Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. [Privacy Policy: xxxxx://xxx.xxxxxxxxx.xxx/privacy-policy A copy of our Data Security and Privacy Plan is provided on Page 32.] Additional elements of Vendor’s Data Security and Privacy Plan are as follows:
(a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance.
(b) As required by the NIST Cybersecurity Framework, in order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA,
a. Vendor will have the following reasonable administrative, technical, operational, and physical safeguards and practices in place throughout the term of the MLSA:
i. Data Security:
1. Data-at-rest & data-in-transit is encrypted
2. Data leak protections are implemented
ii. Information Protection Processes and Procedures:
1. Data destruction is performed according to contract and agreements
2. A plan for vulnerability management is developed and implemented
iii. Protective Technology:
1. Log/audit records are ascertained, implemented, documented, and reviewed according to policy
2. Network communications are protected
iv. Identity Management, Authentication and Access Control:
1. Credentials and identities are issued, verified, managed, audited, and revoked, as applicable, for authorized dev
(c) Vendor will comply with all obligations set forth in Erie 1 BOCES’ “Supplemental Information about the MLSA” below.
(d) For any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who have access to Protected Data, Vendor has provided or will provide training on the federal and state laws governing confidentiality of such data prior to their receiving access, as follows: Annually, Vendor will require that all of its employees (or officers or employees of any of its subcontractors or assignees) undergo data security and privacy training to ensure that these individuals are aware of and familiar with all applicable data security and privacy laws.
(e) Vendor [check one] will _X will not utilize sub-contractors for the purpose of fulfilling one or more of its obligations under the MLSA. In the event that Vendor engages any subcontractors, assignees, or other authorized agents to perform its obligations under the MLSA, it will require such subcontractors, assignees, or other authorized agents to execute written agreements as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.
(f) Vendor will manage data security and privacy incidents that implicate Protected Data, including identifying breaches and unauthorized disclosures, and Vendor will provide prompt notification of any breaches or unauthorized disclosures of Protected Data in accordance with Section 6 of this Data Sharing and Confidentiality Agreement.
(g) Vendor will implement procedures for the return, transition, deletion and/or destruction of Protected Data at such time that the MLSA is terminated or expires, as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.
Appears in 1 contract
Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. [New York privacy compliance guide and CodeHS privacy policy can be found here: xxxxx://xxxxxx.xxx/privacy/newyork] Additional elements of Vendor’s Data Security and Privacy Plan are as follows:
(a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance.
(b) As required by the NIST Cybersecurity Framework, in order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA,
a. Vendor will have the following reasonable administrative, technical, operational, and physical safeguards and practices in place throughout the term of the MLSA:
i. Data Security:
1. Data-at-rest & data-in-transit is encrypted
2. Data leak protections are implemented
ii. Information Protection Processes and Procedures:
1. Data destruction is performed according to contract and agreements
2. A plan for vulnerability management is developed and implemented
iii. Protective Technology:
1. Log/audit records are ascertained, implemented, documented, and reviewed according to policy
2. Network communications are protected
iv. Identity Management, Authentication and Access Control:
1. Credentials and identities are issued, verified, managed, audited, and revoked, as applicable, for authorized dev
(c) Vendor will comply with all obligations set forth in Erie 1 BOCES’ “Supplemental Information about the MLSA” below.
(d) For any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who have access to Protected Data, Vendor has provided or will provide training on the federal and state laws governing confidentiality of such data prior to their receiving access, as follows: Annually, Vendor will require that all of its employees (or officers or employees of any of its subcontractors or assignees) undergo data security and privacy training to ensure that these individuals are aware of and familiar with all applicable data security and privacy laws.
(e) Vendor [check one] will _X will not utilize sub-contractors for the purpose of fulfilling one or more of its obligations under the MLSA. In the event that Vendor engages any subcontractors, assignees, or other authorized agents to perform its obligations under the MLSA, it will require such subcontractors, assignees, or other authorized agents to execute written agreements as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.
(f) Vendor will manage data security and privacy incidents that implicate Protected Data, including identifying breaches and unauthorized disclosures, and Vendor will provide prompt notification of any breaches or unauthorized disclosures of Protected Data in accordance with Section 6 of this Data Sharing and Confidentiality Agreement.
(g) Vendor will implement procedures for the return, transition, deletion and/or destruction of Protected Data at such time that the MLSA is terminated or expires, as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.
Appears in 1 contract
Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. [Privacy Policy: xxxxx://xxx.xxxxxxxxx.xxx/privacy-policy A copy of our Data Security and Privacy Plan is provided on Page 32.] Additional elements of Vendor’s Data Security and Privacy Plan are as follows:
(a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance.
(b) In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, Vendor will have the following reasonable administrative, technical, operational and physical safeguards and practices in place throughout the term of the MLSA:
i. Data Security:
• Maintain secure firewalls and security rules of the production environment.
• Use TLS to prevent snooping on site traffic and encryption to secure data at rest.
• Block bad requests using a web application firewall (WAF) where possible.
• Use strong passwords to prevent guessing or brute force attacks against privileged credentials.
• Employ software to monitor security settings and perform periodic security scans of the environment.
• Minimize collection of personal data (generally limited to email address, first name, and last name and a security question for LearningExpress products that do not include our resume builder functionality.)
• Ensure that production user data does not leave the Production environment.
• Maintain an audit log of account events.
• Alert administrators in the case of unusual events to speed investigation and remediation.
• Leverage the AWS shared responsibility model, which provides the facilities for security compliance but requires LearningExpress to implement them in a secure fashion. For instance, incoming traffic can be secured down to a single IP address (but this rule needs to be specified).
• Perform daily backups and deletion of old backups on a frequent basis.
• Provide ability for site patrons to view, download and delete their account details.
• Maintain network segregation between production systems and other environments.
• Patch systems on a regular basis.
(c) Vendor will comply with all obligations set forth in Erie 1 BOCES’ “Supplemental Information about the MLSA” below.
(d) For any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who have access to Protected Data, Vendor has provided or will provide training on the federal and state laws governing confidentiality of such data prior to their receiving access, as follows: Annually, Vendor will require that all of its employees (or officers or employees of any of its subcontractors or assignees) undergo data security and privacy training to ensure that these individuals are aware of and familiar with all applicable data security and privacy laws.
(e) Vendor [check one] X will _X will not utilize sub-contractors for the purpose of fulfilling one or more of its obligations under the MLSA. In the event that Vendor engages any subcontractors, assignees, or other authorized agents to perform its obligations under the MLSA, it will require such subcontractors, assignees, or other authorized agents to execute written agreements as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.
(f) Vendor will manage data security and privacy incidents that implicate Protected Data, including identifying breaches and unauthorized disclosures, and Vendor will provide prompt notification of any breaches or unauthorized disclosures of Protected Data in accordance with Section 6 of this Data Sharing and Confidentiality Agreement.
(g) Vendor will implement procedures for the return, transition, deletion and/or destruction of Protected Data at such time that the MLSA is terminated or expires, as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.
Appears in 1 contract
Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. [Privacy Policy: xxxxx://xxxxxxx.xxx/privacy Please also see attached ‘Product Profile’ for data and security plan] Bulb’s privacy policy is located at xxxxx://xx.xxxxxxx.xxx/privacy-policy/ Additional elements of Vendor’s Data Security and Privacy Plan are as follows:
(a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance.
(b) As required by the NIST Cybersecurity Framework, in order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA,
a. Vendor will have the following reasonable administrative, technical, operational, and physical safeguards and practices in place throughout the term of the MLSA:
i. Data Security:
1. Data-at-rest & data-in-transit is encrypted
2. Data leak protections are implemented
ii. Information Protection Processes and Procedures:
1. Data destruction is performed according to contract and agreements
2. A plan for vulnerability management is developed and implemented
iii. Protective Technology:
1. Log/audit records are ascertained, implemented, documented, and reviewed according to policy
2. Network communications are protected
iv. Identity Management, Authentication and Access Control:
1. Credentials and identities are issued, verified, managed, audited, and revoked, as applicable, for authorized dev
(c) Vendor will comply with all obligations set forth in Erie 1 BOCES’ “Supplemental Information about the MLSA” below.
(d) For any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who have access to Protected Data, Vendor has provided or will provide training on the federal and state laws governing confidentiality of such data prior to their receiving access, as follows: Annually, Vendor will require that all of its employees (or officers or employees of any of its subcontractors or assignees) undergo data security and privacy training to ensure that these individuals are aware of and familiar with all applicable data security and privacy laws.
(e) Vendor [check one] Y will _X will not utilize sub-contractors for the purpose of fulfilling one or more of its obligations under the MLSA. In the event that Vendor engages any subcontractors, assignees, or other authorized agents to perform its obligations under the MLSA, it will require such subcontractors, assignees, or other authorized agents to execute written agreements as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.
(f) Vendor will manage data security and privacy incidents that implicate Protected Data, including identifying breaches and unauthorized disclosures, and Vendor will provide prompt notification of any breaches or unauthorized disclosures of Protected Data in accordance with Section 6 of this Data Sharing and Confidentiality Agreement.
(g) Vendor will implement procedures for the return, transition, deletion and/or destruction of Protected Data at such time that the MLSA is terminated or expires, as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.
Appears in 1 contract
Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. [Privacy Policy: xxxxx://xxx.xxxxxxxxx.xxx/privacy-policy A copy of our Data Security and Privacy Plan is provided on Page 32.] Additional elements of Vendor’s Data Security and Privacy Plan are as follows:
(a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance.
(b) In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, Vendor will have the following reasonable administrative, technical, operational and physical safeguards and practices in place throughout the term of the MLSA:
i. Data Security:
1. Vendor limits and controls access to Student Data only to employees, agents, and contractors who have a legitimate need to access such data, in order to perform their job functions and provide privacy and data security training on a regular basis.
2. Vendor maintains and enforces a security program with the administrative, physical and technical controls that Vendor has implemented and maintained in order to protect the security, privacy, confidentiality and integrity of confidential information (including Student Data) and to protect against unknown or reasonably anticipated threats.
3. Vendor has adopted and maintains technologies, safeguards and practices that align with the NIST Cybersecurity Framework and are designed to prevent unauthorized use or access to data processing systems and confidential information, including Student Data.
4. Vendor employs physical security controls, such as access controls to secure environments, locked physical filing systems in a secure office space and cloud-based infrastructure redundancy, hardware security controls, such as full-disk encryption, password/pin access and remote wipe capabilities, and virtual access controls.
(c) Vendor will comply with all obligations set forth in Erie 1 BOCES’ “Supplemental Information about the MLSA” below.
(d) For any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who have access to Protected Data, Vendor has provided or will provide training on the federal and state laws governing confidentiality of such data prior to their receiving access, as follows: Annually, Vendor will require that all of its employees (or officers or employees of any of its subcontractors or assignees) undergo data security and privacy training to ensure that these individuals are aware of and familiar with all applicable data security and privacy laws.
(e) Vendor [check one] will _X will will not utilize sub-contractors for the purpose of fulfilling one or more of its obligations under the MLSA. In the event that Vendor engages any subcontractors, assignees, or other authorized agents to perform its obligations under the MLSA, it will require such subcontractors, assignees, or other authorized agents to execute written agreements as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.
(f) Vendor will manage data security and privacy incidents that implicate Protected Data, including identifying breaches and unauthorized disclosures, and Vendor will provide prompt notification of any breaches or unauthorized disclosures of Protected Data in accordance with Section 6 of this Data Sharing and Confidentiality Agreement.
(g) Vendor will implement procedures for the return, transition, deletion and/or destruction of Protected Data at such time that the MLSA is terminated or expires, as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.
Appears in 1 contract