Continuing Obligations The rights and obligations of the Parties that, by their nature, would continue beyond the expiration or termination of this Agreement, e.g., "Liability and Risk of Loss" and "Intellectual Property Rights"-related clauses shall survive such expiration or termination of this Agreement.
Additional Statutory and Regulatory Obligations Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement: (a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. (b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached. (c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: (i) the parent or eligible student has provided prior written consent; or (ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. (e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. (f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. (g) To comply with the District’s policy on data security and privacy, Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit. (j) To cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data. (k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.