We know you need to have us sign data agreements. To speed the process (because we get hundreds of these), please check that your agreements align with the following criteria, which must be met for us to sign.
Data storage location
We will accept United States. CONUS is not an acceptable limitation.
Deletion on expiration:
This language is the correct language to include. We put all the power in your hands. The agreement shall state that you have the first obligation of action to protect your data:
We can agree to something very similar to the language below. We have carefully selected our cloud-services vendors. It is not feasible to require them to sign and agree to be bound by the terms of every DPA we sign, and we will not sign any agreement that requires us to ask all subcontractors to sign on to the terms of the DPA. We accept our responsibility for managing them, and this language captures our commitment.
Vendor must ensure that each subcontractor with whom it shares Student Data and/or Teacher or Principal Data is contractually bound by a written agreement that (a) includes obligations of confidentiality equivalent to, consistent with, and no less protective than those found in this agreement, or (b) is engaged under a contract under which they agree that they have no right of access to Vendor's data stored in the subcontractor's cloud-based services.
Breach Reimbursements and Responsibilities and Indemnifications
We can agree to assist you with any breach. We will not agree to any reimbursement or notification requirement that is not limited to our conduct. Districts are responsible for the conduct of their employees. We will look for limitations such as "acts or omissions of the Vendor, or its officers, agents, subcontractors or employees." Failure to include such a limitation will result in us asking for a change. Here is an example of acceptable language:
Where a Breach of PII occurs that is attributable to Vendor, Vendor shall pay for or promptly reimburse the District for the full cost of the District's notification to affected persons and/or their parents or guardians.
Breach Notification Timelines
For operational simplicity, we require a breach notification window of 7 days. This is the most commonly requested window by our customers. We have thousands of customers so we need a standardized timeline. We will only agree to a shorter timeline if you have a statutory requirement of a shorter timeline. Given that the risk to students is exposure of an email address or username (remember passwords are encrypted), this is entirely reasonable.
Direct Breach Notification
Because of our privacy by design, we do not have any contact information for parents or legal guardians (data you don't have cannot be breached). For students, we often only have a username and nickname (which can be a pseudonym). If you use an OAuth service, we may have a school student email address. As a result, we cannot provide direct breach notification to parents or legal guardians or most students. We can provide you with a notification statement that you can forward to families.
We operate entirely offsite; we do not interact with students; and, as stated above, the only identifying student data is a username or email address. Accordingly, we carry General Liability and $1 Cyberliability insurance only.
Intellectual Property Terms
We cannot modify the IP terms in our Terms of Service. We will reject any language that attempts to modify those terms. Those terms are carefully crafted to meet your and our needs. Without them you cannot use our product legally.
Entire Agreement Clauses
New York Section 2d
We extend the protections and elements of our New York Section 2-d Data and Security Plan to all users. We encourage you to incorporate that rather than reinventing the wheel where it meets your needs.