Common use of User Account Security Clause in Contracts

User Account Security. All users of the application require a password-protected login in order to authenticate. Teachers and students can register with a unique username and a password, or use Google SSO or Clever SSO. Because we do not require students to provide an email, we cannot use the traditional password-reset-via-email mechanism in the case of a student forgetting their password. For this use case, teachers have the ability to reset the passwords of their students. User credentials are encrypted, as all data, using our standard encryption in transit and at rest requirements. In addition, passwords are further encrypted at rest using the bcrypt function. We do not store or transmit a user password without encryption.

Third Party Services and Subcontractors. We only partner with third party services and subcontractors whose privacy policies are consistent with the obligations within our privacy principles (▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇.▇▇▇/privacy). We will not utilize subcontractors without a written contract that requires the subcontractors to adhere to, at a minimum, materially similar data protection obligations imposed on the contractor by specific customer, state and federal laws and regulations.

Incident Management and Response. We have 24/7 on call support for incident response. Two-to-three engineers are on call each week. We use several application monitoring services (NewRelic, Datadog, Rollbar, Bugsnag), configured to alert our on-call engineers via Slack in the case of a possible incident. All alerts must be investigated, and all fires must be addressed immediately. We maintain, and continue to expand, a library of on call response playbooks which detail both how to respond and relevant surrounding context, for a variety of possible incident scenarios. We aim to link each of our alerts to the relevant playbook to facilitate a rapid incident response.

In addition, all fires require detailed write-ups of the events of the incident and investigation, any root cause analysis, and next steps. These write-ups are reviewed by key stakeholders, and next steps are recorded and prioritized by the appropriate teams. In the case of a data breach, our current practice is to notify a client within 48 hours of the recognition of a data breach.

Data Transition and Secure Destruction. Upon expiration or termination of the Contract or Agreement, NoRedInk shall:
• Securely transfer data to EA, or a successor contractor at the EA’s option and written discretion, in a format agreed to by the parties.
• Securely delete and destroy data and remove it from any archival databases within 30 days of expiration.

Training. NoRedInk provides periodic security and privacy training to those of its employees and individual consultants who operate or have access to the system. NoRedInk contracts with Vanta for employee training that covers the following topics: general cybersecurity, reporting suspicious activity, passwords, password managers, MFA, malware, ransomware, phishing, mobile security, cloud security threats, policy violations, data classification and data privacy.

Supplemental Agreement dated this 8th day of November, 2023 between the Sag Harbor Union Free School District (the “District”), located at ▇▇▇ ▇▇▇▇▇▇▇ ▇▇▇▇▇▇, ▇▇▇ ▇▇▇▇▇▇, ▇▇▇ ▇▇▇▇ ▇▇▇▇▇, and NoRedInk Corp. (the “Contractor”) located at ▇▇▇ ▇▇▇▇▇▇ ▇▇, ▇▇▇ ▇▇▇▇▇, ▇▇▇ ▇▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇▇▇▇▇ ▇▇▇▇▇
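The two account-security commitments in the clause above, passwords kept at rest only as bcrypt output and a teacher-initiated reset for students who have no email, are shown below as an added, self-contained example. It is not NoRedInk's code and nothing about their implementation is known beyond the clause. One caveat the clause's wording ("encrypted ... using the bcrypt function") glosses over: bcrypt is a salted one-way hash, so a stored password can only be verified, never decrypted. Because bcrypt is not in Python's standard library, this example uses PBKDF2-HMAC-SHA256 from `hashlib` as a stand-in (assumption: substitute the `bcrypt` package in production); the user names, roster and iteration count are constructed for illustration. The reset path demonstrates the check a practitioner cares most about: the teacher must be authorized for that specific student, not merely logged in as a teacher.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Work factor. 600,000 is the OWASP (2023) recommendation for PBKDF2-HMAC-SHA256;
# with real bcrypt the analogous knob is the cost parameter.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt>$<digest>'.

    This is a one-way hash, not encryption: the password cannot be recovered
    from the record, only checked against it (the same holds for bcrypt).
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations, then compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hash of a random throwaway value so that a login attempt against an unknown
# username costs the same as one against a real account (no user enumeration by timing).
_DUMMY_HASH = hash_password(secrets.token_urlsafe(16))


@dataclass
class User:
    username: str
    role: str                  # "teacher" or "student" (constructed roles for the example)
    password_hash: str
    session_version: int = 0   # bumped on reset so sessions issued before it stop validating


@dataclass
class Store:
    users: dict[str, User] = field(default_factory=dict)
    roster: dict[str, set[str]] = field(default_factory=dict)  # teacher -> their students

    def register(self, username: str, role: str, password: str) -> None:
        if username in self.users:
            raise ValueError("username already taken")
        self.users[username] = User(username, role, hash_password(password))

    def enroll(self, teacher: str, student: str) -> None:
        self.roster.setdefault(teacher, set()).add(student)

    def login(self, username: str, password: str) -> tuple[str, int] | None:
        """Return (username, session_version) on success, else None."""
        user = self.users.get(username)
        stored = user.password_hash if user is not None else _DUMMY_HASH
        ok = verify_password(password, stored)       # always runs, even for unknown users
        if user is None or not ok:
            return None
        return (user.username, user.session_version)

    def teacher_reset(self, teacher: str, student: str) -> str:
        """Teacher-initiated reset for students who have no email address.

        The check is authorization, not just authentication: a teacher may only
        reset accounts on their own roster, otherwise any teacher login could
        take over any student account simply by guessing usernames.
        """
        actor = self.users.get(teacher)
        if actor is None or actor.role != "teacher":
            raise PermissionError("only teachers can reset student passwords")
        if student not in self.roster.get(teacher, set()):
            raise PermissionError(f"{student} is not in {teacher}'s class")
        target = self.users.get(student)
        if target is None or target.role != "student":
            raise PermissionError("teachers may only reset student accounts")
        temp = secrets.token_urlsafe(9)   # one-time temporary password handed to the teacher
        target.password_hash = hash_password(temp)
        target.session_version += 1       # invalidate the student's existing sessions
        return temp


if __name__ == "__main__":
    store = Store()
    store.register("ms_rivera", "teacher", "correct horse battery staple")
    store.register("student42", "student", "purple-giraffe-7")
    store.enroll("ms_rivera", "student42")
    print(store.login("student42", "purple-giraffe-7"))   # ('student42', 0)
    temp = store.teacher_reset("ms_rivera", "student42")
    print(store.login("student42", "purple-giraffe-7"))   # None: old password no longer works
    print(store.login("student42", temp))                  # ('student42', 1)
```

The temporary password returned by `teacher_reset` should be treated as a one-time credential: a real application would force the student to choose a new password at next login and would log the reset (who, whom, when) for the incident write-ups the clause describes.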

Appears in 1 contract

Sources: Supplemental Agreement

Sources: Data Privacy Agreement