Common use of Exhibits A and B Clause in Contracts

Exhibits A and B. The Services described in Exhibit "A" and the Schedule of Data in Exhibit "B" to the DPA satisfy the requirements in SOPPA to include a statement of the product or service being provided to the school by the Provider and a listing of the categories or types of covered information to be provided to the Provider, respectively. LEA and Provider agree to the following additional terms and modifications: This is a free text field that the parties can use to add or modify terms in or to the DPA. If there are noadditional or modified terms, this field should read “None.” 1. Article II, Section 5, has the following is added to the end of the section: 2. Article V, Section 5, is deleted and replaced with the following: 3. Exhibit "D", Section 3, Schedule of Disposition includes and selects the following option: 4. Exhibit "G", Section 4, is deleted and replaced with: 5. Exhibit "G", Section 5, is deleted and replaced with: Notices. Any notice delivered pursuant to the DPA shall be deemed effective, as applicable, upon receipt as evidenced by the date of transmission indicated on the transmission material, if by e-mail; or ten (10) days after mailing, if by first-class mail, postage prepaid. 6. Exhibit "G", Section 6, is deleted and replaced with: 7. Exhibit "G", Section 7, shall be deleted and replaced with: 8. Exhibit "G", Section 10, shall be deleted and replaced with: Reimbursement of Expenses Associated with Security Breach. a. In the event of a Security Breach that is attributable to the Provider, the Provider shall reimburse and indemnify the LEA for any and all reasonable costs and expenses that the LEA incurs in investigating and remediating the Security Breach, including but not limited to costs and expenses associated with: i. Providing notification to the parents of those students whose Student Data was compromised and regulatory agencies or other entities as required by law or contract; ii. Providing credit monitoring to those students whose Student Data was exposed in a manner during the Security Breach that a reasonable person would believe may impact the student's credit or financial security; iii. Reasonable legal fees, audit costs, fines, and any other fees or damages imposed against the LEA as a result of the Security Breach; and iv. Providing any other notifications or fulfilling any other requirements adopted by the Illinois State Board of Education or under other State or federal laws. b. In the event of a Security Breach that is solely attributable to the LEA and for which the LEA would not be immune from liability under the Illinois Local Governmental and Governmental Employees Tort Immunity Act (745 ILCS 10/1 et seq.) or other applicable immunities or defenses, the LEA shall reimburse the Company for any and all reasonable costs and expenses that the Company incurs in investigating and remediating the Security Breach, including but not limited to costs and expenses associated with reasonable legal fees, audit costs, and any other fees or damages sustained by the Company as a result of the Security Breach

Exhibits A and B. The Services described in Exhibit "A" and the Schedule of Data in Exhibit "B" to the DPA satisfy the requirements in SOPPA to include a statement of the product or service being provided to the school by the Provider and a listing of the categories or types of covered information to be provided to the Provider, respectively. LEA XXX and Provider agree to the following additional terms and modifications: This is a free text field that the parties can use to add or modify terms in or to the DPA. If there are noadditional or modified terms, this field should read “None.” 1. Article II, Section 5, has the following is added to the end of the section: 2. Article V, Section 5, is deleted and replaced with the following: 3. Exhibit "D", Section 3, Schedule of Disposition includes and selects the following option: 4. Exhibit "G", Section 4, is deleted and replaced with: 5. Exhibit "G", Section 5, is deleted and replaced with: Notices. Any notice delivered pursuant to the DPA shall be deemed effective, as applicable, upon receipt as evidenced by the date of transmission indicated on the transmission material, if by e-mail; or ten (10) days after mailing, if by first-class mail, postage prepaid. 6. Exhibit "G", Section 6, is deleted and replaced with: 7. Exhibit "G", Section 7, shall be deleted and replaced with: 8. Exhibit "G", Section 10, shall be deleted and replaced with: Reimbursement of Expenses Associated with Security Breach. a. In the event of a Security Breach that is attributable to the Provider, the Provider shall reimburse and indemnify the LEA for any and all reasonable costs and expenses that the LEA incurs in investigating and remediating the Security Breach, including but not limited to costs and expenses associated with: i. Providing notification to the parents of those students whose Student Data was compromised and regulatory agencies or other entities as required by law or contract; ii. Providing credit monitoring to those students whose Student Data was exposed in a manner during the Security Breach that a reasonable person would believe may impact the student's credit or financial security; iii. Reasonable legal fees, audit costs, fines, and any other fees or damages imposed against the LEA as a result of the Security Breach; and iv. Providing any other notifications or fulfilling any other requirements adopted by the Illinois State Board of Education or under other State or federal laws. b. In the event of a Security Breach that is solely attributable to the LEA and for which the LEA would not be immune from liability under the Illinois Local Governmental and Governmental Employees Tort Immunity Act (745 ILCS 10/1 et seq.) or other applicable immunities or defenses, the LEA shall reimburse the Company for any and all reasonable costs and expenses that the Company incurs in investigating and remediating the Security Breach, including but not limited to costs and expenses associated with reasonable legal fees, audit costs, and any other fees or damages sustained by the Company as a result of the Security Breach

Exhibits A and B. The Services described in Exhibit "A" and the Schedule of Data in Exhibit "B" to the DPA satisfy the requirements in SOPPA to include a statement of the product or service being provided to the school by the Provider and a listing of the categories or types of covered information to be provided to the Provider, respectively. LEA XXX and Provider agree to the following additional terms and modifications: This is a free text field that the parties can use to add or modify terms in or to the DPA. If there are noadditional or modified terms, this field should read “None.” 1. Article II, Section 5, has the following is added to the end of the section: 2. Article V, Section 54(5), is deleted and replaced with the following: 3. Exhibit "D", Section 3, Schedule of Disposition includes and selects the following option: 4. Exhibit "G", Section 4, is deleted and replaced with: 5. Exhibit "G", Section 5, is deleted and replaced with: Notices. Any notice delivered pursuant to the DPA shall be deemed effective, as applicable, upon receipt as evidenced by the date of transmission indicated on the transmission material, if by e-mail; or ten (10) days after mailing, if by first-class mail, postage prepaid. 6. Exhibit "G", Section 6, is deleted and replaced with: 7. Exhibit "G", Section 7, shall be deleted and replaced with: 8. Exhibit "G", Section 10, shall be deleted and replaced with: Reimbursement of Expenses Associated with Security Breach. a. In the event of a Security Breach that is attributable to the Provider, the Provider shall reimburse and indemnify the LEA for any and all reasonable costs and expenses that the LEA incurs in investigating and remediating the Security Breach, including but not limited to costs and expenses associated with: i. Providing notification to the parents of those students whose Student Data was compromised and regulatory agencies or other entities as required by law or contract; ii. Providing credit monitoring to those students whose Student Data was exposed in a manner during the Security Breach that a reasonable person would believe may impact the student's credit or financial security; iii. Reasonable legal fees, audit costs, fines, and any other fees or damages imposed against the LEA as a result of the Security Breach; and iv. Providing any other notifications or fulfilling any other requirements adopted by the Illinois State Board of Education or under other State or federal laws. b. In the event of a Security Breach that is solely attributable to the LEA and for which the LEA would not be immune from liability under the Illinois Local Governmental and Governmental Employees Tort Immunity Act (745 ILCS 10/1 et seq.) or other applicable immunities or defenses, the LEA shall reimburse the Company for any and all reasonable costs and expenses that the Company incurs in investigating and remediating the Security Breach, including but not limited to costs and expenses associated with reasonable legal fees, audit costs, and any other fees or damages sustained by the Company as a result of the Security Breachbe

Exhibits A and B. The Services described in Exhibit "A" A and the Schedule of Data in Exhibit "B" B to the DPA satisfy the requirements in SOPPA to include a statement of the product or service being provided to the school by the Provider and a listing of the categories or types of covered information to be provided to the Provider, respectively. LEA and Provider agree to the following additional terms and modifications: This is a free text field that the parties can use to add or modify terms in or to the DPA. If there are noadditional no additional or modified terms, this field should read “None.”” LEA and Provider agree to the following additional terms and modifications: Standard Clauses 1. Article II, Section 52, has the Parent Access: The following is added to the end of the section:: “Notwithstanding anything in this section to the contrary, any Education Records or Student Data will ordinarily be accessible by the LEA immediately through the standard functionality of Provider's products for review, correction, or extraction. Provider will provide such assistance as is reasonably required to facilitate any written requests for assistance from the LEA.” 2. Article VII, Section 53, Separate Account, is deleted and replaced with the following:: “If student-generated content is stored or maintained by the Provider as part of the Services described in this DPA, Provider shall, at the request of the LEA, provide LEA with instructions as to how to use available functionality within the Services to copy student-generated content that is severable from the Service so that LEA or the student may store it in a separate account established by the LEA or the student. Nothing in this section shall require Provider to create or maintain separate accounts for student-generated content.” 3. Exhibit "D"Article IV, Section 6, Disposition of Data (a) The first two sentences are deleted and replaced with the following: “LEA will have access at any time during the term of the DPA and for a sixty (60) day period following termination or expiration of the DPA to extract or transfer Student Data. After the sixty (60) day period following termination or expiration of the DPA has expired, Provider will delete any Student Data obtained under the Service Agreement.” (b) In the third sentence, the words “or placed in a separate student account pursuant to section II 3, Schedule of Disposition includes and selects the following option:” are deleted. 4. Exhibit "G"In Article V, Section 2, Audits, the following sentence is added at the end of the section: “Provider may supply LEA with a summary of the results of a recently completed audit in lieu of LEA conducting an audit itself.” 5. In Article V, Section 4, is deleted Data Breach, first sentence, the words “within seventy-two (72) hours” are replaced with “within the most expedient time possible and replaced with: 5without unreasonable delay, but no later than seven (7) calendar days after the determination that a breach has occurred”. Exhibit "G" 6. In Section 4, Limitations on Redisclosure, the following is added at the beginning of the section: “With the exception of Subprocessors providing services to Provider under its agreement with the LEA,”. 7. In Section 5, is deleted and replaced with: Notices. Any notice delivered pursuant to , the DPA shall be deemed effective, as applicable, upon receipt as evidenced by the date of transmission indicated on the transmission material, if by e-mail; words “or ten four (104) days after mailing, if by first-first class mail, postage prepaid” are replaced with “or upon receipt if sent by overnight courier.” 68. Exhibit "G", In Section 6, Parent Right to Access and Challenge Student Data, and in Section 7, Correction to Factual Inaccuracies, the following is added to the end of each section: “Notwithstanding the foregoing, LEA will have access to Student Data during the term of the DPA for inspection, copying, or correction as required. Provider will provide reasonable assistance upon written request if LEA requires assistance, pursuant to the timeframe required under Illinois law for the LEA to respond to a parent/student request for records or Education Records and/or Student Data.” 9. Section 11, Transfer or Deletion of Data (a) In the first paragraph, the second and third sentences are deleted and replaced with:with the following: “Provider will delete Student Data which is no longer needed within sixty (60) days of such a determination and will provide the LEA with confirmation of such deletion upon written request.” 7. Exhibit "G"(b) In the second paragraph, Section 7, shall be the second and third sentences are deleted and replaced with: 8. Exhibit "G", Section 10, shall with the following: “The LEA will be deleted and replaced with: Reimbursement of Expenses Associated with Security Breach. a. In the event of a Security Breach that is attributable to the Provider, the Provider shall reimburse and indemnify the LEA responsible for deleting any and all reasonable costs and expenses that the LEA incurs in investigating and remediating the Security Breach, including but not limited to costs and expenses associated with: i. Providing notification to the parents of those students whose such Student Data was compromised and regulatory agencies or other entities as required by law or contract; ii. Providing credit monitoring to those students whose Student Data was exposed in a manner during using the Security Breach that a reasonable person would believe may impact the student's credit or financial security; iii. Reasonable legal fees, audit costs, fines, and any other fees or damages imposed against the LEA as a result standard functionality of the Security Breach; and iv. Providing any other notifications or fulfilling any other requirements adopted by the Illinois State Board of Education or under other State or federal lawsProvider’s services. b. In the event of a Security Breach that is solely attributable to the LEA and for which the LEA would not be immune from liability under the Illinois Local Governmental and Governmental Employees Tort Immunity Act (745 ILCS 10/1 et seq.) or other applicable immunities or defenses, the LEA shall reimburse the Company for any and all reasonable costs and expenses that the Company incurs in investigating and remediating the Security Breach, including but not limited to costs and expenses associated with reasonable legal fees, audit costs, and any other fees or damages sustained by the Company as a result of the Security Breach”

Exhibits A and B. The Services described in Exhibit "A" and the Schedule of Data in Exhibit "B" to the DPA satisfy the requirements in SOPPA to include a statement of the product or service being provided to the school by the Provider and a listing of the categories or types of covered information to be provided to the Provider, respectively. LEA XXX and Provider agree to the following additional terms and modifications: This is a free text field that the parties can use to add or modify terms in or to the DPA. If there are noadditional or modified terms, this field should read “None.” 1. Article II, Section 5, has the following is added to the end of the section: 2. Article V, Section 54(5), is deleted and replaced with the following: 3. Exhibit "D", Section 3, Schedule of Disposition includes and selects the following option: 4. Exhibit "G", Section 4, is deleted and replaced with: 5. Exhibit "G", Section 5, is deleted and replaced with: Notices. Any notice delivered pursuant to the DPA shall be deemed effective, as applicable, upon receipt as evidenced by the date of transmission indicated on the transmission material, if by e-mail; or ten (10) days after mailing, if by first-class mail, postage prepaid. 6. Exhibit "G", Section 6, is deleted and replaced with: 7. Exhibit "G", Section 7, shall be deleted and replaced with: 8. Exhibit "G", Section 10, shall be deleted and replaced with: Reimbursement of Expenses Associated with Security Breach. a. In the event of a Security Breach that is attributable to the Provider, the Provider shall reimburse and indemnify the LEA for any and all reasonable costs and expenses that the LEA incurs in investigating and remediating the Security Breach, including but not limited to costs and expenses associated with: i. Providing notification to the parents of those students whose Student Data was compromised and regulatory agencies or other entities as required by law or contract; ii. Providing credit monitoring to those students whose Student Data was exposed in a manner during the Security Breach that a reasonable person would believe may impact the student's credit or financial security; iii. Reasonable legal fees, audit costs, fines, and any other fees or damages imposed against the LEA as a result of the Security Breach; and iv. Providing any other notifications or fulfilling any other requirements adopted by the Illinois State Board of Education or under other State or federal laws. b. In the event of a Security Breach that is solely attributable to the LEA and for which the LEA would not be immune from liability under the Illinois Local Governmental and Governmental Employees Tort Immunity Act (745 ILCS 10/1 et seq.) or other applicable immunities or defenses, the LEA shall reimburse the Company for any and all reasonable costs and expenses that the Company incurs in investigating and remediating the Security Breach, including but not limited to costs and expenses associated with reasonable legal fees, audit costs, and any other fees or damages sustained by the Company as a result of the Security Breach

Exhibits A and B. The Services described in Exhibit "A" A and the Schedule of Data in Exhibit "B" B to the DPA satisfy the requirements in SOPPA to include a statement of the product or service being provided to the school by the Provider and a listing of the categories or types of covered information to be provided to the Provider, respectively. LEA and Provider agree to the following additional terms and modifications: This is a free text field that the parties can use to add or modify terms in or to the DPA. If there are noadditional no additional or modified terms, this field should read “None.”” Standard Clauses 1. Article II, Section 52, has the Parent Access: The following is added to the end of the section:: “Notwithstanding anything in this section to the contrary, any Education Records or Student Data may ordinarily be accessible by the LEA immediately through the standard functionality of Provider's products for review, correction, or extraction. Provider will provide such assistance as is reasonably required to facilitate any written requests for assistance from the LEA.” 2. Article II, Section 3, Separate Account, is deleted and replaced with the following: “If student-generated content is stored or maintained by the Provider as part of the Services described in this DPA, Provider shall, at the request of the LEA, provide LEA with instructions as to how to use available functionality within the Services to copy student-generated content that is severable from the Service so that LEA or the student may store it in a separate account established by the LEA or the student. Nothing in this section shall require Provider to create or maintain separate accounts for student-generated content.” 3. Article IV, Section 6, Disposition of Data (a) The first two sentences are deleted and replaced with the following: “LEA will have access at any time during the term of the DPA to extract or transfer Student Data. After termination or expiration of the DPA, Provider will delete any Student Data obtained under the Service Agreement.” (b) In the third sentence, the words “or placed in a separate student account pursuant to section II 3” are deleted. 4. In Article V, Section 2, Audits, the following sentence is added at the end of the section: “Provider may supply LEA with a summary of the results of a recently completed audit in lieu of LEA conducting an audit itself.” 5. In Article V, Section 4, Data Breach, first sentence, the words “within seventy-two (72) hours” are replaced with “within the most expedient time possible and without unreasonable delay, but no later than 30 calendar days after the determination that a breach has occurred”. Exhibit G 6. In Section 4, Limitations on Redisclosure, the following is added at the beginning of the section: “With the exception of Subprocessors providing services to Provider under its agreement with the LEA,”. 7. In Section 5, Notices, the words “or four (4) days after mailing, if by first class mail, postage prepaid” are replaced with “or upon receipt if sent by overnight courier.” 8. In Section 6, Parent Right to Access and Challenge Student Data, and in Section 7, Correction to Factual Inaccuracies, the following is added to the end of each section: “Notwithstanding the foregoing, LEA will have access to Student Data during the term of the DPA for inspection, copying, or correction as required. Provider will provide reasonable assistance upon written request if LEA requires assistance, pursuant to the timeframe required under Illinois law for the LEA to respond to a parent/student request for records or Education Records and/or Student Data.” 9. Section 11, Transfer or Deletion of Data (a) In the first paragraph, the second and third sentences are deleted and replaced with the following: “Provider will delete Student Data which is no longer needed within sixty (60) days of such a determination, and will provide the LEA with confirmation of such deletion upon written request.” (b) In the second paragraph, the second and third sentences are deleted and replaced with the following: “The LEA will be responsible for deleting any such Student Data using the standard functionality of Provider’s services.” 10. Section 13, Subcontractors, is deleted and replaced with the following: 3. Exhibit "D", Section 3, Schedule of Disposition includes and selects the following option: 4. Exhibit "G", Section 4, is deleted and replaced with: 5. Exhibit "G", Section 5, is deleted and replaced with: Notices. Any notice delivered pursuant to the DPA shall be deemed effective, as applicable, upon receipt as evidenced by the date of transmission indicated on the transmission material, if by e-mail; or ten (10) days after mailing, if by first-class mail, postage prepaid. 6. Exhibit "G", Section 6, is deleted and replaced with: 7. Exhibit "G", Section 7, shall be deleted and replaced with: 8. Exhibit "G", Section 10, shall be deleted and replaced with: Reimbursement of Expenses Associated with Security Breach. a. In the event of a Security Breach that is attributable to the Provider, the Provider shall reimburse and indemnify the LEA for any and all reasonable costs and expenses that the LEA incurs in investigating and remediating the Security Breach, including but not limited to costs and expenses associated with: i. Providing notification to the parents of those students whose Student Data was compromised and regulatory agencies or other entities as required by law or contract; ii. Providing credit monitoring to those students whose Student Data was exposed in a manner during the Security Breach that a reasonable person would believe may impact the student's credit or financial security; iii. Reasonable legal fees, audit costs, fines, and any other fees or damages imposed against the LEA as a result of the Security Breach; and iv. Providing any other notifications or fulfilling any other requirements adopted by the Illinois State Board of Education or under other State or federal laws. b. In the event of a Security Breach that is solely attributable to the LEA and for which the LEA would not be immune from liability under the Illinois Local Governmental and Governmental Employees Tort Immunity Act (745 ILCS 10/1 et seq.) or other applicable immunities or defenses, the LEA shall reimburse the Company for any and all reasonable costs and expenses that the Company incurs in investigating and remediating the Security Breach, including but not limited to costs and expenses associated with reasonable legal fees, audit costs, and any other fees or damages sustained by the Company as a result of the Security Breach

Exhibits A and B. The Services described in Exhibit "A" and the Schedule of Data in Exhibit "B" to the DPA satisfy the requirements in SOPPA to include a statement of the product or service being provided to the school by the Provider and a listing of the categories or types of covered information to be provided to the Provider, respectively. LEA and Provider agree to the following additional terms and modifications: This is a free text field that the parties can use to add or modify terms in or to the DPA. If there are noadditional or modified terms, this field should read “None.” 1. Article II, Section 5, has the following is added to the end of the section: 2. Article V, Section 54(5), is deleted and replaced with the following: 3. Exhibit "D", Section 3, Schedule of Disposition includes and selects the following option: 4. Exhibit "G", Section 4, is deleted and replaced with: 5. Exhibit "G", Section 5, is deleted and replaced with: Notices. Any notice delivered pursuant to the DPA shall be deemed effective, as applicable, upon receipt as evidenced by the date of transmission indicated on the transmission material, if by e-mail; or ten (10) days after mailing, if by first-class mail, postage prepaid. 6. Exhibit "G", Section 6, is deleted and replaced with: 7. Exhibit "G", Section 7, shall be deleted and replaced with: 8. Exhibit "G", Section 10, shall be deleted and replaced with: Reimbursement of Expenses Associated with Security Breach. a. In the event of a Security Breach that is attributable to the Provider, the Provider shall reimburse and indemnify the LEA for any and all reasonable costs and expenses that the LEA incurs in investigating and remediating the Security Breach, including but not limited to costs and expenses associated with: i. Providing notification to the parents of those students whose Student Data was compromised and regulatory agencies or other entities as required by law or contract; ii. Providing credit monitoring to those students whose Student Data was exposed in a manner during the Security Breach that a reasonable person would believe may impact the student's credit or financial security; iii. Reasonable legal fees, audit costs, fines, and any other fees or damages imposed against the LEA as a result of the Security Breach; and iv. Providing any other notifications or fulfilling any other requirements adopted by the Illinois State Board of Education or under other State or federal laws. b. In the event of a Security Breach that is solely attributable to the LEA and for which the LEA would not be immune from liability under the Illinois Local Governmental and Governmental Employees Tort Immunity Act (745 ILCS 10/1 et seq.) or other applicable immunities or defenses, the LEA shall reimburse the Company for any and all reasonable costs and expenses that the Company incurs in investigating and remediating the Security Breach, including but not limited to costs and expenses associated with reasonable legal fees, audit costs, and any other fees or damages sustained by the Company as a result of the Security Breach

Exhibits A and B. The Services described in Exhibit "A" A and the Schedule of Data in Exhibit "B" B to the DPA satisfy the requirements in SOPPA to include a statement of the product or service being provided to the school by the Provider and a listing of the categories or types of covered information to be provided to the Provider, respectively. LEA XXX and Provider agree to the following additional terms and modifications: This is a free text field that the parties can use to add or modify terms in or to the DPA. If there are noadditional no additional or modified terms, this field should read “None.” 1” Art. Article IIV(2) is amended to read: Audits. No more than once a year, Section 5, has the or following is added to the end of the section: 2. Article V, Section 5, is deleted and replaced with the following: 3. Exhibit "D", Section 3, Schedule of Disposition includes and selects the following option: 4. Exhibit "G", Section 4, is deleted and replaced with: 5. Exhibit "G", Section 5, is deleted and replaced with: Notices. Any notice delivered pursuant to the DPA shall be deemed effective, a Data Breach (as applicabledefined below), upon receipt as evidenced by of a written request from the date of transmission indicated on the transmission material, if by e-mail; or LEA with at least ten (10) days business days’ notice and upon the execution of an appropriate confidentiality agreement, the Provider will allow the LEA to audit the security and privacy measures that are in place to ensure protection of Student Data or any portion thereof as it pertains to the delivery of services to the LEA . The Provider will cooperate reasonably with the LEA and any local, state, or federal agency with oversight authority or jurisdiction in connection with any audit or investigation of the Provider and/or delivery of Services to students and/or LEA, and shall provide reasonable access to the Provider’s facilities, staff, agents and LEA’s Student Data and all records pertaining to the Provider, LEA and delivery of Services to the LEA. Failure to reasonably cooperate shall be deemed a material breach of the DPA. Art. V(4) is amended to read: Data Breach. In the event of an unauthorized release, disclosure or acquisition of Student Data that (1) compromises the security, confidentiality or integrity of the Student Data maintained by the Provider and (2) qualifies as a “personal data breach,” “breach of security,” “security breach,” or similar term as defined by applicable data breach notification laws (a “Data Breach”) the Provider shall provide notification to LEA within seventy-two (72) hours of confirmation of the Data Breach, unless notification within this time limit would disrupt investigation of the Data Breach by law enforcement. In such an event, notification shall be made within a reasonable time after mailingthe Data Breach. Provider shall follow the following process: (1) The Data Breach notification described above shall include, at a minimum, the following information to the extent known by the Provider and as it becomes available: i. The name and contact information of the reporting LEA subject to this section. ii. A list of the types of personal information that were or are reasonably believed to have been the subject of a breach. iii. If the information is possible to determine at the time the notice is provided, then either (1) the date of the Data Breach, (2) the estimated date of the Data Breach, or (3) the date range within which the Data Breach occurred. The notification shall also include the date of the notice. iv. Whether the notification was delayed as a result of a law enforcement investigation, if by first-class mailthat information is possible to determine at the time the notice is provided; and v. A general description of the Data Breach incident, postage prepaidif that information is possible to determine at the time the notice is provided. 6. Exhibit "G"(2) Provider agrees to adhere to all federal and state requirements with respect to a Data Breach related to the Student Data, Section 6including, is deleted when appropriate or required, the required responsibilities and replaced with: 7. Exhibit "G", Section 7, shall be deleted procedures for notification and replaced with: 8. Exhibit "G", Section 10, shall be deleted and replaced with: Reimbursement mitigation of Expenses Associated with Security any such Data Breach. a. (3) Provider further acknowledges and agrees to have a written incident response plan that reflects best practices and is consistent with industry standards and federal and state law for responding to a Data Breach, breach of security, privacy incident or unauthorized acquisition or use of Student Data or any portion thereof, including personally identifiable information and agrees to provide XXX, upon request, with a summary of said written incident response plan. (4) LEA shall provide notice and facts surrounding the Data Breach to the affected students, parents or guardians. (5) In the event of a Security Data Breach that is attributable originating from XXX’s use of the Service, Provider shall cooperate with LEA to the Provider, the Provider shall reimburse and indemnify the LEA for any and all reasonable costs and expenses that the LEA incurs in investigating and remediating the Security Breach, including but not limited extent necessary to costs and expenses associated withexpeditiously secure Student Data. Art. VII(1) is amended to read: i. Providing notification to the parents of those students whose Student Data was compromised and regulatory agencies or other entities as required by law or contract; ii. Providing credit monitoring to those students whose Student Data was exposed in a manner during the Security Breach that a reasonable person would believe may impact the student's credit or financial security; iii. Reasonable legal fees, audit costs, fines, and any other fees or damages imposed against the LEA as a result of the Security Breach; and iv. Providing any other notifications or fulfilling any other requirements adopted by the Illinois State Board of Education or under other State or federal laws. b. In the event of a Security Breach that is solely attributable to the LEA and for which the LEA would not be immune from liability under the Illinois Local Governmental and Governmental Employees Tort Immunity Act (745 ILCS 10/1 et seq.) or other applicable immunities or defenses, the LEA shall reimburse the Company for any and all reasonable costs and expenses that the Company incurs in investigating and remediating the Security Breach, including but not limited to costs and expenses associated with reasonable legal fees, audit costs, and any other fees or damages sustained by the Company as a result of the Security Breach

Exhibits A and B. The Services described in Exhibit "A" A and the Schedule of Data in Exhibit "B" B to the DPA satisfy the requirements in SOPPA to include a statement of the product or service being provided to the school by the Provider and a listing of the categories or types of covered information to be provided to the Provider, respectively. LEA DocuSign Envelope ID: B87CCC6D-4EC8-43F1-A329-391305252132 XXX and Provider agree to the following additional terms and modifications: This is a free text field that the parties can use to add or modify terms in or to the DPA. If there are noadditional no additional or modified terms, this field should read “None.”” XXX and Provider agree to the following additional terms and modifications: Standard Clauses 1. Article II, Section 52, has the Parent Access: The following is added to the end of the section:: “Notwithstanding anything in this section to the contrary, any Education Records or Student Data will ordinarily be accessible by the LEA immediately through the standard functionality of Provider's products for review, correction, or extraction. Provider will provide such assistance as is reasonably required to facilitate any written requests for assistance from the LEA.” 2. Article VII, Section 53, Separate Account, is deleted and replaced with the following:: “If student-generated content is stored or maintained by the Provider as part of the Services described in this DPA, Provider shall, at the request of the LEA, provide LEA with instructions as to how to use available functionality within the Services to copy student-generated content that is severable from the Service so that LEA or the student may store it in a separate account established by the LEA or the student. Nothing in this section shall require Provider to create or maintain separate accounts for student-generated content.” 3. Exhibit "D"Article IV, Section 6, Disposition of Data (a) The first two sentences are deleted and replaced with the following: “XXX will have access at any time during the term of the DPA and for a sixty (60) day period following termination or expiration of the DPA to extract or transfer Student Data. After the sixty (60) day period following termination or expiration of the DPA has expired, Provider will delete any Student Data obtained under the Service Agreement.” (b) In the third sentence, the words “or placed in a separate student account pursuant to section II 3, Schedule of Disposition includes and selects the following option:” are deleted. 4. Exhibit "G"In Article V, Section 2, Audits, the following sentence is added at the end of the section: “Provider may supply LEA with a summary of the results of a recently completed audit in lieu of LEA conducting an audit itself.” 5. In Article V, Section 4, is deleted Data Breach, first sentence, the words “within seventy-two (72) hours” are replaced with “within the most expedient time possible and replaced with: 5without unreasonable delay, but no later than seven (7) calendar days after the determination that a breach has occurred”. Exhibit "G" 6. In Section 4, Limitations on Redisclosure, the following is added at the beginning of the section: “With the exception of Subprocessors providing services to Provider under its agreement with the LEA,”. 7. In Section 5, is deleted and replaced with: Notices. Any notice delivered pursuant to , the DPA shall be deemed effective, as applicable, upon receipt as evidenced by the date of transmission indicated on the transmission material, if by e-mail; words “or ten four (104) days after mailing, if by first-first class mail, postage prepaid” are replaced with “or upon receipt if sent by overnight courier.” 68. Exhibit "G", In Section 6, Parent Right to Access and Challenge Student Data, and in Section 7, Correction to Factual Inaccuracies, the following is added to the end of each section: “Notwithstanding the foregoing, XXX will have access to Student Data during the term of the DPA for inspection, copying, or correction as required. Provider will provide reasonable assistance upon written request if LEA requires assistance, pursuant to the timeframe required under Illinois law for the LEA to respond to a parent/student request for records or Education Records and/or Student Data.” 9. Section 9 (b), is deleted in its entirety. 10. Section 11, Transfer or Deletion of Data (a) In the first paragraph, the second and third sentences are deleted and replaced with:with the following: “Provider will delete Student Data which is no longer needed within sixty (60) days of such a determination and will provide the LEA with confirmation of such deletion upon written request.” 7. Exhibit "G"(b) In the second paragraph, Section 7, shall be the second and third sentences are deleted and replaced with: 8. Exhibit "G", Section 10, shall with the following: “The LEA will be deleted and replaced with: Reimbursement of Expenses Associated with Security Breach. a. In the event of a Security Breach that is attributable to the Provider, the Provider shall reimburse and indemnify the LEA responsible for deleting any and all reasonable costs and expenses that the LEA incurs in investigating and remediating the Security Breach, including but not limited to costs and expenses associated with: i. Providing notification to the parents of those students whose such Student Data was compromised and regulatory agencies or other entities as required by law or contract; ii. Providing credit monitoring to those students whose Student Data was exposed in a manner during using the Security Breach that a reasonable person would believe may impact the student's credit or financial security; iii. Reasonable legal fees, audit costs, fines, and any other fees or damages imposed against the LEA as a result standard functionality of the Security Breach; and iv. Providing any other notifications or fulfilling any other requirements adopted by the Illinois State Board of Education or under other State or federal lawsProvider’s services. b. In the event of a Security Breach that is solely attributable to the LEA and for which the LEA would not be immune from liability under the Illinois Local Governmental and Governmental Employees Tort Immunity Act (745 ILCS 10/1 et seq.) or other applicable immunities or defenses, the LEA shall reimburse the Company for any and all reasonable costs and expenses that the Company incurs in investigating and remediating the Security Breach, including but not limited to costs and expenses associated with reasonable legal fees, audit costs, and any other fees or damages sustained by the Company as a result of the Security Breach”