Common use of Data Security and Privacy Plan Clause in Contracts

Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. Additional elements of Vendor’s Data Security and Privacy Plan are as follows: (a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance. (b) In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, Vendor will have the following reasonable administrative, technical, operational and physical safeguards and practices in place throughout the term of the MLSA: Learning A-Z products are on servers and equipment owned and operated by its parent company Cambium Learning. Our servers and all user-specific data are hosted in a secure Tier 4 enterprise data center located in Texas with a failover data center in Michigan. All of our administrative controls are behind firewalls and also require username/password access, which is limited to Cambium Learning operational staff. (c) Vendor will comply with all obligations set forth in Erie 1 BOCES’ “Supplemental Information about the MLSA” below. (d) For any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who have access to Protected Data, Vendor has provided or will provide training on the federal and state laws governing confidentiality of such data prior to their receiving access, as follows: Annually, Vendor will require that all of its employees who have access to Protected Data (or officers or employees of any of its subcontractors or assignees) undergo data security and privacy training to ensure that these individuals are aware of and familiar with all applicable data security and privacy laws. (e) The Learning A-Z, LLC subscriptions and services are SaaS-based and provider-hosted, with certain aspects of the program functionality supported for all Vendor’s K-12 educational customers through established service provider and/or subcontractor relationships to enable Vendor to provision and perform its Services under the Agreement, who are under contractual obligations of confidentiality and security with Vendor with respect to same, and Vendor shall remain responsible and liable to Erie 1 BOCES, other applicable BOCES, and each Participating Education Agency for same. Other than the foregoing, Vendor [check one] will X will not utilize sub-contractors for the purpose of fulfilling one or more of its obligations under the MLSA. In the event that Vendor engages any subcontractors, assignees, or other authorized agents to perform its obligations under the MLSA, it will require such subcontractors, assignees, or other authorized agents to execute written agreements as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below. (f) Vendor will manage data security and privacy incidents that implicate Protected Data by Vendor or its assignees or subcontractors, including identifying breaches and unauthorized disclosures, and Vendor will provide prompt notification of any breaches or unauthorized disclosures of Protected Data in accordance with Section 6 of this Data Sharing and Confidentiality Agreement. (g) Vendor will implement procedures for the return, transition, deletion and/or destruction of Protected Data at such time that the MLSA is terminated or expires, as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.

Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. Additional elements of Vendor’s Data Security and Privacy Plan are as follows: (a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance. (b) In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, Vendor will have the following reasonable administrative, technical, operational and physical safeguards and practices in place throughout the term of the MLSA: Learning A-Z ExploreLearning, LLC products are on servers and equipment owned and operated by its parent company Cambium Learning. Our servers and all user-specific data are hosted in a secure Tier 4 enterprise data center located in Texas with a failover data center in Michigan. All of our administrative controls are behind firewalls and also require username/password access, which is limited to Cambium Learning operational staff. (c) Vendor will comply with all obligations set forth in Erie 1 BOCES’ “Supplemental Information about the MLSA” below. (d) For any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who have access to Protected Data, Vendor has provided or will provide training on the federal and state laws governing confidentiality of such data prior to their receiving access, as follows: Annually, Vendor will require that all of its employees (or officers or employees who have access to Protected Data (or officers or employees of any of its subcontractors or assignees) undergo data security and privacy training to ensure that these individuals are aware of and familiar with all applicable data security and privacy laws. (e) The Learning A-ZExploreLearning, LLC subscriptions and services are SaaS-based and provider-provider- hosted, with certain aspects of the program functionality supported for all Vendor’s K-12 educational customers through established service provider and/or subcontractor relationships to enable Vendor to provision and perform its Services under the Agreement, who are under contractual obligations of confidentiality and security with Vendor with respect to same, and Vendor shall remain responsible and liable to Erie 1 BOCES, other applicable BOCES, and each Participating Education Agency for same. Other than the foregoing, Vendor [check one] will X will not utilize sub-contractors for the purpose of fulfilling one or more of its obligations under the MLSA. In the event that Vendor engages any subcontractors, assignees, or other authorized agents to perform its obligations under the MLSA, it will require such subcontractors, assignees, or other authorized agents to execute written agreements as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below. (f) Vendor will manage data security and privacy incidents that implicate Protected Data by Vendor or its assignees or subcontractors, including identifying breaches and unauthorized disclosures, and Vendor will provide prompt notification of any breaches or unauthorized disclosures of Protected Data in accordance with Section 6 of this Data Sharing and Confidentiality Agreement. (g) Vendor will implement procedures for the return, transition, deletion and/or destruction of Protected Data at such time that the MLSA is terminated or expires, as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.

Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. Additional elements of Vendor’s Data Security and Privacy Plan are as follows: (a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance. (b) In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, Vendor will have the following reasonable administrative, technical, operational and physical safeguards and practices in place throughout the term of the MLSA: Learning A-Z Lexia products are on servers and equipment owned and operated by its parent company Cambium Learning. Our servers and all user-specific data are hosted in a secure Tier 4 enterprise data center located in Texas with a failover data center in Michigan. All of our administrative controls are behind firewalls and also require username/password access, which is limited to Cambium Learning operational staff. (c) Vendor will comply with all obligations set forth in Erie 1 BOCES’ “Supplemental Information about the MLSA” below. (d) For any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who have access to Protected Data, Vendor has provided or will provide training on the federal and state laws governing confidentiality of such data prior to their receiving access, as follows: Annually, Vendor will require that all of its employees (or officers or employees who have access to Protected Data (or officers or employees of any of its subcontractors or assignees) undergo data security and privacy training to ensure that these individuals are aware of and familiar with all applicable data security and privacy laws. (e) The Lexia Learning A-ZSystems, LLC subscriptions and services are SaaS-based and provider-hosted, with certain aspects of the program functionality supported for all Vendor’s K-12 educational customers through established service provider and/or subcontractor relationships to enable Vendor to provision and perform its Services under the Agreement, who are under contractual obligations of confidentiality and security with Vendor with respect to same, and Vendor shall remain responsible and liable to Erie 1 BOCES, other applicable BOCES, and each Participating Education Agency for same. Other than the foregoing, Vendor [check one] will X will xwill not utilize sub-contractors for the purpose of fulfilling one or more of its obligations under the MLSA. In the event that Vendor engages any subcontractors, assignees, or other authorized agents to perform its obligations under the MLSA, it will require such subcontractors, assignees, or other authorized agents to execute written agreements as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below. (f) Vendor will manage data security and privacy incidents that implicate Protected Data by Vendor or its assignees or subcontractors, including identifying breaches and unauthorized disclosures, and Vendor will provide prompt notification of any breaches or unauthorized disclosures of Protected Data in accordance with Section 6 of this Data Sharing and Confidentiality Agreement. (g) Vendor will implement procedures for the return, transition, deletion and/or destruction of Protected Data at such time that the MLSA is terminated or expires, as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.

Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. Additional elements of Vendor’s Data Security and Privacy Plan are as follows: (a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance. (b) In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, Vendor will have the following reasonable administrative, technical, operational and physical safeguards and practices in place throughout the term of the MLSA: Learning A-Z products are on servers EliteGamingLIVE takes extensive measures in order to ensure privacy, safety, and equipment owned security of the individuals using our platform as well as their data. These efforts include extensive training, ▇▇▇▇▇▇▇ off PII data access, private virtual events with no streaming or video of students, policies for data security, policies for privacy, and operated by its parent company Cambium Learning. Our servers and all user-specific data are hosted in a secure Tier 4 enterprise data center located in Texas with a failover data center in Michiganpolicies for incident response. All of our administrative controls are behind firewalls and also require username/password access, which is limited to Cambium Learning operational staffthese policies have been included as part of this packet. (c) Vendor will comply with all obligations set forth in Erie 1 BOCES’ “Supplemental Information about the MLSA” below. (d) For any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who have access to Protected Data, Vendor has provided or will provide training on the federal and state laws governing confidentiality of such data prior to their receiving access, as follows: Annually, Vendor will require that all of its employees who have access to Protected Data (or officers or employees of any of its subcontractors or assignees) undergo data security and privacy training to ensure that these individuals are aware of and familiar with all applicable data security and privacy laws. (e) The Learning A-Z, LLC subscriptions and services are SaaS-based and provider-hosted, with certain aspects of the program functionality supported for all Vendor’s K-12 educational customers through established service provider and/or subcontractor relationships to enable Vendor to provision and perform its Services under the Agreement, who are under contractual obligations of confidentiality and security with Vendor with respect to same, and Vendor shall remain responsible and liable to Erie 1 BOCES, other applicable BOCES, and each Participating Education Agency for same. Other than the foregoing, Vendor [check one] x will X will not utilize sub-contractors for the purpose of fulfilling one or more of its obligations under the MLSA. In the event that Vendor engages any subcontractors, assignees, or other authorized agents to perform its obligations under the MLSA, it will require such subcontractors, assignees, or other authorized agents to execute written agreements as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below. (f) Vendor will manage data security and privacy incidents that implicate Protected Data by Vendor or its assignees or subcontractorsData, including identifying breaches and unauthorized disclosures, and Vendor will provide prompt notification of any breaches or unauthorized disclosures of Protected Data in accordance with Section 6 of this Data Sharing and Confidentiality Agreement. (g) Vendor will implement procedures for the return, transition, deletion and/or destruction of Protected Data at such time that the MLSA is terminated or expires, as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.

Data Security and Privacy Plan. Vendor agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ the BOCES Parents Bill of Rights for Data Privacy and Security, a copy of which has been signed by the Vendor and is set forth below. Additional elements of Vendor’s ’ Data Security and Privacy Plan are as follows: (a) In order to Vendor will implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality AgreementDPA, consistent with Erie 1 BOCES’ BOCES data security and privacy policy, Vendor will: Review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Data Sharing and Confidentiality Agreement. In the event Vendor’s policy and practices are not in conformance, the Vendor will implement commercially reasonable efforts to ensure such compliance. (b) In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSAVendor AGREEMENT, Vendor will have the following reasonable administrative, technical, operational and physical safeguards and practices in place throughout the term of the MLSAVendor AGREEMENT: Learning A-Z products are on servers • Pseudonymisation and equipment owned encryption of PII (TLS v1.2 for all data in transit between clients and operated by its parent company Cambium Learningserver and AES256­CBC (256­bit Advanced Encryption Standard in Cipher Block Chaining mode) for encrypting data at rest). Our servers • Password protection. • Ensure the ongoing confidentiality, integrity, availability and all user-specific resilience of processing systems and services. • Restore the availability and access to personal data are hosted in a secure Tier 4 enterprise data center located timely manner in Texas with the event of a failover data center in Michigantechnical incident. All • Regularly test, assess and evaluate the effectiveness of our administrative controls are behind firewalls technical and also require username/password access, which is limited to Cambium Learning operational stafforganizational measures ensuring the security of the processing. (c) Vendor will comply with all obligations set forth in Erie 1 BOCES’ BOCES “Supplemental Information about the MLSAAGREEMENT” below. (d) For any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who have access to Protected Data, Vendor has provided or will provide training on the federal and state laws governing confidentiality of such data prior to their receiving access, as follows: Annually, Vendor will require that all of its employees who have access to Protected Data (or officers or employees of any of its subcontractors or assignees) undergo data security and privacy training to ensure that these individuals are aware of and familiar with all applicable data security and privacy laws. (e) The Learning A-ZVendor will make sure that, LLC subscriptions prior to disclosing Protected Data to its subcontractors or assignees, such subcontractors or assignees comply with federal and services are SaaS-based and provider-hosted, with certain aspects state laws governing confidentiality of the program functionality supported for all Vendor’s K-12 educational customers through established service provider and/or subcontractor relationships to enable Protected Data. (f) Vendor to provision and perform its Services under the Agreement, who are under contractual obligations of confidentiality and security with Vendor with respect to same, and Vendor shall remain responsible and liable to Erie 1 BOCES, other applicable BOCES, and each Participating Education Agency for same. Other than the foregoing, Vendor [check one] will X will not utilize sub-contractors sub­contractors for the purpose of fulfilling one or more of its obligations under the MLSAVendor AGREEMENT. In the event that Vendor engages any subcontractors, assignees, or other authorized agents to perform its obligations under the MLSAVendor AGREEMENT, it will require such subcontractors, assignees, or other authorized agents to execute written agreements as more fully described in Erie 1 BOCES’ BOCES “Supplemental Information about the MLSAVendor AGREEMENT,” below. (fg) Vendor will manage data security and privacy incidents that implicate Protected Data by Vendor or its assignees or subcontractorsData, including identifying identify breaches and unauthorized disclosures, and Vendor will provide prompt notification of any breaches or unauthorized disclosures of Protected Data in accordance with Section 6 of this Data Sharing and Confidentiality Agreement. (gh) Vendor will implement procedures for the return, transition, deletion and/or destruction of Protected Data at such time that the MLSA AGREEMENT is terminated or expires, as more fully described in Erie 1 BOCES’ BOCES “Supplemental Information about the MLSAAGREEMENT,” below.