We know you need to have us sign data agreements. To speed up the process (because we get hundreds of these), please check that your agreements align with these criteria that must be met for us to sign.
Data storage location
We will accept the United States. CONUS is not an acceptable limitation.
Deletion on expiration
We provide self-help tools for you to delete students. Teachers can delete their own accounts. Schools can contact us to release or delete a teacher account. Schools can self-help to reassign accounts.
We can accept any language regarding deletion that takes into account that the school has an active role in deletion, such as making a request or requesting certification of deletion. We prefer language that allows us to delete automatically according to the schedule in our Information Security Plan. If you request a shorter timeline and do not engage in self-help, you will need to contact us to indicate we need to take action. We assume that, if we are discussing renewal, we should not manually delete accounts on your behalf without an instruction. In general, we only perform deletion directly if circumstances prevent you from using self-help.
Rather than create a complicated permissions process that slows down your teaching and our business, we prefer the following clause for a successor in interest:
In the event the Contractor merges with or is acquired by another entity, the Contractor may assign the agreement provided the successor in interest agrees to accept the terms of the Agreement. The Contractor will notify the District of the transfer where the District has provided a person or email address to whom Contractor can send the notice. A merger or sale of all or substantially all of the assets of the Contractor to a third party who agrees to abide by the terms and conditions of this agreement shall not be deemed a sale, use, or disclosure of the personally identifiable information.
We can agree to something very similar to the below language. We have carefully selected our cloud services vendors. It is not feasible to require them to sign and agree to be bound by the terms of every DPA we sign, and we will not sign any agreement that requires us to ask all subprocessors to sign on to the terms of the DPA. We accept our responsibility for managing them and this language captures our commitment.
The Contractor shall ensure that each subprocessor with whom it shares Student Data and/or Teacher or Principal Data is contractually bound by a written agreement (a) that includes obligations of confidentiality equivalent to, consistent with, and no less protective than those found in this agreement all of the components of applicable state and federal law, including New York Education Law Section 2-d, the School District’s Parents’ Bill of Rights, and the federal Family Educational Rights and Privacy Act (“FERPA”), or (b) is engaged under a contract under which they agree that they have no right of access to the Contractor's data stored in the subprocessors' cloud-based services.
Buyer hereby consents to the delegation of obligations necessary to Seller's operations to the subprocessors listed in Seller's Subprocessor Disclosure.
We back up data daily. We cannot agree to terms requiring continuous backup.
Breach Reimbursements and Responsibilities and Indemnifications
We can agree to assist you with any breach. We will not agree to any reimbursement or notification requirement that is not limited to our conduct. Districts are responsible for the conduct of their employees. We will look for limitations such as "acts or omissions of the Vendor, or its officers, agents, subcontractors or employees." Failure to include such a limitation will result in us asking for a change. Here is an example of acceptable language:
Where a Breach of PII occurs that is attributable to the Contractor, the Contractor shall pay for or promptly reimburse the District for the full cost of the District’s notification to affected persons and/or their parents or guardian.
Breach Notification Timelines
For operational simplicity, we require a breach notification window of 7 days. This is the most commonly requested window by our customers. We have thousands of customers so we need a standardized timeline. We will only agree to a shorter timeline if you have a statutory requirement for a shorter timeline. Given that the risk to students is exposure of an email address or username (remember passwords are encrypted), this is entirely reasonable. A thorough investigation of a data breach requires 3 to 7 days. Any report required to be made in less time will be cursory and incomplete.
Direct Breach Notification
Because of our privacy by design, we do not have any contact information for parents or legal guardians (data you don't have cannot be breached). For students, we often only have a username and nickname (which can be a pseudonym). If you use an OAuth service, we may have a school student email address. As a result, we cannot provide direct breach notification to parents or legal guardians, or most students. We can provide you with a notification statement that you can forward to families.
We operate entirely offsite; we do not interact with students. We have General Liability, Hired/Non-Owned Auto Liability, and $3 million cyberliability insurance.
Intellectual Property Terms
We cannot modify the IP terms in our Terms of Service. We will reject any language that attempts to modify those terms. Those terms are carefully crafted to meet your needs and ours. Without them, you cannot use our product legally.
Entire Agreement Clauses
New York Section 2-d
We extend the protections and elements of our New York Section 2-d Information Security Plan to all users. We encourage you to incorporate that rather than reinventing the wheel where it meets your needs.