of industry standard security features to protect Protected and store student data. Data is stored in accordance with all federal and state laws (e.g., FERPA). Xxxxxxx will only process student data as required to perform its obligations, and will comply with any reasonable, lawful, and written instructions from Erie 1 BOCES regarding Xxxxxxx'x processing. Following separation of services, Xxxxxxx will never use student data. To meet and exceed data security and privacy expectations, Xxxxxxx will take the following measures: · Staff will receive mandatory annual data privacy and security awareness training; · The Xxxxxxx platform uses a role-based authentication system to limit access to student records. Staff accounts are disabled as part of offboarding procedures so that it receives only authorized staff have access to student records; · Xxxxxxx will not use any BOCES’ student records for purposes other than providing the contracted services; · Xxxxxxx has a well-documented incident management protocol for investigating, triaging, mitigating and reporting unauthorized disclosure of information; and · Pearson maintains a comprehensive information security program reasonably appropriate for the Erie 1 BOCES student data, which includes all reasonably appropriate technical security and organizational measures to protect Erie 1 BOCES student data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access and against all other unlawful forms of processing. The only personally identifiable information (PII) that is stored in the EMS is first name and last name. Email address is optional. The EMS does not store any demographic data. All student information is displayed on a secure https line. No student data is stored in an external data source from the District under application. Distributed Learning Application Protocol (DLAP) commands are architected to use IDs rather than student names. All data accessed via the Master AgreementEMS will be accessed through forced SSL for privacy and security purposes. Private data transmitted between systems for data reporting purposes will always be transmitted with secure FTP or over a private VPN that provides encryption. (c) Vendor will comply with all obligations contained within the section set forth in this Exhibit below entitled Erie 1 BOCES’ “Supplemental Information about a Master Agreement between Jamestown City School District and Houghton Mifflin Harcourt Publishing Company the MLSA” Vendor’s obligations described within this section include, but are not limited to: (i) its obligation to require subcontractors or other authorized persons or entities to whom it may disclose Protected Data (if any) to execute written agreements acknowledging that the data protection obligations imposed on Vendor by state and federal law and the Master Agreement shall apply to the subcontractor, and (ii) its obligation to follow certain procedures for the return, transition, deletion and/or destruction of Protected Data upon termination, expiration or assignment (to the extent authorized) of the Master Agreementbelow. (d) Vendor has provided or will provide ongoing training on the federal and state laws governing confidentiality of Protected Data for For any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who will have access to Protected Data, Vendor has provided or will provide training on the federal and state laws governing confidentiality of such data prior to their receiving access, as follows: Annually, Vendor will require that all of its employees (or officers or employees of any of its subcontractors or assignees) undergo data security and privacy training to ensure that these individuals are aware of and familiar with all applicable data security and privacy laws. (e) Vendor [check one] will x will not utilize sub-contractors for the purpose of fulfilling one or more of its obligations under the MLSA. In the event that Vendor engages any subcontractors, assignees, or other authorized agents to perform its obligations under the MLSA, it will require such subcontractors, assignees, or other authorized agents to execute written agreements as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below. (f) Vendor will manage data security and privacy incidents that implicate Protected Data and will develop and implement plans to identify Data, including identifying breaches and unauthorized disclosures. , and Vendor will provide prompt notification to the District of any confirmed breaches or unauthorized disclosures of Protected Data in accordance with the provisions of Section 5 6 of this Data Sharing and Confidentiality Agreement. (g) Vendor will implement procedures for the return, transition, deletion and/or destruction of Protected Data at such time that the MLSA is terminated or expires, as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.

Data Security and Privacy Plan. As more fully described herein, throughout the term of the Master Agreement, Vendor will have a Data Security and Privacy Plan in place to protect the confidentiality, privacy and security of the Protected Data it receives from the District. Vendor’s Plan for protecting the District’s Protected Data includes, but is not limited to, its agreement to comply with the terms of the District’s Bill of Rights for Data Security and Privacy, a copy of which is set forth below and has been signed by the Vendor. Additional components of Vendor’s Data Security and Privacy Plan for protection of the District’s Protected Data throughout the term of the Master Agreement are as follows: (a) : Vendor will implement all state, federal, and local data security and privacy requirements including those contained within the Master Agreement and this Data Sharing and Confidentiality Agreement, consistent with the District’s data security and privacy policy, which are attached to this Master Agreement. (b) . Vendor will have specific administrative, operational and technical safeguards and practices in place to protect Protected Data that it receives from the District under the Master Agreement. (c) . [Name of Vendor] Vendor will comply with all obligations contained within the section set forth in this Exhibit below entitled “Supplemental Information about a Master Agreement between Jamestown City Xxxxxxxx Central School District and Houghton Mifflin Harcourt Publishing Company YouScience, LLC .” Vendor’s obligations described within this section include, but are not limited to: (i) : its obligation to require subcontractors or other authorized persons or entities to whom it may disclose Protected Data (if any) to execute written agreements acknowledging that the data protection obligations imposed on Vendor by state and federal law and the Master Agreement shall apply to the subcontractor, and (ii) and its obligation to follow certain procedures for the return, transition, deletion and/or destruction of Protected Data upon termination, expiration or assignment (to the extent authorized) of the Master Agreement. (d) . Vendor has provided or will provide ongoing training on the federal and state laws governing confidentiality of Protected Data for any of its officers or employees (or officers or employees of any of its subcontractors (other than subcontractors that are limited to hosting data storage or providing technology infrastructure) or assignees) who will have access to Protected Data, prior to their receiving access. (e) . Vendor will manage data security and privacy incidents that implicate Protected Data and will develop and implement plans to identify breaches and unauthorized disclosures. Vendor will provide prompt notification to the District of any confirmed breaches or unauthorized disclosures of Protected Data in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement.