Reporting Requirements of the Commission and Indemnification Notwithstanding any other provision of this Agreement, the Servicer acknowledges and agrees that the purpose of Sections 4.02(c) and (d), 5.02, 5.03, 5.04, 6.01(j), 6.03 and 7.04 of this Agreement is to facilitate compliance by the Trustee, the Securities Administrator, the Master Servicer and the Depositor with the provisions of Regulation AB. Therefore, the Servicer agrees that (a) the obligations of the Servicer hereunder shall be interpreted in such a manner as to accomplish that purpose, (b) such obligations may change over time due to interpretive advice or guidance of the Commission, convention or consensus among active participants in the asset-backed securities markets, advice of counsel, or otherwise in respect of the requirements of Regulation AB, (c) the Servicer shall agree to enter into such amendments to this Agreement as may be necessary, in the judgment of the Depositor, the Master Servicer and their respective counsel, to comply with such interpretive advice or guidance, convention, consensus, advice of counsel, or otherwise, (d) the Servicer shall otherwise comply with requests made by the Trustee, the Securities Administrator, the Master Servicer or the Depositor for delivery of additional or different information as such parties may determine in good faith is necessary to comply with the provisions of Regulation AB and (e) the Servicer shall (i) agree to such modifications and enter into such amendments to this Agreement as may be necessary, in the judgment of the Depositor, the Master Servicer and their respective counsel, to comply with any such clarification, interpretive guidance, convention or consensus and (ii) promptly upon request provide to the Depositor for inclusion in any periodic report required to be filed under the Exchange Act, such items of information regarding this Agreement and matters related to the Servicer, (collectively, the “Servicer Information”), provided that such information shall be required to be provided by the Servicer only to the extent that such shall be determined by the Depositor in its sole discretion and its counsel to be necessary or advisable to comply with any Commission and industry guidance and convention. For purposes of clarification, any modifications or amendments of the obligations of the Servicer under this agreement made pursuant to this Section 6.05 shall be made in writing and upon mutual agreement with the Servicer (provided that such agreement will not unreasonably withheld) and in accordance with Section 9.12 of this Agreement. The Servicer hereby agrees to indemnify and hold harmless the Depositor, the Master Servicer, their respective officers and directors and each person, if any, who controls the Depositor or Master Servicer within the meaning of Section 15 of the Securities Act of 1933, as amended (the “Act”), or Section 20 of the Exchange Act, from and against any and all losses, claims, expenses, damages or liabilities to which the Depositor, the Master Servicer, their respective officers or directors and any such controlling person may become subject under the Act or otherwise, as and when such losses, claims, expenses, damages or liabilities are incurred, insofar as such losses, claims, expenses, damages or liabilities (or actions in respect thereof) arise out of or are based upon any untrue statement or alleged untrue statement of any material fact contained in the Servicer Information or arise out of, or are based upon, the omission or alleged omission to state therein any material fact required to be stated therein or necessary to make the statements therein, in light of the circumstances under which they were made, not misleading, and will reimburse the Depositor, the Master Servicer, their respective officers and directors and any such controlling person for any legal or other expenses reasonably incurred by it or any of them in connection with investigating or defending any such loss, claim, expense, damage, liability or action, as and when incurred; provided, however, that the Servicer shall be liable only insofar as such untrue statement or alleged untrue statement or omission or alleged omission relates solely to the information in the Servicer Information furnished to the Depositor or Master Servicer by or on behalf of the Servicer specifically in connection with this Agreement.
New Hampshire Specific Data Security Requirements The Provider agrees to the following privacy and security standards from “the Minimum Standards for Privacy and Security of Student and Employee Data” from the New Hampshire Department of Education. Specifically, the Provider agrees to:
(1) Limit system access to the types of transactions and functions that authorized users, such as students, parents, and LEA are permitted to execute;
(2) Limit unsuccessful logon attempts;
(3) Employ cryptographic mechanisms to protect the confidentiality of remote access sessions;
(4) Authorize wireless access prior to allowing such connections;
(5) Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity;
(6) Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions;
(7) Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles;
(8) Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services;
(9) Enforce a minimum password complexity and change of characters when new passwords are created;
(10) Perform maintenance on organizational systems;
(11) Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance;
(12) Ensure equipment removed for off-site maintenance is sanitized of any Student Data in accordance with NIST SP 800-88 Revision 1;
(13) Protect (i.e., physically control and securely store) system media containing Student Data, both paper and digital;
(14) Sanitize or destroy system media containing Student Data in accordance with NIST SP 800-88 Revision 1 before disposal or release for reuse;
(15) Control access to media containing Student Data and maintain accountability for media during transport outside of controlled areas;
(16) Periodically assess the security controls in organizational systems to determine if the controls are effective in their application and develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems;
(17) Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems;
(18) Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception);
(19) Protect the confidentiality of Student Data at rest;
(20) Identify, report, and correct system flaws in a timely manner;
(21) Provide protection from malicious code (i.e. Antivirus and Antimalware) at designated locations within organizational systems;
(22) Monitor system security alerts and advisories and take action in response; and
(23) Update malicious code protection mechanisms when new releases are available.