Common use of SaaS Products Clause in Contracts

SaaS Products.  We use a shared user information database across our SaaS products and features. This includes Mobile Manager, Relay, Launch, Analytics and Classroom. Customers will commonly sync student records to this shared database for classroom specific management capabilities across these products. Customers have full access to and manage this data. Lightspeed Systems employee access to this data is limited to support needs.  We do not share this information with any 3rd party unless specifically directed by the customer and requiring a signed document from the customer to initiate the sharing. The personal contact information collected by this can include Network Username or Email Address, First and Last Name, School Grade or Year Level, Class or Group Memberships. Relay  Filter – B (H mandatory) / C / D / I (user or Admin) / K / L / M / GAFE OU / Time on App  Google Classroom – B (H mandatory) / C / D / I / Class Name  O – if enabled  Flagged Browsing content either posted or reviewed on websites MDM  With SIS integration – A-J and O  Without SIS integration – only F  Additional Information from devices using MDM  Apps distributed to user (Managed by User) or to a particular device (Managed by Device)  Type of Device  Version of Operating System Classroom  With SIS integration – A-J  Without SIS integration – only F and either H or B  In addition to the shared SaaS information collected above Classroom Orchestrator may collect screenshots of computer usage that could contain personal information.  Access to this information is limited to the organization and group admins defined by the customer and when necessary for support reasons can be shared with a Lightspeed Systems employee. EXHIBIT “C” DEFINITIONS De-Identifiable Information (DII): De-Identification refers to the process by which the Vendor removes or obscures any Personally Identifiable Information (“PII”) from student records in a way that removes or minimizes the risk of disclosure of the identity of the individual and information about them.

SaaS Products.  We use a shared user information database across our SaaS products and features. This includes Mobile Manager, Relay, Launch, Analytics and Classroom. Customers will commonly sync student records to this shared database for classroom specific management capabilities across these products. Customers have full access to and manage this data. Lightspeed Systems employee access to this data is limited to support needs.  • We do not share this information with any 3rd party unless specifically directed by the customer and requiring a signed document from the customer to initiate the sharing. The personal contact information collected by this can include Network Username or Email Address, First and Last Name, School Grade or Year Level, Class or Group Memberships. Relay  • Filter – B (H mandatory) / C / D / I (user or Admin) / K / L / M / GAFE OU / Time on App  • Google Classroom – B (H mandatory) / C / D / I / Class Name  • O – if enabled  • Flagged Browsing content either posted or reviewed on websites Oregon Data Privacy Agreement V 2.0 14 MDM  • With SIS integration – A-J and O  • Without SIS integration – only F  • Additional Information from devices using MDM  • Apps distributed to user (Managed by User) or to a particular device (Managed by Device)  • Type of Device  • Version of Operating System Classroom  • With SIS integration – A-J  • Without SIS integration – only F and either H or B  • In addition to the shared SaaS information collected above Classroom Orchestrator may collect screenshots of computer usage that could contain personal information.  Access to this information is limited to the organization and group admins defined by the customer and when necessary for support reasons can be shared with a Lightspeed Systems employee. EXHIBIT “C” DEFINITIONS ACPE (Association for Computer Professionals in Education): Refers to the membership organization serving educational IT professionals in the states of Oregon and Washington to promote general recognition of the role of IT professionals in educational institutions; improve network and computer services; integrate emerging technologies; encourage appropriate use of information technology for the improvement of education and support standards whereby common interchanges of electronic information can be accomplished efficiently and effectively. Covered Information: Covered Information means materials that regard a student that are in any media or format and includes materials as identified by Oregon SB 187 (2015). The categories of Covered Information under Oregon law are found in Exhibit B. For purposes of this DPA, Covered Information is referred to as Student Data. Educational Records: Educational Records are official records, files and data directly related to a student and maintained by the school or local education agency, including but not limited to, records encompassing all the material kept in the student’s cumulative folder, such as general identifying data, records of attendance and of academic work completed, records of achievement, and results of evaluative tests, health data, disciplinary status, test protocols and individualized education programs. For purposes of this DPA, Educational Records are referred to as Student Data. De-Identifiable Information (DII): De-Identification refers to the process by which the Vendor removes or obscures any Personally Identifiable Information (“PII”) from student records in a way that removes or minimizes the risk of disclosure of the identity of the individual and information about them. NIST: Draft National Institute of Standards and Technology (“NIST”) Special Publication Digital Authentication Guideline. Personally Identifiable Information (PII): The terms “Personally Identifiable Information” or “PII” shall include, but are not limited to, student data, metadata, and user or student-generated content obtained by reason of the use of Provider’s software, website, service, or app, including mobile apps, whether gathered by Provider or provided by LEA or its users, students, or students’ parents/guardians. PII includes Indirect Identifiers, which is any information that, either alone or in aggregate, would allow a reasonable person to be able to identify a student to a reasonable certainty. For purposes of this DPA, Personally Identifiable Information shall include the categories of information listed in the definition of Student Data. Provider: For purposes of the Service Agreement, the term “Provider” means provider of digital educational software or services, including cloud-based services, for the digital storage, management, and retrieval of student records. Within the DPA the term "Provider" includes the term “Third Party” as used in applicable state statutes.

SaaS Products.  We use a shared user information database across our SaaS products and features. This includes Mobile Manager, Relay, Launch, Analytics and Classroom. Customers will commonly sync student records to this shared database for classroom specific management capabilities across these products. Customers have full access to and manage this data. Lightspeed Systems employee access to this data is limited to support needs.  We do not share this information with any 3rd party unless specifically directed by the customer and requiring a signed document from the customer to initiate the sharing. The personal contact information collected by this can include Network Username or Email Address, First and Last Name, School Grade or Year Level, Class or Group Memberships. Relay  Filter – B (H mandatory) / C / D / I (user or Admin) / K / L / M / GAFE OU / Time on App  Google Classroom – B (H mandatory) / C / D / I / Class Name  O – if enabled  Flagged Browsing content either posted or reviewed on websites MDM  With SIS integration – A-J and O  Without SIS integration – only F  Additional Information from devices using MDM  Apps distributed to user (Managed by User) or to a particular device (Managed by Device)  Type of Device  Version of Operating System Classroom  With SIS integration – A-J  Without SIS integration – only F and either H or B  In addition to the shared SaaS information collected above Classroom Orchestrator may collect screenshots of computer usage that could contain personal information.  Access to this information is limited to the organization and group admins defined by the customer and when necessary for support reasons can be shared with a Lightspeed Systems employee. EXHIBIT “C” DEFINITIONS De-Identifiable Information (DII): De-Identification refers to the process by which the Vendor removes or obscures any Personally Identifiable Information (“PII”) from student records in a way that removes or minimizes the risk of disclosure of the identity of the individual and information about them.DEFINITIONS

SaaS Products.  We use a shared user information database across our SaaS products and features. This includes Mobile Manager, Relay, Launch, Analytics and Classroom. Customers will commonly sync student records to this shared database for classroom specific management capabilities across these products. Customers have full access to and manage this data. Lightspeed Systems employee access to this data is limited to support needs.  • We do not share this information with any 3rd party unless specifically directed by the customer and requiring a signed document from the customer to initiate the sharing. The personal contact information collected by this can include Network Username or Email Address, First and Last Name, School Grade or Year Level, Class or Group Memberships. Relay  • Filter – B (H mandatory) / C / D / I (user or Admin) / K / L / M / GAFE OU / Time on App  • Google Classroom – B (H mandatory) / C / D / I / Class Name  • O – if enabled  • Flagged Browsing content either posted or reviewed on websites MDM  • With SIS integration – A-J and O  • Without SIS integration – only F  • Additional Information from devices using MDM  • Apps distributed to user (Managed by User) or to a particular device (Managed by Device)  • Type of Device  • Version of Operating System Classroom  • With SIS integration – A-J  • Without SIS integration – only F and either H or B  • In addition to the shared SaaS information collected above Classroom Orchestrator may collect screenshots of computer usage that could contain personal information.  • Access to this information is limited to the organization and group admins defined by the customer and when necessary for support reasons can be shared with a Lightspeed Systems employee. EXHIBIT “C” DEFINITIONS DeData Breach means an event in which Division Data is exposed to unauthorized disclosure, access, alteration or use. LEA Data includes all business, employment, operational and Personally Identifiable Information that Division provides to Provider and that is not intentionally made generally available by the LEA on public websites or publications, including but not limited to business, administrative and financial data, intellectual property, and student, employees, and personnel data, user generated content and metadata but specifically excludes Provider Data (as defined in the Contract).De-Identifiable Information (DII): De-Identification refers to the process by which the Vendor Provider removes or obscures any Personally Identifiable Information (“PII”) from student records in a way that removes or minimizes the risk of disclosure of the identity of the individual and information about them. Anonymization or de-identification should follow guidance equivalent to that provided by U.S Department of Education publication “Data De- identification: An Overview of Basic Terms” or NISTIR Special Publication (SP) 8053 De- Identification of Personally Identifiable Information. The Provider’s specific steps to de-identify the data will depend on the circumstances but should be appropriate to protect students. Some potential disclosure limitation methods are blurring, masking, and perturbation. De- identification should ensure that any information when put together cannot indirectly identify the student, not only from the viewpoint of the public, but also from the vantage of those who are familiar with the individual. Information cannot be de- identified if there are fewer than twenty (20) students in the samples of a particular field or category, i.e., twenty students in a particular grade or less than twenty students with a particular disability. Educational Records: Educational Records are official records, files and data directly related to a student and maintained by the school or local education agency including, but not limited to, records encompassing all the material kept in the student’s cumulative folder, such as general identifying data, records of attendance and of academic work completed, records of achievement, and results of evaluative tests, health data, disciplinary status, test protocols and individualized education programs. For purposes of this DPA, Educational Records are referred to as Student Data. Indirect Identifiers: Any information that, either alone or in aggregate, would allow a reasonable person to be able to identify a student to a reasonable certainty Personally Identifiable Information (PII): The terms “Personally Identifiable Information” or “PII” shall include, but are not limited to, student data, staff data, parent data, metadata, and user or pupil-generated content obtained by reason of the use of Provider’s software, website, service, or app, including mobile apps, whether gathered by Provider or provided by Division or its users, students, or students’ parents/guardians, including “directory information” as defined by §22.1-287.1 of the Code of Virginia“. PII includes, without limitation, at least the following: ● Staff, Student or Parent First, Middle and Last Name ● Staff, Student or Parent Telephone Number(s) ● Discipline Records ● Special Education Data ● Grades ● Criminal Records ● Health Records ● Biometric Information ● Socioeconomic Information ● Political Affiliations ● Text Messages ● Student Identifiers Photos ● Videos ● Grade ● Home Address Subject ● Email Address ● Test Results ● Juvenile Dependency Records Evaluations ● Medical Records ● Social Security Number ● Disabilities ● Food Purchases ● Religious Information Documents ● Search Activity ● Voice Recordings ● Date of Birth ● Classes ● Information in the Student’s Educational Record ● Information in the Student’s Email Provider: For purposes of the DPA, the term “Provider” means provider of digital educational software or services, including cloud-based services, for the digital storage, management, and retrieval of pupil records. Within the DPA the term “Provider” includes the term “Third-Party” and the term “Operator” as used in applicable state statutes.

SaaS Products.  We use a shared user information database across our SaaS products and features. This includes Mobile Manager, Relay, Launch, Analytics and Classroom. Customers will commonly sync student records to this shared database for classroom specific management capabilities across these products. Customers have full access to and manage this data. Lightspeed Systems employee access to this data is limited to support needs.  • We do not share this information with any 3rd party unless specifically directed by the customer and requiring a signed document from the customer to initiate the sharing. The personal contact information collected by this can include Network Username or Email Address, First and Last Name, School Grade or Year Level, Class or Group Memberships. Relay  • Filter – B (H mandatory) / C / D / I (user or Admin) / K / L / M / GAFE OU / Time on App  • Google Classroom – B (H mandatory) / C / D / I / Class Name  • O – if enabled  • Flagged Browsing content either posted or reviewed on websites MDM  • With SIS integration – A-J and O  • Without SIS integration – only F  • Additional Information from devices using MDM  • Apps distributed to user (Managed by User) or to a particular device (Managed by Device)  • Type of Device  • Version of Operating System Classroom  • With SIS integration – A-J  • Without SIS integration – only F and either H or B  • In addition to the shared SaaS information collected above Classroom Orchestrator may collect screenshots of computer usage that could contain personal information.  • Access to this information is limited to the organization and group admins defined by the customer and when necessary for support reasons can be shared with a Lightspeed Systems employee. EXHIBIT “C” DEFINITIONS De-Identifiable Information (DII): De-Identification refers to the process by which the Vendor removes or obscures any Personally Identifiable Information (“PII”) from student records in a way that removes or minimizes the risk of disclosure of the identity of the individual and information about them.. The Provider’s specific steps to de-identify the data will depend on the circumstances, but should be appropriate to protect students. Some potential disclosure limitation methods are blurring, masking, and perturbation. De-identification should ensure that any information when put together cannot indirectly identify the student, not only from the viewpoint of the public, but also from the vantage of those who are familiar with the individual. Information cannot be de-identified if there are fewer than twenty (20) students in the samples of a particular field or category, i.e., twenty students in a particular grade or less than twenty students with a particular disability. NIST 800-63-3: Draft National Institute of Standards and Technology (“NIST”) Special Publication 800-63-3 Digital Authentication Guideline. In Process Personally Identifiable Information (PII): The terms “Personally Identifiable Information” or “PII” shall include, but are not limited to, student data, metadata, and user or pupil-generated content obtained by reason of the use of Provider’s software, website, service, or app, including mobile apps, whether gathered by Provider or provided by LEA or its users, students, or students’ parents/guardians. PII includes, without limitation, at least the following: First Name Home Address Last Name Subject Telephone Number Email Address Discipline Records Test Results Special Education Data Juvenile Dependency Records Grades Evaluations Criminal Records Medical Records Health Records Social Security Number Biometric Information Disabilities Socioeconomic Information Food Purchases Political Affiliations Religious Information Text Messages Documents Student Identifiers Search Activity Photos Voice Recordings Videos Date of Birth Grade Classes General Categories:

SaaS Products.  We use a shared user information database across our SaaS products and features. This includes Mobile Manager, Relay, Launch, Analytics and Classroom. Customers will commonly sync student records to this shared database for classroom specific management capabilities across these products. Customers have full access to and manage this data. Lightspeed Systems employee access to this data is limited to support needs.  We do not share this information with any 3rd party unless specifically directed by the customer and requiring a signed document from the customer to initiate the sharing. The personal contact information collected by this can include Network Username or Email Address, First and Last Name, School Grade or Year Level, Class or Group Memberships. Relay  Filter – B (H mandatory) / C / D / I (user or Admin) / K / L / M / GAFE OU / Time on App  Google Classroom – B (H mandatory) / C / D / I / Class Name  O – if enabled  Flagged Browsing content either posted or reviewed on websites MDM  With SIS integration – A-J and O  Without SIS integration – only F  Additional Information from devices using MDM  Apps distributed to user (Managed by User) or to a particular device (Managed by Device)  Type of Device  Version of Operating System Classroom  With SIS integration – A-J  Without SIS integration – only F and either H or B  In addition to the shared SaaS information collected above Classroom Orchestrator may collect screenshots of computer usage that could contain personal information.  Access to this information is limited to the organization and group admins defined by the customer and when necessary for support reasons can be shared with a Lightspeed Systems employee. EXHIBIT “C” DEFINITIONS De-Identifiable Information (DII): De-Identification refers to the process by which the Vendor removes or obscures any Personally Identifiable Information (“PII”) from student records in a way that removes or minimizes the risk of disclosure of the identity of the individual and information about them.. The Provider’s specific steps to de-identify the data will depend on the circumstances, but should be appropriate to protect students. Some potential disclosure limitation methods are blurring, masking, and perturbation. De-identification should ensure that any information when put together cannot indirectly identify the student, not only from the viewpoint of the public, but also from the vantage of those who are familiar with the individual. NIST 800-63-3: Draft National Institute of Standards and Technology (“NIST”) Special Publication 800-63-3 Digital Authentication Guideline. Personally Identifiable Information (PII): The terms “Personally Identifiable Information” or “PII” shall include, but are not limited to, student data, metadata, and user or pupil-generated content obtained by reason of the use of Provider’s software, website, service, or app, including mobile apps, whether gathered by Provider or provided by LEA or its users, students, or students’ parents/guardians. PII includes, without limitation, at least the following: First Name Home Address Last Name Subject Telephone Number Email Address Discipline Records Test Results Special Education Data Juvenile Dependency Records Grades Evaluations Criminal Records Medical Records Health Records Social Security Number Biometric Information Disabilities Socioeconomic Information Food Purchases Political Affiliations Religious Information Text Messages Documents Student Identifiers Search Activity Photos Voice Recordings Videos Date of Birth Grade Classes Place of birth Social Media Address Unique pupil identifier Credit card account number, insurance account number, and financial services account number Name of the student's parents or other family members General Categories:

SaaS Products.  We use a shared user information database across our SaaS products and features. This includes Mobile Manager, Relay, Launch, Analytics and Classroom. Customers will commonly sync student records to this shared database for classroom specific management capabilities across these products. Customers have full access to and manage this data. Lightspeed Systems employee access to this data is limited to support needs.  • We do not share this information with any 3rd party unless specifically directed by the customer and requiring a signed document from the customer to initiate the sharing. The personal contact information collected by this can include Network Username or Email Address, First and Last Name, School Grade or Year Level, Class or Group Memberships. Relay  • Filter – B (H mandatory) / C / D / I (user or Admin) / K / L / M / GAFE OU / Time on App  • Google Classroom – B (H mandatory) / C / D / I / Class Name  • O – if enabled  • Flagged Browsing content either posted or reviewed on websites MDM  • With SIS integration – A-J and O  • Without SIS integration – only F  • Additional Information from devices using MDM  • Apps distributed to user (Managed by User) or to a particular device (Managed by Device)  • Type of Device  • Version of Operating System Classroom  • With SIS integration – A-J  • Without SIS integration – only F and either H or B  • In addition to the shared SaaS information collected above Classroom Orchestrator may collect screenshots of computer usage that could contain personal information.  • Access to this information is limited to the organization and group admins defined by the customer and when necessary for support reasons can be shared with a Lightspeed Systems employee. EXHIBIT “C” DEFINITIONS De-Identifiable Information (DII): De-Identification refers to the process by which the Vendor removes or obscures any Personally Identifiable Information (“PII”) from student records in a way that removes or minimizes the risk of disclosure of the identity of the individual and information about them.DEFINITIONS