Privacy and Data Security (a) Each Group Company that maintains a web site has posted on its web site a privacy policy regarding the collection, use and disclosure of Personal Information that it collects, is in its possession, or in its custody or control. Each Group Company has complied in all material respects with all Information Privacy and Security Laws and material agreements to which it is a party that contain, involve or deal with receipt, collection, compilation, use, storage, processing, sharing, safeguarding, security (technical, physical and administrative), disposal, destruction, disclosure, or transfer (including cross-border) Personal Information. No Group Company has been notified in writing of any Action or any other claim related to data security or privacy or alleging a violation of any of its privacy policies, or any Information Privacy and Security Law, nor, to the Knowledge of the Company, has any such claim been threatened in writing. Each Group Company has taken commercially reasonable administrative, physical and technical measures designed to protect and maintain the confidentiality, security, integrity and accessibility (as applicable) of: (a) Systems and all data contained therein (including Company Data and Data Sets and other data subject to confidentiality obligations), (b) all Personal Information and other Sensitive Data collected by or on behalf of the Group Companies in connection with their business, including in each case, in accordance with all Information Privacy and Security Laws and Group Company’s published policies. Each Group Company has taken commercially reasonable steps to ensure that all material third party service providers, outsourcers, contractors, or other persons who access, process, store or otherwise handle Personal Information for or on behalf of a Group Company have agreed in writing to materially comply with applicable Information Privacy and Security Laws and taken reasonable steps to protect and secure Personal Information from loss, theft, misuse or unauthorized access, use, modification or disclosure.
(b) There are no unsatisfied written requests that any Group Company has received from individuals seeking to exercise their data protection rights under Information Privacy and Security Laws. Except as set forth on Schedule 3.13.9(b), there is not and has not been any (i) Action or (ii) written allegation that a Group Company has received by any private party, any data protection authority, or any other Governmental Authority with respect to the Group Companies’ collection, use, storage, transfer, or processing of Personal Information or compliance with Information Privacy and Security Laws, nor has any such Action been threatened. There has been no material Security Breach involving Systems, Company Data and Data Sets, Personal Information or other Sensitive Data in the possession or control of any Group Company. No Group Company has notified, or been required to notify, any Person or Governmental Authority of any Security Breach, nor has the Group Company paid a ▇▇▇▇▇▇ to any perpetrator as a result of any actual or threatened cyber-attack.
Data Security The Provider agrees to utilize administrative, physical, and technical safeguards designed to protect Student Data from unauthorized access, disclosure, acquisition, destruction, use, or modification. The Provider shall adhere to any applicable law relating to data security. The provider shall implement an adequate Cybersecurity Framework based on one of the nationally recognized standards set forth set forth in Exhibit “F”. Exclusions, variations, or exemptions to the identified Cybersecurity Framework must be detailed in an attachment to Exhibit “H”. Additionally, Provider may choose to further detail its security programs and measures that augment or are in addition to the Cybersecurity Framework in Exhibit “F”. Provider shall provide, in the Standard Schedule to the DPA, contact information of an employee who ▇▇▇ may contact if there are any data security concerns or questions.
