We know you need to have us sign data agreements. To speed the process (because we get hundreds of these), please check that your agreements align to these criteria that must be met for us to sign.

Data storage location

We will accept United States. CONUS is not an acceptable limitation. 

Deletion on expiration:

This language is the correct language to include. We put all the power in your hands. The agreement shall state that you have the first obligation of action to protect your data:

If you use a Student Data Privacy Alliance form document, although we will accept the language as written, please understand that the process for deletion is that you can use our self-help tools without sending us an Exhibit D. If you do send Exhibit D we will provide you with customer service support to use the self-help tools, after which we can provide certification.

Upon termination of the Agreement, District shall use the tools provided to it by Contractor to export and securely delete all confidential information provided to Contractor. If for some reason District is not able to avail itself of the self-help tools provided, it may contact Contractor to delete confidential information. Contractor will automatically delete confidential information on expired accounts pursuant to the Deletion schedule in its Privacy Policy. Deletion is irreversible and unrecoverable.


Rather than create a complicated permissions process that slows down your teaching and our business, we prefer the following clause for a successor in interest:

In the event the Contractor merges with or is acquired by another entity, the Contractor may assign the agreement provided the successor in interest agrees to accept the terms of the Agreement.  Contractor will notify District of transfer where District has provided a person or email address to whom Contractor can send notice. 

A merger or sale of all or substantially all of the assets of the Contractor to a third party who agrees to abide by the terms and conditions of this agreement shall not be deemed a sale, use or disclosure of the personally identifiable information.


We can agree to something very similar to the below language. We have carefully selected our cloud-services vendors. It is not feasible to require them the sign and agree to be bound by the terms of every DPA we sign and we will not sign any agreement that requires us to ask all subprocessors to sign on to the terms of the DPA. We accept our responsibility for managing them and this language captures our commitment. 

Vendor shall ensure that each subprocessor with whom it shares Student Data and/or Teacher or Principal Data are contractually bound by a written agreement that (a) that includes obligations of confidentiality equivalent to, consistent with, and no less protective than those found in this agreement, or (b) are engaged under a contract under which they agree that they have no right of access to Vendor's data stored in the subprocessors' cloud-based services.

Buyer hereby consents to delegation of obligations necessary to Seller's operations to the subprocessors listed in Seller's Subprocessor Disclosure at Boom Cards (boomlearning.com).

Data Backups 

We back up data daily.  We cannot agree to terms requiring continuous backup.

Breach Reimbursements and Responsibilities and Indemnifications

We can agree to assist you with any breach. We will not agree to any reimbursement or notification requirement that is not limited to our conduct. Districts are responsible for the conduct of their employees. We will look for limitations such as "acts or omissions of the Vendor, or its officers, agents, subcontractors or employees." Failure to include such a limitation will result in us asking for a change. Here is an example of acceptable language:

Where a Breach of PII occurs that is attributable to Vendor, Vendor shall pay for or promptly reimburse the District for the full cost of the District’s notification to affected persons and/or their parents or guardian.

Breach Notification Timelines

For operational simplicity, we require a breach notification window of 7 days. This is the most commonly requested window by our customers. We have thousands of customers so we need a standardized timeline. We will only agree to a shorter timeline if you have a statutory requirement of a shorter timeline. Given that the risk to students is exposure of an email address or username (remember passwords are encrypted), this is entirely reasonable.

Thorough investigation of a data breach requires at least 7 days. Any report possible in less time will be cursory. 

Direct Breach Notification

Because of our privacy by design, we do not have any contact information for parents or legal guardians (data you don't have cannot be breached). For students, we often only have a username and nickname (which can be a pseudonym). If you use an OAuth service, we may have a school student email address. As a result, Rwe cannot provide direct breach notification to parents or legal guardians or most students. We can provide you with a notification statement that you can forward to families.


We operate entirely offsite, we do not interact with students, and as stated above, the only identifying student data is a username or email address. Accordingly, we have General Liability, Hired/Non-Owned Auto Liability, and $1 million Cyberliability insurance. Please see the attached Exhibit A: Summary of Insurance.    

Intellectual Property Terms

We cannot modify the IP terms in our Terms of Service. We will reject any language that attempts to modify those terms. Those terms are carefully crafted to meet your needs and ours. Without them, you cannot use our product legally.

Entire Agreement Clauses

We cannot accept any entire agreement clause that overrides the entirety of our Terms of Service and Privacy Policy. We can agree to addendums that supersede select portions.

Any conflict or inconsistency among the components of this Contract shall be resolved by giving precedence in the following order:  (1st) this Agreement, (2nd) Vendor’s Privacy Policy and (3rd) Vendor’s Terms of Service and (4th)Vendor's Bid.

New York Section 2d

We extend the protections and elements of our New York Section 2-d Data and Security Plan to all users. We encourage you to incorporate that rather than reinventing the wheel where it meets your needs.


We provide self-help FAQ's and video training for Board/District/School employees.  Upon request by the Board/District/School, and subject to consent which may be withheld, we may provide remote live training at the expense of the Board/District/School, subject to our standard training.