We know you need to have us sign agreements. There are a couple of shortcut options for you:
- For Master Service Agreements and/or Terms of Service use our Entity Terms of Service agreement
- We are members of the Student Data Privacy Alliance. Schools are invited and encouraged to sign a standard SDPC Alliance Data Privacy Agreement, or Exhibit E as applicable.
To speed up the process (because we get hundreds of these), before sending your unique agreement, please check that your agreement aligns with these criteria that must be met for us to sign. These align to the terms in the National Data Privacy Agreement Version 2.
1. Student Data Storage Location
We will accept the United States. CONUS is not an acceptable limitation.
2. Deletion on Expiration
We provide self-help tools for you to delete students. Teachers can delete their own accounts. Schools can contact us to release or delete a teacher account. Schools can use self-help tools to reassign accounts.
We can accept any language regarding deletion that takes into account that the school has an active role in deletion, such as making a request or requesting certification of deletion. This is an example of acceptable language:
Boom Learning will, unless otherwise directed by the School, dispose of, or delete, Student Data obtained by Boom Learning pursuant to its Information Security Plan. The School may provide special instructions for the disposition of Student Data in writing to [email protected]. The instructions must state what is to be deleted. The duty of Boom Learning to dispose of Student Data shall not extend to either (a) to de-identified data or (b) to student- generated content that has been transferred to the student. Data is de-identified when all personally identifiable information has been removed or obscured, such that the remaining information does not reasonably identify a specific student, including, but not limited to, any information that, alone or in combination, is linkable to a specific student. Content is student-generated if it was created by student.
3. Assignment
Rather than create a complicated permissions process that slows down your teaching and our business, we prefer the following clause for a successor in interest:
This agreement is and shall be binding upon the respective successors in interest to Boom Learning in the event of a Change of Control. A Change of Control is any merger, acquisition, consolidation, or other business reorganization or sale of all or substantially all of the assets of Boom Learning or of the Boom App data. In the event of a Change of Control, Boom Learning will provide written notice to the School no later than sixty (60) days after the closing of the Change of Control. The notice shall include a written, signed assurance that the successor will assume the obligations of this agreement and any obligations with respect to Student Data in this agreement.
4. Subprocessors
We can agree to something very similar to the below language. We have carefully selected our cloud services vendors. It is not feasible to require them to sign and agree to be bound by the terms of every DPA we sign. We will not sign any agreement that requires us to ask all subprocessors to sign on to the terms of the DPA. We accept our responsibility for managing them, and this language captures our commitment.
Boom Learning may engage subprocessors who have access to or who store Student Data for security, data collection, data storage, analytics, or other services to operate and/or improve the Boom App. Boom Learning shall enter into an agreement--either by signature or click-through acceptance--with all such subprocessors, whereby the terms of the agreement include obligations that will ensure that (a) the Student Data is protected in a manner no less stringent than the manner in which Boom Learning protects the Student Data, (b) the subprocessor will not sell the Student Data, and (c) the subprocessor may not materially alter the agreement with Boom Learning unless notice is provided to Boom Learning.
5. Data Backups
We can agree to continuous backup.
6. Breach Reimbursements and Responsibilities and Indemnifications
We can agree to assist you with any breach. We will agree only to any reimbursement or notification requirement that is not limited to our conduct. Districts are responsible for the conduct of their employees. We will look for limitations such as "acts or omissions of the Vendor, or its officers, agents, subcontractors, or employees." Failure to include such a limitation will result in us asking for a change. Here is an example of acceptable language:
Where a Breach of PII occurs that is attributable to the Contractor, the Contractor shall pay for or promptly reimburse the District for the full cost of the District’s notification to affected persons and/or their parents or guardian.
7. Breach and Safeguards Terms
Breach notification obligations need to be reciprocal. Below is an example of acceptable terms:
School shall employ administrative, technical, and physical safeguards to protect usernames, passwords, and other means of gaining access to the Student Data from unauthorized access, disclosure, or acquisition by an unauthorized person. School shall inform Boom Learning within seventy-two (72) hours of any confirmed Data Breach to the Boom App, School's account, or any Educator account associated with the School, or any Student Data that poses a privacy or security risk. If requested by Boom Learning, the School will provide reasonable assistance to Boom Learning in any efforts by Boom Learning to investigate and respond to the Data Breach.
Boom Learning shall employ administrative, technical, and physical safeguards to protect usernames, passwords, and other means of gaining access to the Student Data from unauthorized access, disclosure, or acquisition by an unauthorized person. Boom Learning shall inform the School within seventy-two (72) hours of any confirmed Data Breach to the Boom App, School's account, or any Educator account associated with the School, or any Student Data that poses a privacy or security risk. If requested by the School, Boom Learning will provide reasonable assistance to the School in any efforts by the School to investigate and respond to the Data Breach.
Because of our privacy by design, we do not have any contact information for parents or legal guardians (data you don't have cannot be breached). For students, we often only have a username and nickname (which can be a pseudonym). If you use an OAuth service, we may have a school student email address. As a result, we cannot provide direct breach notification to parents or legal guardians, or most students. We can provide you with a notification statement that you can forward to families.
8. Insurance
We operate entirely offsite; we do not interact with students. We have General Liability, Hired/Non-Owned Auto Liability, and Cyberliability insurance.
9. Intellectual Property Terms
We cannot modify the IP terms in our Terms of Service. We will reject any language that attempts to modify those terms. Those terms are carefully crafted to meet your needs and ours. Without them, you cannot use our product legally.
10. Entire Agreement Clauses
We cannot accept any entire agreement clause that overrides the entirety of our Terms of Service and Privacy Policy. We can agree to addendums that supersede select portions using the phrase "relating to the subject matter hereof" where the addendum addresses just privacy. Any paragraph stating Order of Precedence must place items in this order: (1) a negotiated Privacy Agreement, (2) a negotiated Master Services Agreement or like document, (3) Boom Learning's Privacy Notices, (4) Boom Learning's applicable Terms of Service, and (5) any Purchase Order terms.