Common use of Exhibits A and B Clause in Contracts

Exhibits A and B. The Services described in Exhibit A and the Schedule of Data in Exhibit B to the DPA satisfy the requirements in SOPPA to include a statement of the product or service being provided to the school by the Provider and a listing of the categories or types of covered information to be provided to the Provider, respectively. EXHIBIT “H” Additional Terms or Modifications Version 1 LEA and Provider agree to the following additional terms and modifications: This is a free text field that the parties can use to add or modify terms in or to the DPA. If there are no additional or modified terms, this field should read “None.” The following text is appended to Article II, section 5: "Notwithstanding the foregoing, Provider shall have no obligation to enter into any such agreements and shall not be responsible for any third parties, including but not limited to educational service centers, to which LEA transmits Student Data or contracts with for services outside of the scope of the Services provided by Provider." The following text is added to Article IV, section 6: "Provider requires that the LEA not provide Student Data in emails sent by its employees to the Provider." Article V, section 2 is changed as follows: "Provider will allow the LEA to audit the security and privacy measures that are in place" is changed to "Provider will allow the LEA to audit the summary security and privacy measures that are in place" Article V, section 4 has the following text added to the end of the first paragraph: "when compromise was caused by the Provider:" Exhibit C, Definitions "Service Agreement: Refers to the Contract, Purchase Order or Terms of Service or Terms of Use." is changed to "Service Agreement: Refers to the Provider and LEA Contract, Purchase Order or Terms of Service or Terms of Use."

Exhibits A and B. The Services described in Exhibit A and the Schedule of Data in Exhibit B to the DPA satisfy the requirements in SOPPA to include a statement of the product or service being provided to the school by the Provider and a listing of the categories or types of covered information to be provided to the Provider, respectively. Last Updated 2021-03-15 - New Illinois Exhibit G IL-NDPA v1.0a Page 22 of 23 EXHIBIT “"H” " Additional Terms or Modifications Version 1 1.0 LEA and Provider agree to the following additional terms and modifications: This is a free text field that the parties can use to add or modify terms in or to the DPA. If there are no additional or modified terms, this field should read “"None.” The following text is appended " 618-1/4715859.1 Art. IV § 3 Provider wishes to Article II, section 5: "Notwithstanding the foregoing, clarify that Provider shall require all of Provider's employees and agents who have access to Student Data to agree to protect Student Data in a manner no obligation less stringent than the terms of this DPA. Provider accepts responsibility for the actions of all such employees and agents. Art. IV § 5 Notwithstanding Art. IV § 5, Amplify may use and share with agents, partners, and researchers non-personally identifiable information collected hereunder, including data that has been de-identified in accordance with FERPA and applicable laws, for legitimate educational purposes and may distribute findings, analysis and reports based upon such non-PII data. The language ", and (b) prior written notice has been given to enter into the LEA who has provided prior written consent for such transfer" shall be struck from such section. Exhibit G §10. Reimbursement of Expenses Associated with Security Breach Amplify shall reimburse the LEA for any and all costs and expenses that the LEA incurs in investigating and remediating the Security Breach to the extent such agreements Security Breach was attributable to Amplify. Amplify will indemnify and shall hold the LEA harmless from third party claims of the nature set forth in this section. Amplify wishes to clarify that Amplify will be responsible for, and will bear, all notification related costs arising out of or in connection with the Security Incident, subject to any limitations of liability terms contained in the applicable agreement. For clarity and without limitation, Amplify will not be responsible for costs associated with voluntary notification which is not legally required. With respect to any third partiesSecurity Breach which is not due to acts or omissions of Amplify or its agents, including but not limited to educational service centersAmplify will reasonably cooperate in performing the activities described above, to which LEA transmits Student Data or contracts with for services outside of the scope of the Services provided by Provider." The following text is added to Article IV, section 6: "Provider requires that as the LEA not provide Student Data in emails sent by its employees to requests, at the ProviderLEA’s reasonable expense." Article V, section 2 is changed as follows: "Provider will allow the LEA to audit the security and privacy measures that are in place" is changed to "Provider will allow the LEA to audit the summary security and privacy measures that are in place" Article V, section 4 has the following text added to the end of the first paragraph: "when compromise was caused by the Provider:" Exhibit C, Definitions "Service Agreement: Refers to the Contract, Purchase Order or Terms of Service or Terms of Use." is changed to "Service Agreement: Refers to the Provider and LEA Contract, Purchase Order or Terms of Service or Terms of Use."

Exhibits A and B. The Services described in Exhibit A and the Schedule of Data in Exhibit B to the DPA satisfy the requirements in SOPPA to include a statement of the product or service being provided to the school by the Provider and a listing of the categories or types of covered information to be provided to the Provider, respectively. EXHIBIT “H” Additional Terms or Modifications Version 1 LEA XXX and Provider agree to the following additional terms and modifications: This is a free text field that the parties can use to add or modify terms in or to the DPA. If there are no additional or modified terms, this field should read “None.” Amend Section 1 under Article I to read: Purpose of DPA. The following text purpose of this DPA is appended to describe the duties and responsibilities to protect Student Data, including compliance with all applicable federal, state, and local privacy laws, rules, and regulations, all as may be amended from time to time. In performing these services, the Provider shall be considered a School Official with a legitimate educational interest, and performing services otherwise provided by the LEA. Provider shall be under the direct control and supervision of the LEA, with respect to its use of Student Data. Amend Section 6 under Article II, section 5IV to read: "Notwithstanding Disposition of Data. Upon written request from the foregoingLEA, Provider shall have no obligation dispose of or provide a mechanism for the LEA to enter into any such agreements and shall not be responsible for any third parties, including but not limited to educational service centers, to which LEA transmits transfer Student Data or contracts with for services outside obtained under the Service Agreement, within sixty (60) days of the scope date of said request and according to a schedule and procedure as the Services provided by Provider." The following text is added to Article IVParties may reasonably agree. Upon termination of this DPA, section 6: "Provider requires that if no written request from the LEA not provide is received, Provider shall dispose of all Student Data in emails sent by its employees accordance with Provider’s standard records retention periods after providing the LEA with reasonable prior notice, which notice may take the form of a banner or popup within the assessment platform, mass email, or substantially similar method of communication. The duty to dispose of Student Data shall not extend to Student Data that had been De-Identified or placed in a separate student account pursuant to section II 3. The LEA may employ a “Directive for Disposition of Data” form, a copy of which is attached hereto as Exhibit “D”. If the LEA and Provider employ Exhibit “D,” no further written request or notice is required on the part of either party prior to the Provider." disposition of Student Data described in Exhibit “D”. Amend Section 2 under Article VV to read: Audits. No more than once a year, section 2 is changed as follows: "or following unauthorized access, upon receipt of a written request from the LEA with at least ten (10) business days’ notice and upon the execution of an appropriate confidentiality agreement, the Provider will allow the LEA to request a copy of the most recent third-party audit of the security and privacy measures that are in place" is changed place to "ensure protection of Student Data or any portion thereof as it pertains to the delivery of services to the LEA. The Provider will allow cooperate reasonably with the LEA and any local, state, or federal agency with oversight authority or jurisdiction in connection with any audit or investigation of the Provider and/or delivery of Services to audit the summary security students and/or LEA, and privacy measures that are in place" Article V, section 4 has the following text added shall provide reasonable access to the end Provider’s facilities, staff, agents and LEA’s Student Data and all records pertaining to the Provider, LEA and delivery of Services to the LEA. Failure to reasonably cooperate shall be deemed a material breach of the first paragraphDPA. Amend Section 10 in EXHIBIT G to read: "when compromise was caused by Reimbursement of Expenses Associated with Security Breach. In the event of a confirmed Security Breach that is attributable to the Provider:" Exhibit C’s willful or negligent acts or omissions, Definitions "Service Agreement: Refers the Provider shall reimburse and indemnify the LEA for any and all costs and expenses that the LEA incurs in investigating and remediating the Security Breach, subject to the Contract, Purchase Order or Terms Providers limitation of Service or liability set forth in the Terms of Use." is changed , including but not limited to "Service Agreementcosts and expenses associated with: Refers a. Providing notification to the parents of those students whose Student Data was compromised and regulatory agencies or other entities as required by law or contract; b. Providing credit monitoring to those students whose Student Data was exposed in a manner during the Security Breach that a reasonable person would believe may impact the student’s credit or financial security; c. Legal fees, audit costs, fines, and any other fees or damages imposed against the LEA as a result of the security breach; and d. Providing any other notifications or fulfilling any other requirements adopted by the Illinois State Board of Education or under other State or federal laws. Amend Section 11 in EXHIBIT G to read: Transfer or Deletion of Student Data. The Provider shall review, on an annual basis, whether the Student Data it has received pursuant to the DPA continues to be needed for the purpose(s) of the DPA. If any of the Student Data is no longer needed for purposes of the DPA, the Provider must inform XXX by updating and providing LEA Contractwith a copy of Provider’s Privacy Policy and, Purchase Order upon receipt of XXX’s written instructions, delete such Student Data or Terms transfer to the LEA such Student Data. The Provider shall effectuate such transfer or deletion of Service Student Data and provide written confirmation of said transfer or Terms deletion to the LEA within thirty (30) calendar days of Usereceiving the instructions. If the LEA receives a request from a parent, as that term is defined in 105 ILCS 10/2(g), that Student Data being held by the Provider be deleted, the LEA shall determine whether the requested deletion would violate State and/or federal records laws. In the event such deletion would not violate State or federal records laws, the LEA shall forward the request for deletion to the Provider. The Provider shall comply with the request and delete the Student Data within a reasonable time period after receiving the request. Any provision of Student Data to the LEA from the Provider shall be transmitted in a format readable by the LEA."

Exhibits A and B. The Services described in Exhibit A and the Schedule of Data in Exhibit B to the DPA satisfy the requirements in SOPPA to include a statement of the product or service being provided to the school by the Provider and a listing of the categories or types of covered information to be provided to the Provider, respectively. EXHIBIT “H” Additional Terms or Modifications Version 1 LEA and Provider agree to the following additional terms and modifications: This is a free text field that the parties can use to add or modify terms in or to the DPA. If there are no additional or modified terms, this field should read “None.” Exhibit F adds: Student information must be sent to Provider via secure connection. A representative for the LEA will be appointed to train and enforce proper handling of information to prevent inappropriate access to or use of student data. Requirements for account creation as described at xxx.xxxxxxxxxxx.xxx/ privacy in the Extra Information for Student Users section and for data deletion under the Data Retention section are required for services provided within this DPA. Exhibit G numbers 11 and 13 for our proposed modifications. #11 - Remove - The following text is appended to Article II, section 5: "Notwithstanding the foregoing, Provider shall have review, on an annual basis, whether theStudent Data it has received pursuant to the DPA continues to be needed for the purpose(s) of the DPA. If any of the Student Data is no obligation to enter into any longer needed for purposes of the DPA, the Provider must delete such agreements and shall not be responsible for any third parties, including but not limited to educational service centers, to which LEA transmits unnecessary Student Data or contracts with for services outside transfer to the LEA such unnecessary Student Data. The Provider shall effectuate such transfer or deletion of Student Data and provide written confirmation of said transfer or deletion to the LEA within thirty (30) calendar days of the scope operator becoming aware that the Student Data is no longer needed for purposes of the Services provided by Provider." The following text is added to Article IV, section 6: "Provider requires that the LEA not provide DPA. #11 Add - Student Data in emails sent by its employees to the Provider." Article V, section 2 is changed as follows: "Provider will allow can be evaluated and deleted upon written request from the LEA to audit xxxxxxx@xxxxxxxxxxx.xxx - data will be deleted upon request or 10 years after the security and privacy measures expiration of the contract, whichever comes first. Termination of data only applies to premium user data. Users that are in place" is changed on a free plan or moved to "Provider a free plan will allow not be eligible for deletion. #13 - Remove - By no later than (5) business days after the date of execution of the DPA, theProvider shall provide the LEA with a list of any subcontractors to audit whom Student Data may be disclosed or a link to a page on the summary security Provider’s website that clearly lists any and privacy measures that are in place" Article Vall subcontractors to whom Student Data may be disclosed. This list shall, section 4 has the following text added at a minimum, be updated and provided to the end of the first paragraph: "when compromise was caused LEA by the Provider:" Exhibit C, Definitions "Service Agreement: Refers to beginning of each fiscal year (July 1) and at the Contract, Purchase Order or Terms beginning of Service or Terms of Useeach calendar year (January 1)." is changed to "Service Agreement: Refers to the Provider and LEA Contract, Purchase Order or Terms of Service or Terms of Use."

Exhibits A and B. The Services described in Exhibit A and the Schedule of Data in Exhibit B to the DPA satisfy the requirements in SOPPA to include a statement of the product or service being provided to the school by the Provider and a listing of the categories or types of covered information to be provided to the Provider, respectively. EXHIBIT “H” Additional Terms or Modifications Version 1 LEA and Provider agree to the following additional terms and modifications: This is a free text field that the parties can use to add or modify terms in or to the DPA. If there are no additional or modified terms, this field should read “None.” The following text is appended to Article II, section 5: "Notwithstanding the foregoing, Provider shall have no obligation to enter into any such agreements and shall not be responsible for any third parties, including but not limited to educational service centers, to which LEA transmits Student Data or contracts with for services outside of the scope of the Services provided by Provider." The following text is added to Article IV, section 6: "Provider requires that the LEA not provide Student Data in emails sent by its employees to the Provider." Article V, section s 2 is changed as followsAudits to be deleted in it's entirety and replaced with: "Provider will allow 'No more than once a year, upon receipt of a written request from the LEA with at least thirty (30) business days' notice and upon the execution of an appropriate confidentiality agreement, the Provider and the LEA will agree on an independent third party to audit the security and privacy measures that are in place" is changed place to "ensure protection of Student Data or any portion thereof as it pertains to the delivery of services to the LEA. The Provider will allow be responsible for all costs associated with the third-party audit. The Provider will cooperate reasonably with the independent third party conducting the audit of the Provider and/or delivery of Services to students and/or LEA, and shall provide reasonable access to the Provider's facilities, staff agents and LEA's Student Data and all records pertaining to the LEA to audit the summary security and privacy measures that are in place" Article V, section 4 has the following text added delivery of Services to the end LEA. The last sentence of the first paragraphparagraph of Exhibit G, s 11 to be deleted in its entirety and replaced with: "when compromise was caused by “Upon termination of the Provider:" Exhibit C, Definitions "Service Agreement: Refers to the Contract, Purchase Order or Terms of Service or Terms of Use." is changed to "Service Agreement: Refers to Agreement between the Provider and LEA, the Provider will delete or transfer to the LEA Contractall remaining Student Data in the Provider’s possession, Purchase Order or Terms as directed by the LEA, within 60 calendar days of Service or Terms of Use."the termination. R E F E R E N C E N U M B E R 91E32FF 5-535F-4529-BC47-CE511D25BE0F S I G N AT U R E C E RT I F I C AT E TRANSACTION DETAILS DOCUMENT DETAILS Reference Number 91E32FF5-535F-4529-BC47-CE511D25BE0F Transaction Type Signature Request Sent At 04/30/2021 09:57 EDT Executed At 04/30/2021 10:28 EDT Identity Method email Distribution Method email Signed Checksum Document Name Il Ndpa V1a Turnitin Cusd50 Final 2 Filename il_ndpa_v1a_turnitin_cusd50_final_2_.pdf Pages 23 pages Content Type application/pdf File Size