Common use of Additional Statutory and Regulatory Obligations Clause in Contracts

Additional Statutory and Regulatory Obligations. Vendor acknowledges additional obligations under Section 2-d and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and these Terms and Conditions. Vendor acknowledges and agrees to the following: i. To limit internal access to Protected Data to only those employees or subcontractors that need access to the Protected Data in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement. ii. To not use Protected Data for any purposes not explicitly authorized in the Master Agreement or these Terms and Conditions. iii. To not disclose any Protected Data to any other party, except for authorized employees, subcontractors, or assignees of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless: a. the parent or eligible student provided prior written consent; or b. the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. iv. To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody. v. To use encryption to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified or permitted by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. vi. To adopt technologies, safeguards and practices that align with the U.S. Department of Commerce National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity, “NIST Cybersecurity Framework” (Version 1.1). vii. To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so.

Additional Statutory and Regulatory Obligations. Vendor acknowledges that Vendor has the following additional obligations under Section 2-d with respect to any Protected Data that Vendor receives from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement this Data Sharing and these Terms and Conditions. Vendor acknowledges and agrees to the followingConfidentiality Agreement: i. (a) To limit internal access to Protected Data to only those employees or subcontractors that need access are determined to have legitimate educational interests within the Protected Data in order to assist Vendor in fulfilling one or more meaning of its obligations to Section 2-d and the District under the Master AgreementFamily Educational Rights and Privacy Act (FERPA). ii. (b) To not use Protected Data for any purposes not other than those explicitly authorized in the Master Agreement or these Terms this Data Sharing and ConditionsConfidentiality Agreement. iii. (c) To not disclose any Protected Data to any other party, except for authorized employees, subcontractors, or assignees representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with applicable state and federal law, laws and regulations and the terms of the Master this Data Sharing and Confidentiality Agreement, unless: a. (i) the parent or eligible student has provided prior written consent; or b. (i) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order. iv. (d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its Vendor’s custody. v. (e) To use encryption technology to protect Protected Data in its Vendor’s custody while in motion or at rest, using a technology or methodology that meets the standard specified or permitted by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. vi. (f) To adopt technologies, safeguards and practices that align with the U.S. Department of Commerce National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity, “NIST Cybersecurity Framework” (Version 1.1). vii. (g) To comply with Section 2-d and Part 121. (h) To not sell Protected Data nor use or disclose it Protected Data for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so. (i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors, as set forth in Section 5 of this Data Sharing and Confidentiality Agreement. (j) To reasonably cooperate with the District and applicable law enforcement agencies regarding investigation into the breach or unauthorized release of Protected Data, . (k) To reimburse the District for the full costs of any legally required notification under Section 2-d due to a breach or unauthorized release of Protected Data caused by Vendor or its subcontractors; provided that the District reasonably consults, co-operates and co- ordinates with Vendor in connection with such notifications. EXHIBIT A (CONTINUED)