Data Confidentiality and Security Agreement
Lea(R)n, Inc., a North Carolina corporation with an address at 509 W. North Street, Raleigh, NC 27603 (“Provider”) hereby agrees to the terms of this Data Confidentiality and Security Agreement (“Security Agreement”) for the purpose of receiving and sharing confidential student information between a Local Education Agency (“LEA”) in a manner consistent with the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. 1232g and its implementing regulations at 34 CFR part 99; the Protection of Pupil Rights Amendment (PPRA), 20 U.S.C. 1232h and its implementing regulations at 34 CFR part 98; the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. 6501-6506 and its implementing regulations at 16 CFR part 312; N.C. Gen. Stat. §§ 115C-401.1 and 115C-402; and the LEA’s applicable regulations and procedures; and other applicable laws and policies.
1. Purpose. LEA is a local education agency that maintains student “education records” as defined by FERPA and PPRA. Provider is requesting access to certain student data maintained by LEA for the purpose of evaluating and/or providing educational products to LEA pursuant to a Subscription and License Agreement entered into concurrently herewith. The purpose of this Security Agreement is to set forth the terms and conditions upon which Provider may be granted access to such student data in order to ensure that the student data is used and stored appropriately and in compliance with all applicable federal, state, and local laws, regulations, and policies.
2. Student Records and Information. Provider acknowledges that any data shared and released to Provider by LEA (the “Shared Data”) is for the sole purpose of evaluating educational products and services to enhance, supplement, and improve instruction for students. The Shared Data is defined as any data or information shared with Provider pursuant to this Agreement, including but not limited to any de-identified data, aggregated data sets, personally identifiable information (PII) about students, and other student information, including, but not limited to, student data, metadata, and user content. The Shared Data will be used by Provider for the sole purpose of evaluating educational products to inform instructional, operational and fiscal decisions, and the practices and processes related to education technology in schools, and for improving services under this Agreement. The parties agree that the Shared Data and all rights to the Shared Data, shall remain the exclusive property of LEA; provided however, that the analysis of the Shared Data performed by the Provider (“Results”), including without limitation the de-identified aggregate of the Shared Data, shall as between LEA and the Provider be the exclusive property of Provider. For the avoidance of doubt, de-identified aggregate data will have all direct and indirect personal identifiers removed, including, but not limited to, name, ID numbers, date of birth, demographic information, location information, and school ID. Provider agrees not to attempt to re-identify any de-identified data. Provider hereby grants to LEA a limited, nonexclusive, license to use the Results solely for its internal planning and purchasing decisions. LEA hereby grants to Provider a limited, nonexclusive, irrevocable license to use the Shared Data for the purpose of evaluating educational products and services as set forth in this Agreement.
3. Compliance with Applicable Laws, Policies, and Procedures. To become or remain a recipient of the Shared Data, Provider agrees to comply with the provisions of FERPA, PPRA, COPPA, and all other applicable laws and regulations in all respects. Nothing in this Security Agreement may be construed to allow Provider to maintain, use, or disclose any Shared Data in a manner inconsistent with any applicable law, regulation, or policy.
4. Authorized Use of Shared Data. In the event Provider’s access to the Shared Data is pursuant to the “school official exception” as set forth in 34 CFR 99.31(a)(1)(i), Provider’s use of the Shared Data shall at all times be limited to institutional functions of LEA that could otherwise be provided by a school official and which LEA is “outsourcing” to Provider pursuant to 34 CFR 99.31(a)(1)(B). Provider agrees to use the Shared Data for no other purpose other than those identified in Paragraph 2 of this Agreement. Provider understands that the Security Agreement does not convey ownership of Shared Data to Provider. Provider specifically acknowledges that Provider’s use of the Shared Data and Results in connection with any marketing activities shall not exceed the acceptable uses permitted by 20 U.S.C. § 1232h(c)(4)(A).
5. Procedures for the Maintenance and Security of Shared Data. While in the possession, custody, or control of Provider, all Shared Data shall be stored in a secure environment with access limited to the least number of staff needed to complete the work requested by LEA. Provider shall develop, implement, maintain, and use appropriate administrative, technical, and physical security measures to preserve the confidentiality, integrity, and availability of all electronically maintained or transmitted data received from, or on behalf of, LEA. Such measures shall include processes for transmission and storage of such data.
a. Provider agrees that it will protect the Shared Data against loss, destruction, and unauthorized uses or disclosures according to industry best practices and no less rigorously than it protects its own confidential information. Specifically, Provider agrees that all student records and PII obtained in the course of providing services to LEA shall be subject to the confidentiality and disclosure provisions of applicable federal and state statutes and regulations.
b. For the purposes of ensuring Provider’s compliance with this Security Agreement and all applicable state and federal laws, Provider shall designate one or more individuals as the primary data custodian(s) of the data that the LEA shares with Provider and shall notify LEA of the name(s) and title(s) of such individual(s) prior to any data being shared. LEA will release all data and information for this project to the named primary data custodian(s). The primary data custodian(s) shall ensure that the project shall be conducted in a manner that does not permit personal identification of the LEA’s students by anyone other than representatives of Provider who need such information for the purposes described in Paragraphs 1 and 2 of this Security Agreement. The primary data custodian(s) shall also be responsible for maintaining a log of all data received pursuant to this Security Agreement and ensuring the timely destruction or return of the Shared Data as required by this Security Agreement.
c. Provider shall use industry best practices to protect LEA’s data from unauthorized physical and electronic access no less rigorously than it protects its own confidential information. All LEA data shall be kept in a secure location preventing access by unauthorized individuals. Provider shall not forward to any person or entity other than LEA any student record or PII, including, but not limited to, the student’s identity, without the advance written consent of LEA. Provider agrees to handle any and all Shared Data using appropriate access control and security, including password-protection and encryption in transport and electronic storage, and periodic auditing of data at rest. Data subject to FERPA shall not be emailed in plain text or used for marketing campaigns. Provider will conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner.
d. Provider will maintain an access log delineating the date, time, and identity of any person or entity given access to any Shared Data student records who is not in the direct employ of Provider. No such access shall be granted except in strict compliance with the terms and conditions of this Agreement and applicable law.
6. Prohibition on Unauthorized Use or Disclosure of Shared Data.
a. Provider agrees to hold all Shared Data in strict confidence. Provider shall not use or disclose such data received from or on behalf of LEA except as authorized in this Agreement or otherwise in writing by LEA or as required by law. Provider agrees not to disclose any data obtained from LEA in a manner that could identify any individual student to any other entity or person, attempt to infer or deduce the identity of any individual student based on data provided by LEA, or claim to have identified or deduced the identity of any student based on data provided by LEA.
b. Provider is prohibited from mining Shared Data for any purposes other than those set forth in this Agreement or otherwise agreed to in advance in writing by LEA. Data mining or scanning of user content for the purpose of advertising and/or marketing any non-educational products or services to students or their parents is strictly prohibited.
c. In no event will Provider use any of the Shared Data for its own commercial marketing or advertising purposes, or for the commercial marketing or advertising purposes of any third-party. Without limiting the foregoing, LEA and Provider agree that use of the Results for Provider’s marketing or advertising purposes is permitted so long as no individual student’s identity is disclosed or capable of being deduced. Provider will not use any Shared Data to advertise or market non-educational products or services to LEA students or their parents.
d. In the event of any unauthorized use or disclosure, Provider shall report the incident to LEA no less than one (1) business day after Provider learns of such use or disclosure. Such report shall identify:
i. The nature of the unauthorized use or disclosure,
ii. The data used or disclosed,
iii. Who made the unauthorized use or received the unauthorized disclosure,
iv. What Provider has done or shall do to mitigate the effects of the unauthorized use or disclosure, and
v. What corrective action Provider has taken or shall take to prevent future similar unauthorized use or disclosure. Provider shall also provide such other information related to the unauthorized use or disclosure that may be reasonably requested by LEA. LEA also may require that Provider provide a written notice of the breach or disclosure, as well as a description of the corrective actions taken, to any LEA student, parent, or employee directly impacted by the breach or disclosure. Any such notice shall be subject to review and approval by LEA.
e. Provider will not release any research or publications pertaining to LEA’s data and through which LEA is named or can be identified without LEA’s advance written consent.
7. Employees, Contractors, and Agents. Provider may only share the Shared Data, or any part of it, with subcontractors who have agreed in writing to adhere to, and be bound by, all of the terms of this Security Agreement with respect to its possession and use of any Shared Data and acknowledging that the subcontractor is aware of its obligations under applicable law with regard to the possession, use and re-disclosure of the Shared Data. LEA reserves the right to request to review and approve any such agreement between Provider and its subcontractor(s) before any Shared Data is disclosed to the subcontractor(s). Nothing in this paragraph shall relieve Provider of any of its obligations under this Agreement, including its responsibilities to ensure the security of any Shared Data provided by LEA pursuant to this Agreement.
8. Monitoring and Auditing. Any Shared Data held by Provider will be made available to LEA for review and inspection upon request of LEA. Provider shall cooperate with LEA or with any other person or agency as directed by LEA, in monitoring, auditing, or investigating activities related to Provider’s use and safeguarding of the Shared Data, including but not limited to allowing inspection of the data logs described in Paragraph 5.b and 5.d of this Agreement. LEA and its auditors will maintain the confidentiality of any confidential information and trade secrets of Provider that may be accessed during an audit conducted under this Security Agreement.
9. Term; Post-Termination. This Security Agreement takes effect upon the date of full execution and continues in full force and effect for so long as Recipient has possession, custody, or control of any of the Shared Data. Upon the termination of this Security Agreement between LEA and Provider, all Shared Data shall, at LEA’s sole option, be destroyed or returned to LEA. No other entity, including any subcontractors of Provider, shall be authorized to continue possessing or using any Shared Data. Any Shared Data remaining on any computers, servers, or other technological devices of Provider or its employees, agents, or subcontractors, shall be permanently deleted.
10. Breach and Default; Indemnification; Remedies.
a. In the event of a material data or security breach, or breach of any other material term of this Security Agreement, LEA may demand the immediate return or destruction of any and all of the Shared Data.
b. Provider shall fully indemnify and hold harmless the LEA’s Board of Education and its past, current and future members, agents, and employees from and against all claims, actions, demands, costs, damages, losses, and/or expenses of any kind whatsoever proximately resulting from any material data breach of this Security Agreement or any unauthorized use or disclosure of the Shared Data by Provider or its subcontractor(s). This section shall survive the expiration or earlier termination of this Security Agreement.
c. Nothing in this Agreement shall restrict LEA from seeking any other rights or remedies to which it may be entitled at law or equity.
11. No Right or Entitlement to Student Data. This Security Agreement sets out the terms and conditions under which LEA may, in its sole discretion, provide Shared Data to Provider. Nothing in this Security Agreement creates any right, title, or interest in Recipient to receive any such information.
a. Governing Law. This Security Agreement and the rights and obligations of the parties hereto shall be governed by and construed and enforced in accordance with the laws of the State of North Carolina.
b. No Third Party Beneficiaries. Nothing in this Security Agreement shall confer upon any person, other than the parties, any rights, remedies, obligations, or liabilities whatsoever.
c. Counterparts. This Security Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.
d. Headings. The headings and other captions in this Security Agreement are for convenience and reference only and shall not be used in interpreting, construing or enforcing any of the provisions of this Security Agreement.
e. Assignment of Rights. Neither this Security Agreement, nor any rights, duties, nor obligations described herein shall be assigned by Provider without the prior express written consent of LEA. Notwithstanding the foregoing, Provider may assign all of its rights under this Agreement, without consent of LEA, to a successor by merger or acquisition or to any person or entity who purchases all or substantially all of the business or assets of Provider to which this Agreement relates.
f. Entire Agreement; Amendment. This Agreement contains the entire agreement between the parties and supersedes any previous agreements and proposals, oral or written, related to the subject matter hereof. Any modification or amendments to this Agreement shall be effective only if made in writing and signed by both parties.
g. Conflicts. In the event of any conflict between this Security Agreement and any existing or future contract, purchase order, agreement or terms of service between LEA and Provider, the terms and conditions of this Security Agreement shall control.