STANDARD STUDENT DATA PRIVACY AGREEMENT
MA-ME-NH-RI-VT-NY NDPA, Standard Version 1.0
_____________________________
and
ReachMyTeach LLC
This Student Data Privacy Agreement (“DPA”) is entered into on the date of full execution (the “Effective Date”) and is entered into by and between: an LEA, located at (the “Local Education Agency” or “LEA”) and ReachMyTeach LLC, located at 36 Runnells St., Portland, ME 04103 (the “Provider”).
WHEREAS, the Provider is providing educational or digital services to LEA.
WHEREAS, the Provider and LEA recognize the need to protect personally identifiable student information and other regulated data exchanged between them as required by applicable laws and regulations, such as the Family Educational Rights and Privacy Act (“FERPA”) at 20 U.S.C. § 1232g (34 CFR Part 99); the Children’s Online Privacy Protection Act (“COPPA”) at 15 U.S.C. § 6501-6506 (16 CFR Part 312); and applicable state privacy laws and regulations; and
WHEREAS, the Provider and LEA desire to enter into this DPA for the purpose of establishing their respective obligations and duties in order to comply with applicable laws and regulations.
NOW THEREFORE, for good and valuable consideration, LEA and Provider agree as follows:
1. A description of the Services to be provided, the categories of Student Data that may be provided by LEA to Provider, and other information specific to this DPA are contained in the Standard Clauses hereto.
2. Special Provisions. Check if Required
- If checked, the Supplemental State Terms attached hereto as Exhibit “E” are hereby incorporated by reference into this DPA in their entirety.
3. In the event of a conflict between the SDPC Standard Clauses and the State or Special Provisions, the State or Special Provisions will control. In the event there is conflict between the terms of the DPA and any other writing, including, but not limited to, the Service Agreement and Provider Terms of Service or Privacy Policy, the terms of this DPA shall control.
4. The services to be provided by Provider to LEA pursuant to this DPA are detailed in Exhibit “A” (the “Services”).
5. Notices. All notices or other communication required or permitted to be given hereunder may be given via e-mail transmission, or first-class mail, sent to the designated representatives below.
The designated representative for the Provider for this DPA is:
Name: Helen Cohen
Title: COO
Address: 36 Runnells Street Portland, ME 04103
Phone: 2076130076
Email: helen@reachmyteach.com
STANDARD CLAUSES
Version 1.0
ARTICLE I: PURPOSE AND SCOPE
1. Purpose of DPA. The purpose of this DPA is to describe the duties and responsibilities to protect Student Data including compliance with all applicable federal, state, and local privacy laws, rules, and regulations, all as may be amended from time to time. In performing these services, the Provider shall be considered a School Official with a legitimate educational interest, and performing services otherwise provided by the LEA. Provider shall be under the direct control and supervision of the LEA, with respect to its use of Student Data.
2. Student Data to Be Provided. In order to perform the Services described above, LEA shall provide Student Data as identified in the Schedule of Data, attached hereto as Exhibit “B”.
3. DPA Definitions. The definition of terms used in this DPA is found in Exhibit “C”. In the event of a conflict, definitions used in this DPA shall prevail over terms used in any other writing, including, but not limited to the Service Agreement, Terms of Service, Privacy Policies etc.
ARTICLE II: DATA OWNERSHIP AND AUTHORIZED ACCESS
1. Student Data Property of LEA. All Student Data transmitted to the Provider pursuant to the Service Agreement is and will continue to be the property of and under the control of the LEA. The Provider further acknowledges and agrees that all copies of such Student Data transmitted to the Provider, including any modifications or additions or any portion thereof from any source, are subject to the provisions of this DPA in the same manner as the original Student Data. The Parties agree that as between them, all rights, including all intellectual property rights in and to Student Data contemplated per the Service Agreement, shall remain the exclusive property of the LEA. For the purposes of FERPA, the Provider shall be considered a School Official, under the control and direction of the LEA as it pertains to the use of Student Data, notwithstanding the above.
2. Parent Access. To the extent required by law, the LEA shall establish reasonable procedures by which a parent, legal guardian, or eligible student may review Education Records and/or Student Data, correct erroneous information, and procedures for the transfer of student-generated content to a personal account, consistent with the functionality of services. Provider shall respond in a reasonably timely manner (and no later than forty-five (45) days from the date of the request or pursuant to the time frame required under state law for an LEA to respond to a parent or student, whichever is sooner) to the LEA’s request for Student Data in a student’s records held by the Provider to view or correct as necessary. In the event that a parent of a student or other individual contacts the Provider to review any of the Student Data accessed pursuant to the Services, the Provider shall refer the parent or individual to the LEA, who will follow the necessary and proper procedures regarding the requested information.
3. Separate Account. If Student-Generated Content is stored or maintained by the Provider, Provider shall, at the request of the LEA, transfer, or provide a mechanism for the LEA to transfer, said Student Generated Content.
4. Law Enforcement Requests. Should law enforcement or other government entities (“Requesting Party(ies)”) contact Provider with a request for Student Data held by the Provider pursuant to the Services, the Provider shall notify the LEA in advance of a compelled disclosure to the Requesting Party, unless lawfully directed by the Requesting Party not to inform the LEA of the request.
5. Subprocessors. Provider shall enter into written agreements with all Subprocessors performing functions for the Provider in order for the Provider to provide the Services pursuant to the Service Agreement, whereby the Subprocessors agree to protect Student Data in a manner no less stringent than the terms of this DPA.
ARTICLE III: DUTIES OF LEA
1. Provide Data in Compliance with Applicable Laws. LEA shall provide Student Data for the purposes of obtaining the Services in compliance with all applicable federal, state, and local privacy laws, rules, and regulations, all as may be amended from time to time.
2. Annual Notification of Rights. If the LEA has a policy of disclosing Education Records and/or Student Data under FERPA (34 CFR § 99.31(a)(1)), LEA shall include a specification of criteria for determining who constitutes a school official and what constitutes a legitimate educational interest in its annual notification of rights.
3. Reasonable Precautions. LEA shall take reasonable precautions to secure usernames, passwords, and any other means of gaining access to the services and hosted Student Data.
4. Unauthorized Access Notification. LEA shall notify Provider promptly of any known unauthorized access. LEA will assist Provider in any efforts by Provider to investigate and respond to any unauthorized access.
ARTICLE IV: DUTIES OF PROVIDER
1. Privacy Compliance. The Provider shall comply with all applicable federal, state, and local laws, rules, and regulations pertaining to Student Data privacy and security, all as may be amended from time to time.
2. Authorized Use. The Student Data shared pursuant to the Service Agreement, including persistent unique identifiers, shall be used for no purpose other than the Services outlined in Exhibit A or stated in the Service Agreement and/or otherwise authorized under the statutes referred to herein this DPA.
3. Provider Employee Obligation. Provider shall require all of Provider’s employees and agents who have access to Student Data to comply with all applicable provisions of this DPA with respect to the Student Data shared under the Service Agreement. Provider agrees to require and maintain an appropriate confidentiality agreement from each employee or agent with access to Student Data pursuant to the Service Agreement.
4. No Disclosure. Provider acknowledges and agrees that it shall not make any re-disclosure of any Student Data or any portion thereof, including without limitation, user content or other non-public information and/or personally identifiable information contained in the Student Data, other than as directed or permitted by the LEA or this DPA. This prohibition against disclosure shall not apply to aggregate summaries of De-Identified information, Student Data disclosed pursuant to a lawfully issued subpoena or other legal process, or to Subprocessors performing services on behalf of the Provider pursuant to this DPA. Provider will not Sell Student Data to any third party.
5. De-Identified Data. Provider agrees not to attempt to re-identify de-identified Student Data. De-Identified Data may be used by the Provider for those purposes allowed under FERPA and the following purposes: (1) assisting the LEA or other governmental agencies in conducting research and other studies; (2) research and development of the Provider's educational sites, services, or applications, and to demonstrate the effectiveness of the Services; and (3) for adaptive learning purposes and for customized student learning. Provider's use of De-Identified Data shall survive termination of this DPA or any request by LEA to return or destroy Student Data. Except for Subprocessors, Provider agrees not to transfer de-identified Student Data to any party unless (a) that party agrees in writing not to attempt re-identification, and (b) prior written notice has been given to the LEA, who has provided prior written consent for such transfer. Prior to publishing any document that names the LEA explicitly or indirectly, the Provider shall obtain the LEA’s written approval of the manner in which de-identified data is presented.
6. Disposition of Data. Upon written request from the LEA, Provider shall dispose of or provide a mechanism for the LEA to transfer Student Data obtained under the Service Agreement, within sixty (60) days of the date of said request and according to a schedule and procedure as the Parties may reasonably agree. Upon termination of this DPA, if no written request from the LEA is received, Provider shall dispose of all Student Data after providing the LEA with reasonable prior notice. The duty to dispose of Student Data shall not extend to Student Data that had been De-Identified or placed in a separate student account pursuant to Article II, section 3. The LEA may employ a “Directive for Disposition of Data” form, a copy of which is attached hereto as Exhibit “D”. If the LEA and Provider employ Exhibit “D,” no further written request or notice is required on the part of either party prior to the disposition of Student Data described in Exhibit “D.”
7. Advertising Limitations. Provider is prohibited from using, disclosing, or selling Student Data to (a) inform, influence, or enable Targeted Advertising; or (b) develop a profile of a student, family member/guardian or group, for any purpose other than providing the Service to LEA. This section does not prohibit Provider from using Student Data (i) for adaptive learning or customized student learning (including generating personalized learning recommendations); or (ii) to make product recommendations to teachers or LEA employees; or (iii) to notify account holders about new education product updates, features, or services, or from otherwise using Student Data as permitted in this DPA and its accompanying exhibits.
ARTICLE V: DATA PROVISIONS
1. Data Storage. Where required by applicable law, Student Data shall be stored within the United States. Upon request of the LEA, Provider will provide a list of the locations where Student Data is stored.
2. Audits. No more than once a year, or following unauthorized access, upon receipt of a written request from the LEA with at least ten (10) business days’ notice and upon the execution of an appropriate confidentiality agreement, the Provider will allow the LEA to audit the security and privacy measures that are in place to ensure protection of Student Data or any portion thereof as it pertains to the delivery of services to the LEA. The Provider will cooperate reasonably with the LEA and any local, state, or federal agency with oversight authority or jurisdiction in connection with any audit or investigation of the Provider and/or delivery of Services to students and/or LEA, and shall provide reasonable access to the Provider’s facilities, staff, agents and LEA’s Student Data and all records pertaining to the Provider, LEA and delivery of Services to the LEA. Failure to reasonably cooperate shall be deemed a material breach of the DPA.
3. Data Security. The Provider agrees to utilize administrative, physical, and technical safeguards designed to protect Student Data from unauthorized access, disclosure, acquisition, destruction, use, or modification. The Provider shall adhere to any applicable law relating to data security. Exclusions, variations, or exemptions to the identified Cybersecurity Framework must be detailed in an attachment. Provider shall provide, in the Standard Schedule to the DPA, contact information of an employee who LEA may contact if there are any data security concerns or questions.
4. Data Breach. In the event of an unauthorized release, disclosure or acquisition of Student Data that compromises the security, confidentiality or integrity of the Student Data maintained by the Provider, the Provider shall provide notification to LEA within seventy-two (72) hours of confirmation of the incident, unless notification within this time limit would disrupt investigation of the incident by law enforcement. In such an event, notification shall be made within a reasonable time after the incident. Provider shall follow the following process:
(1) The security breach notification described above shall include, at a minimum, the following information to the extent known by the Provider and as it becomes available:
i. The name and contact information of the reporting LEA subject to this section.
ii. A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
iii. If the information is possible to determine at the time the notice is provided, then either (1) the date of the breach, (2) the estimated date of the breach, or (3) the date range within which the breach occurred. The notification shall also include the date of the notice.
iv. Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided; and
v. A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
(2) Provider agrees to adhere to all federal and state requirements with respect to a data breach related to the Student Data, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such data breach.
(3) Provider further acknowledges and agrees to have a written incident response plan that reflects best practices and is consistent with industry standards and federal and state law for responding to a data breach, breach of security, privacy incident or unauthorized acquisition or use of Student Data or any portion thereof, including personally identifiable information and agrees to provide LEA, upon request, with a summary of said written incident response plan.
(4) LEA shall provide notice and facts surrounding the breach to the affected students, parents or guardians.
(5) In the event of a breach originating from LEA’s use of the Service, Provider shall cooperate with LEA to the extent necessary to expeditiously secure Student Data.
ARTICLE VI: MISCELLANEOUS
1. Termination. In the event that either Party seeks to terminate this DPA, they may do so by mutual written consent so long as the Service Agreement has lapsed or has been terminated. Either party may terminate this DPA and any service agreement or contract if the other party breaches any terms of this DPA.
2. Effect of Termination; Survival. If the Service Agreement is terminated, the Provider shall destroy all of LEA’s Student Data pursuant to Article IV, section 6.
3. Priority of Agreements. This DPA shall govern the treatment of Student Data in order to comply with the privacy protections, including those found in FERPA and all applicable privacy statutes identified in this DPA. In the event there is conflict between the terms of the DPA and the Service Agreement, Terms of Service, Privacy Policies, or with any other bid/RFP, license agreement, or writing, the terms of this DPA shall apply and take precedence. In the event of a conflict between the SDPC Standard Clauses and the Supplemental State Terms, the Supplemental State Terms will control. Except as described in this paragraph herein, all other provisions of the Service Agreement shall remain in effect.
4. Entire Agreement. This DPA and the Service Agreement constitute the entire agreement of the Parties relating to the subject matter hereof and supersede all prior communications, representations, or agreements, oral or written, by the Parties relating thereto. This DPA may be amended and the observance of any provision of this DPA may be waived (either generally or in any particular instance and either retroactively or prospectively) only with the signed written consent of both Parties. Neither failure nor delay on the part of any Party in exercising any right, power, or privilege hereunder shall operate as a waiver of such right, nor shall any single or partial exercise of any such right, power, or privilege preclude any further exercise thereof or the exercise of any other right, power, or privilege.
5. Severability. Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions of this DPA, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. Notwithstanding the foregoing, if such provision could be more narrowly drawn so as not to be prohibited or unenforceable in such jurisdiction while, at the same time, maintaining the intent of the Parties, it shall, as to such jurisdiction, be so narrowly drawn without invalidating the remaining provisions of this DPA or affecting the validity or enforceability of such provision in any other jurisdiction.
6. Governing Law; Venue and Jurisdiction. THIS DPA WILL BE GOVERNED BY AND CONSTRUED IN ACCORDANCE WITH THE LAWS OF THE STATE OF THE LEA, WITHOUT REGARD TO CONFLICTS OF LAW PRINCIPLES. EACH PARTY CONSENTS AND SUBMITS TO THE SOLE AND EXCLUSIVE JURISDICTION TO THE STATE AND FEDERAL COURTS FOR THE COUNTY OF THE LEA FOR ANY DISPUTE ARISING OUT OF OR RELATING TO THIS DPA OR THE TRANSACTIONS CONTEMPLATED HEREBY.
7. Successors Bound. This DPA is and shall be binding upon the respective successors in interest to Provider in the event of a merger, acquisition, consolidation or other business reorganization or sale of all or substantially all of the assets of such business. In the event that the Provider sells, merges, or otherwise disposes of its business to a successor during the term of this DPA, the Provider shall provide written notice to the LEA no later than sixty (60) days after the closing date of sale, merger, or disposal. Such notice shall include a written, signed assurance that the successor will assume the obligations of the DPA and any obligations with respect to Student Data within the Service Agreement. The LEA has the authority to terminate the DPA if it disapproves of the successor to whom the Provider is selling, merging, or otherwise disposing of its business.
8. Authority. Each party represents that it is authorized to bind to the terms of this DPA, including confidentiality and destruction of Student Data and any portion thereof contained therein, all related or associated institutions, individuals, employees or contractors who may have access to the Student Data and/or any portion thereof.
9. Waiver. No delay or omission by either party to exercise any right hereunder shall be construed as a waiver of any such right and both parties reserve the right to exercise any such right from time to time, as often as may be deemed expedient.
EXHIBIT “A”
DESCRIPTION OF SERVICES
ReachMyTeach, is a communication platform. Through ReachMyTeach authorized users can communicate with authorized recipients over email, text, WhatsApp, voice, and video. ReachMyTeach uses provided data to seamlessly translate messages as needed. ReachMyTeach provides written translation for 130 languages, and offers a more limited range of languages for text-to-speech. ReachMyTeach also supports translation of PDFs up to 7,000 characters. ReachMyTeach supports access to on-demand and scheduled video interpreters and district wide messaging if an LEA approves usage of these features.
EXHIBIT “B”
SCHEDULE OF DATA
Category of Data | Elements | Check if Used by Your System
Application Technology Meta Data | IP Addresses of users, Use of cookies, etc. | x
 | Other application technology meta data - Please specify: Browser device | 
Application Use Statistics | Meta data on user interaction with application | x
Assessment | Standardized test scores | 
 | Observation data | 
 | Other assessment data - Please specify: | 
Attendance | Student school (daily) attendance data | 
 | Student class attendance data | 
Communications | Online communications captured (emails, blog entries) | x
Conduct | Conduct or behavioral data | 
Demographics | Date of Birth | 
 | Place of Birth | 
 | Gender | 
 | Ethnicity or race | 
 | Language information (native, or primary language spoken by student) | x
 | Other demographic information - Please specify: | 
Enrollment | Student school enrollment | x
 | Student grade level | x
 | Homeroom | x
 | Guidance counselor | x
 | Specific curriculum programs | x
 | Year of graduation | 
 | Other enrollment information - Please specify: | 
Parent/Guardian Contact Information | Address | 
 | | x
 | Phone | x
Parent/Guardian ID | Parent ID number (created to link parents to students) | x
Parent/Guardian Name | First and/or Last | x
Schedule | Student scheduled courses | x
 | Teacher names | x
Special Indicator | English language learner information | x
 | Low income status | 
 | Medical alerts/ health data | 
 | Student disability information | 
 | Specialized education services (IEP or 504) | 
 | Living situations (homeless/foster care) | 
 | Other indicator information - Please specify: | 
Student Contact Information | Address | 
 | | x
 | Phone | x
Student Identifiers | Local (School district) ID number | x
 | State ID number | 
 | Provider/App assigned student ID number | x
 | Student app username | 
 | Student app passwords | 
Student Name | First and/or Last | x
Student In App Performance | Program/application performance (typing program-student types 60 wpm, reading program-student reads below grade level) | 
Student Program Membership | Academic or extracurricular activities a student may belong to or participate in | x
Student Survey Responses | Student responses to surveys or questionnaires | 
Student work | Student generated content; writing, pictures, etc. | Messages responding to teachers
 | Other student work data - Please specify: | 
Transcript | Student course grades | 
 | Student course data | 
 | Student course grades/ performance scores | 
 | Other transcript data - Please specify: | 
Transportation | Student bus assignment | 
 | Student pick up and/or drop off location | 
 | Student bus card ID number | 
 | Other transportation data - Please specify: | 
Other | Please list each additional data element used, stored, or collected by your application: | Guardian/student WhatsApp preference. Voice Recordings
None | No Student Data collected at this time. Provider will immediately notify LEA if this designation is no longer applicable. | 
EXHIBIT “C”
DEFINITIONS
De-Identified Data and De-Identification: Records and information are considered to be de-identified when all personally identifiable information has been removed or obscured, such that the remaining information does not reasonably identify a specific individual, including, but not limited to, any information that, alone or in combination is linkable to a specific student and provided that the educational agency, or other party, has made a reasonable determination that a student’s identity is not personally identifiable, taking into account reasonable available information.
Educational Records: Educational Records are records, files, documents, and other materials directly related to a student and maintained by the school or local education agency, or by a person acting for such school or local education agency, including but not limited to, records encompassing all the material kept in the student’s cumulative folder, such as general identifying data, records of attendance and of academic work completed, records of achievement, and results of evaluative tests, health data, disciplinary status, test protocols and individualized education programs.
Metadata: means information that provides meaning and context to other data being collected; including, but not limited to: date and time records and purpose of creation. Metadata that have been stripped of all direct and indirect identifiers are not considered Personally Identifiable Information.
Operator: means the operator of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used for K–12 school purposes. Any entity that operates an internet website, online service, online application, or mobile application that has entered into a signed, written agreement with an LEA to provide a service to that LEA shall be considered an “operator” for the purposes of this section.
Originating LEA: An LEA who originally executes the DPA in its entirety with the Provider.
Provider: For purposes of the DPA, the term “Provider” means provider of digital educational software or services, including cloud-based services, for the digital storage, management, and retrieval of Student Data. Within the DPA the term “Provider” includes the term “Third Party” and the term “Operator” as used in applicable state statutes.
Student Generated Content: The term “student-generated content” means materials or content created by a student in the services including, but not limited to, essays, research reports, portfolios, creative writing, music or other audio files, photographs, videos, and account information that enables ongoing ownership of student content.
School Official: For the purposes of this DPA and pursuant to 34 CFR § 99.31(b), a School Official is a contractor that: (1) Performs an institutional service or function for which the agency or institution would otherwise use employees; (2) Is under the direct control of the agency or institution with respect to the use and maintenance of Student Data including Education Records; and (3) Is subject to 34 CFR § 99.33(a) governing the use and re-disclosure of personally identifiable information from Education Records.
Service Agreement: Refers to the Contract, Purchase Order or Terms of Service or Terms of Use.
Student Data: Student Data includes any data, whether gathered by Provider or provided by LEA or its users, students, or students’ parents/guardians, that is descriptive of the student including, but not limited to, information in the student’s educational record or email, first and last name, birthdate, home or other physical address, telephone number, email address, or other information allowing physical or online contact, discipline records, videos, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security numbers, biometric information, disabilities, socioeconomic information, individual purchasing behavior or preferences, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, geolocation information, parents’ names, or any other information or identification number that would provide information about a specific student. Student Data includes Meta Data. Student Data further includes “personally identifiable information (PII),” as defined in 34 C.F.R. § 99.3 and as defined under any applicable state law. Student Data shall constitute Education Records for the purposes of this DPA, and for the purposes of federal, state, and local laws and regulations. Student Data as specified in Exhibit “B” is confirmed to be collected or processed by the Provider pursuant to the Services. Student Data shall not constitute that information that has been anonymized or de-identified, or anonymous usage data regarding a student’s use of Provider’s services.
Subprocessor: For the purposes of this DPA, the term “Subprocessor” (sometimes referred to as the “Subcontractor”) means a party other than LEA or Provider, who Provider uses for data collection, analytics, storage, or other service to operate and/or improve its service, and who has access to Student Data.
Subscribing LEA: An LEA that was not party to the original Service Agreement and who accepts the Provider’s General Offer of Privacy Terms.
Targeted Advertising: means presenting an advertisement to a student where the selection of the advertisement is based on Student Data or inferred over time from the usage of the operator's Internet web site, online service or mobile application by such student or the retention of such student's online activities or requests over time for the purpose of targeting subsequent advertisements. "Targeted advertising" does not include any advertising to a student on an Internet web site based on the content of the web page or in response to a student's response or request for information or feedback.
Third Party: The term “Third Party” means a provider of digital educational software or services, including cloud based services, for the digital storage, management, and retrieval of Education Records and/or Student Data, as that term is used in some state statutes. However, for the purpose of this DPA, the term “Third Party” when used to indicate the provider of digital educational software or services is replaced by the term “Provider.”
EXHIBIT “D”
DIRECTIVE FOR DISPOSITION OF DATA
[LEA] directs Provider to dispose of data obtained by Provider pursuant to the terms of the Service Agreement between LEA and Provider. The terms of the Disposition are set forth below:
1. Extent of Disposition
_____ Disposition is partial. The categories of data to be disposed of are set forth below or are found in an attachment to this Directive:
[Insert categories of data here]
_____ Disposition is Complete. Disposition extends to all categories of data.
2. Nature of Disposition
_____ Disposition shall be by destruction or deletion of data.
_____ Disposition shall be by a transfer of data. The data shall be transferred to the following site as follows:
[Insert or attach special instructions]
3. Schedule of Disposition
Data shall be disposed of by the following date:
_____ As soon as commercially practicable.
_____ By [Insert Date]
Exhibit E
California
ReachMyTeach agrees that, as per Cal. Edu. Code § 49073.1, commonly known as AB 1584:
- pupil records continue to be the property of and under the control of the local educational agency;
- ReachMyTeach will not use personally identifiable information in individual pupil records for commercial or advertising purposes;
- ReachMyTeach will not use any information in the pupil record for any purpose other than for the requirements of the contract;
- Parents, legal guardians or eligible pupils may review the pupil’s records or correct erroneous information in those records by accessing the ReachMyTeach account of the pupil;
- ReachMyTeach undertakes extensive security training of all employees, including training on security at hire and at least annually thereafter. A partial, but not exhaustive, description of our data security practices can be provided upon request;
- ReachMyTeach will comply with the requirements of California law, as set forth at Cal. Civ. Code § 1792.82 et seq., for informing affected parties in the event of an unauthorized disclosure of pupil records;
- ReachMyTeach will neither retain pupil records nor maintain those records in a manner that makes them available (a) upon completion of the terms of the contract; (b) after a request for deletion by the contracting party; and (c) within a commercially reasonable period for deletion; and,
- at all times during the pendency of any contract between ReachMyTeach and a local educational agency (LEA), ReachMyTeach acts solely as a “school official” as that term is defined in the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA), and will, therefore, facilitate the LEA’s compliance with FERPA as directed by the LEA.
EXHIBIT “E”
Massachusetts
WHEREAS, the documents and data transferred from LEAs and created by the Provider’s Services are also subject to several state laws in Massachusetts. Specifically, those laws are 603 C.M.R. 23.00, Massachusetts General Law, Chapter 71, Sections 34D to 34H and 603 CMR 28.00; and
WHEREAS, the Parties wish to enter into these supplemental terms to the DPA to ensure that the Services provided conform to the requirements of the privacy laws referred to above and to establish implementing procedures and duties;
WHEREAS, the Parties wish these terms to be hereby incorporated by reference into the DPA in their entirety for Massachusetts;
NOW THEREFORE, for good and valuable consideration, the parties agree as follows:
1. In Article IV, Section 2, replace “otherwise authorized,” with “otherwise required” and delete “or stated in the Service Agreement.”
2. All employees of the Provider who will have direct contact with students shall pass criminal background checks.
3. In Article V, Section 1 Data Storage: Massachusetts does not require data to be stored within the United States.
EXHIBIT “E”
Maine
WHEREAS, the documents and data transferred from LEAs and created by the Provider’s Services are also subject to several state laws in Maine. Specifically, those laws are 20-A M.R.S. §§ 6001-6005; 20-A M.R.S. § 951 et seq.; Maine Unified Special Education Regulations, Maine Dep’t of Edu. Rule Ch. 101; and
WHEREAS, the Parties wish to enter into these supplemental terms to the DPA to ensure that the Services provided conform to the requirements of the privacy laws referred to above and to establish implementing procedures and duties;
WHEREAS, the Parties wish these terms to be hereby incorporated by reference into the DPA in their entirety for Maine;
NOW THEREFORE, for good and valuable consideration, the parties agree as follows:
1. In Article IV, Section 2, replace “otherwise authorized,” with “otherwise required” and delete “or stated in the Service Agreement.”
2. All employees of the Provider who will have direct contact with students shall pass criminal background checks.
3. In Article V, Section 1 Data Storage: Maine does not require data to be stored within the United States.
4. The Provider may not publish on the Internet or provide for publication on the Internet any Student Data.
5. If the Provider collects student social security numbers, the Provider shall notify the LEA of the purpose the social security number will be used and provide an opportunity not to provide a social security number if the parent and/or student elects.
6. The parties agree that the definition of Student Data in Exhibit “C” includes the name of the student’s family members, the student’s place of birth, the student’s mother’s maiden name, results of assessments administered by the State, LEA or teacher, including participation information, course transcript information, including, but not limited to, courses taken and completed, course grades and grade point average, credits earned and degree, diploma, credential attainment or other school exit information, attendance and mobility information between and within LEAs within Maine, student's gender, race and ethnicity, educational program participation information required by state or federal law and email.
7. The parties agree that the definition of Student Data in Exhibit “C” includes information that:
a. Is created by a student or the student's parent or provided to an employee or agent of the LEA or a Provider in the course of the student's or parent's use of the Provider’s website, service or application for kindergarten to grade 12 school purposes;
b. Is created or provided by an employee or agent of the LEA, including information provided to the Provider in the course of the employee's or agent's use of the Provider’s website, service or application for kindergarten to grade 12 school purposes; or
c. Is gathered by the Provider through the operation of the Provider’s website, service or application for kindergarten to grade 12 school purposes.
EXHIBIT “E”
Rhode Island
WHEREAS, the documents and data transferred from LEAs and created by the Provider’s Services are also subject to several state laws in Rhode Island. Specifically, those laws are R.I.G.L. 16-71-1 et seq., R.I.G.L. 16-104-1, and R.I.G.L. 11-49.3 et seq.; and
WHEREAS, the Parties wish to enter into these supplemental terms to the DPA to ensure that the Services provided conform to the requirements of the privacy laws referred to above and to establish implementing procedures and duties;
WHEREAS, the Parties wish these terms to be hereby incorporated by reference into the DPA in their entirety for Rhode Island;
NOW THEREFORE, for good and valuable consideration, the parties agree as follows:
1. In Article IV, Section 2, replace “otherwise authorized,” with “otherwise required” and delete “or stated in the Service Agreement.”
2. All employees of the Provider who will have direct contact with students shall pass criminal background checks.
3. In Article V, Section 1 Data Storage: Rhode Island does not require data to be stored within the United States.
4. The Provider agrees that this DPA serves as its written certification of its compliance with R.I.G.L. 16-104-1.
5. The Provider agrees to implement and maintain a risk-based information security program that contains reasonable security procedures.
6. In the case of a data breach, as a part of the security breach notification outlined in Article V, Section 4(1), the Provider agrees to provide the following additional information:
i. Information about what the Provider has done to protect individuals whose information has been breached, including toll free numbers and websites to contact:
1. The credit reporting agencies
2. Remediation service providers
3. The attorney general
ii. Advice on steps that the person whose information has been breached may take to protect himself or herself.
iii. A clear and concise description of the affected parent, legal guardian, staff member, or eligible student’s ability to file or obtain a police report; how an affected parent, legal guardian, staff member, or eligible student requests a security freeze and the necessary information to be provided when requesting the security freeze; and that fees may be required to be paid to the consumer reporting agencies.
EXHIBIT “E”
Vermont
WHEREAS, the documents and data transferred from LEAs and created by the Provider’s Services are also subject to several state laws in Vermont. Specifically, those laws are 9 VSA 2443 to 2443f; 16 VSA 1321 to 1324; and
WHEREAS, the Parties wish to enter into these supplemental terms to the DPA to ensure that the Services provided conform to the requirements of the privacy laws referred to above and to establish implementing procedures and duties;
WHEREAS, the Parties wish these terms to be hereby incorporated by reference into the DPA in their entirety for Vermont;
NOW THEREFORE, for good and valuable consideration, the parties agree as follows:
1. In Article IV, Section 2, replace “otherwise authorized,” with “otherwise required” and delete “or stated in the Service Agreement.”
2. All employees of the Provider who will have direct contact with students shall pass criminal background checks.
3. In Article V, Section 1 Data Storage: Vermont does not require data to be stored within the United States.
EXHIBIT “E”
New York
ReachMyTeach’s Data Security and Privacy Plan:
New York State Education Law Section 2-d was enacted in 2014 to address concerns relative to securing certain personally identifiable information. In order to comply with the requirements of Education Law Section 2-d, ReachMyTeach LLC (“ReachMyTeach”) hereby establishes the following data security and privacy plan:
ReachMyTeach will treat “Protected Data” (as defined below) as confidential and shall protect the nature of the Protected Data by using the same degree of care, but not less than a reasonable degree of care, as it uses to protect its own confidential data, so as to prevent the unauthorized dissemination or publication of Protected Data to third parties. ReachMyTeach shall not disclose Protected Data other than to those of its employees or agents who have a need to know such Protected Data under this Agreement. ReachMyTeach shall not use Protected Data for any other purposes than those explicitly provided for in its agreement with the disclosing party from which it received Protected Data. All Protected Data shall remain the property of the disclosing party. As more fully discussed below, ReachMyTeach shall have in place sufficient internal controls to ensure that Protected Data is safeguarded in accordance with all applicable laws and regulations.
“Protected Data” includes any information rendered confidential by State or Federal law, including, but not limited to student data, student demographics, scheduling, attendance, grades, health and discipline tracking, and all other data reasonably considered to be sensitive or confidential data by a customer. Protected Data also includes any information protected under Education Law 2-d including, but not limited to: “Personally identifiable information” from student records of an educational agency as that term is defined in §99.3 of the Family Educational Rights and Privacy Act (FERPA),
-AND-
Personally identifiable information from the records of an educational agency relating to the annual professional performance reviews of classroom teachers or principals that is confidential and not subject to release under the provisions of Education Law 3012-c. Parents have the right to inspect and review the complete contents of their child’s education record that is shared with or collected by TalkingPoints;
State, Federal, and local data security and privacy contract requirements will be implemented by utilizing best practices and industry standards with respect to data storage, privacy and protection, including, but not limited to, encryption, firewalls, passwords, protection of off-site records, and limitation of access to stored data to authorized staff, as follows:
Encryption: Private Data is protected by industry-standard encryption, and can only be accessed by authorized individuals.
Subsystem Organization: ReachMyTeach’s platform is a system composed of several subsystems, each with different roles and capacities. One of the primary reasons for utilizing multiple subsystems is to create a separation between systems that potentially interact with Private Data and systems that do not. This architecture reduces the likelihood of, and minimizes the damage caused by, any potential data breach.
Secured Hosting: All of ReachMyTeach's systems are hosted by industry-leading vendors with proven track records of reliability and security.
Data Back Up & Failure Detection: All data storage is securely redundant, with key systems backed up on a daily basis. Monitoring and alarms are set at all potential sites of failure throughout the subsystems to detect and help us get on top of any problems quickly.
Measures to secure Protected Data and to limit access to such data to authorized staff will include:
Password & Authentication Standards: In order to minimize the impact of any potential data breach, ReachMyTeach only allows users to log in with a secure link or through approved SSO.
Limitation of Staff Access: Staff access to Protected Data will be limited to the greatest extent possible where such information is not necessary to the staff member’s job requirements.
Subcontractors, persons or entities with which ReachMyTeach will share Protected Data, if any, will abide by the requirements of this data security and privacy plan, and any contractual obligations with respect to Protected Data set forth in the agreement with the disclosing party.
Internal access to Protected Data shall be limited to those individuals that are determined to have legitimate educational interests.
Protected Data shall not be used for any other purposes than those explicitly authorized by contract with an educational agency.
Protected Data shall not be re-disclosed to any third party (i) without the prior written consent of the school, which has obtained permission from the guardian or student; or (ii) unless required by statute or court order and the party provides a notice of the disclosure to the New York State Education Department, educational agency, or institution that provided the information no later than the time the information is disclosed, unless providing notice of the disclosure is expressly prohibited by the statute or court order;
Reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of Protected Data shall be maintained.
EXHIBIT “E”
New Hampshire
WHEREAS, the documents and data transferred from LEAs and created by the Provider’s Services are also subject to several state laws in New Hampshire. Specifically, those laws are RSA 189:1-e and 189:65-68-a; RSA 186; NH Admin. Code Ed. 300 and NH Admin. Code Ed. 1100; and
WHEREAS, the Parties wish to enter into these supplemental terms to the DPA to ensure that the Services provided conform to the requirements of the privacy laws referred to above and to establish implementing procedures and duties;
WHEREAS, the Parties wish these terms to be hereby incorporated by reference into the DPA in their entirety for New Hampshire;
NOW THEREFORE, for good and valuable consideration, the parties agree as follows:
1. All references in the DPA to “Student Data” shall be amended to state “Student Data and Teacher Data.” “Teacher Data” is defined as at least the following:
- Social security number.
- Date of birth.
- Personal street address.
- Personal email address.
- Personal telephone number.
- Performance evaluations.
- Other information that, alone or in combination, is linked or linkable to a specific teacher, paraprofessional, principal, or administrator that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify any of them with reasonable certainty.
- Information requested by a person whom the department reasonably believes knows the identity of the teacher, paraprofessional, principal, or administrator to whom the education record relates.
“Teacher” means teachers, paraprofessionals, principals, school employees, contractors, and other administrators.
2. In order to perform the Services described in the DPA, the LEA shall provide the categories of Teacher Data described in the Schedule of Data, attached hereto as Exhibit “I”.
3. In Article IV, Section 2, replace “otherwise authorized,” with “otherwise required” and delete “or stated in the Service Agreement.”
4. In Article IV, Section 7 amend each reference to “students,” to state: “students, teachers,…”
5. All employees of the Provider who will have direct contact with students shall pass criminal background checks.
6. Provider is prohibited from leasing, renting, or trading Student Data or Teacher Data to (a) market or advertise to students, teachers, or families/guardians; (b) inform, influence, or enable marketing, advertising or other commercial efforts by a Provider; (c) develop a profile of a student, teacher, family member/guardian or group, for any commercial purpose other than providing the Service to LEA; or (d) use the Student Data and Teacher Data for the development of commercial products or services, other than as necessary to provide the Service to the LEA. This section does not prohibit Provider from using Student Data and Teacher Data for adaptive learning or customized student learning purposes.
7. The Provider agrees to the following privacy and security standards. Specifically, the Provider agrees to:
(1) Limit system access to the types of transactions and functions that authorized users, such as students, parents, and LEA are permitted to execute;
(2) Limit unsuccessful login attempts;
(3) Employ cryptographic mechanisms to protect the confidentiality of remote access sessions;
(4) Authorize wireless access prior to allowing such connections;
(5) Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity;
(6) Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions;
(7) Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles;
(8) Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services;
(9) Enforce a minimum password complexity and change of characters when new passwords are created;
(10) Perform maintenance on organizational systems;
(11) Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance;
(12) Ensure equipment removed for off-site maintenance is sanitized of any Student Data or Teacher Data in accordance with NIST SP 800-88 Revision 1;
(13) Protect (i.e., physically control and securely store) system media containing Student Data or Teacher Data, both paper and digital;
(14) Sanitize or destroy system media containing Student Data or Teacher Data in accordance with NIST SP 800-88 Revision 1 before disposal or release for reuse;
(15) Control access to media containing Student Data or Teacher Data and maintain accountability for media during transport outside of controlled areas;
(16) Periodically assess the security controls in organizational systems to determine if the controls are effective in their application and develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems;
(17) Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems;
(18) Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception);
(19) Protect the confidentiality of Student Data and Teacher Data at rest;
(20) Identify, report, and correct system flaws in a timely manner;
(21) Provide protection from malicious code (i.e., antivirus and antimalware) at designated locations within organizational systems;
(22) Monitor system security alerts and advisories and take action in response; and
(23) Update malicious code protection mechanisms when new releases are available.
Alternatively, the Provider agrees to comply with one of the following standards: (1) NIST SP 800-171 rev 2, Basic and Derived Requirements; (2) NIST SP 800-53 rev 4 or newer, Low Impact Baseline or higher; (3) FedRAMP (Federal Risk and Authorization Management Program); (4) ISO/IEC 27001:2013; (5) Center for Internet Security (CIS) Controls, v. 7.1, Implementation Group 1 or higher; (6) AICPA System and Organization Controls (SOC) 2, Type 2; and (7) Payment Card Industry Data Security Standard (PCI DSS), v3.2.1. The Provider will provide to the LEA on an annual basis and upon written request demonstration of successful certification of these alternative standards in the form of a national or international Certification document; an Authorization to Operate (ATO) issued by a state or federal agency, or by a recognized security standards body; or a Preliminary Authorization to Operate (PATO) issued by the FedRAMP Joint Authorization Board (JAB).
8. In the case of a data breach, as a part of the security breach notification outlined in Article V, Section 4(1), the Provider agrees to provide the following additional information:
i. The estimated number of students and teachers affected by the breach, if any.
9. The parties agree to add the following categories into the definition of Student Data: the name of the student's parents or other family members, place of birth, social media address, unique pupil identifier, and credit card account number, insurance account number, and financial services account number.
10. In Article V, Section 1 Data Storage: New Hampshire does not require data to be stored within the United States.
EXHIBIT “I” – TEACHER DATA

| Category of Data | Elements | Check if used by your system |
|---|---|---|
| Application Technology MetaData | IP Addresses of users, Use of cookies etc. | X |
| Application Technology MetaData | Other application technology meta data - Please specify: browser device | |
| Application Use Statistics | Meta data on user interaction with application | x |
| Communications | Online communications that are captured (emails, blog entries) | x |
| Demographics | Date of Birth | |
| Demographics | Place of Birth | |
| Demographics | Social Security Number | |
| Demographics | Ethnicity or race | |
| Demographics | Other demographic information - Please specify: | |
| Personal Contact Information | Personal Address | |
| Personal Contact Information | Personal Email | |
| Personal Contact Information | Personal Phone | x |
| Performance evaluations | Performance Evaluation Information | |
| Schedule | Teacher scheduled courses | x |
| Schedule | Teacher calendar | |
| Special Information | Medical alerts | |
| Special Information | Teacher disability information | |
| Special Information | Other indicator information - Please specify: | |
| Teacher Identifiers | Local (School district) ID number | x |
| Teacher Identifiers | State ID number | |
| Teacher Identifiers | Vendor/App assigned student ID number | x |
| Teacher Identifiers | Teacher app username | |
| Teacher Identifiers | Teacher app passwords | |
| Teacher In App Performance | Program/application performance | |
| Teacher Survey Responses | Teacher responses to surveys or questionnaires | x |
| Teacher work | Teacher generated content; writing, pictures etc. | x |
| Teacher work | Other teacher work data - Please specify: | |
| Education | Course grades from schooling | |
| Education | Other transcript data - Please specify: | |
| Other | Please list each additional data element used, stored or collected by your application: voice recordings | |