Personally Identifiable Information Protection Requirements

Last Updated: July 1, 2016

Seller (as defined herein) must comply with the following standards for the protection of Personally Identifiable Information (as defined herein) to the extent applicable to the goods and services being purchased.

1. Definitions.

1. As used herein,

A. "Affiliate(s)" shall mean any entity controlling, controlled by or under common control with another entity.

B. “Agreement” shall mean the written agreement between CE and Seller, into which these requirements have been incorporated.

C. "Data Subject" shall mean any person about whom Personally Identifiable Information may be Processed (as defined herein) in the performance of this Agreement.

D. "Governmental Authority" shall mean a public agency or authority of any country, state, territory, or political subdivision of a country, state or territory, or a person or entity acting under a grant of authority from or under contract with such public agency or authority, that is authorized by law to enforce individual rights with respect to Personally Identifiable Information, , or to oversee or monitor compliance with privacy and data protection laws, rules and regulations.

E. "Personally Identifiable Information" shall mean data that identifies or could reasonably be used to identify a Data Subject, including, without limitation, data relating to students and/or their parents. Personally Identifiable Information shall not include publicly available information that has not been combined with non-public Personally Identifiable Information.

F. "Processed" or "Processing" shall mean the collection, use, selling, disclosure, transfer, storage, deletion, combination or other use of Personally Identifiable Information, as contemplated by applicable federal and state privacy and data protection laws including but not limited to, the Family Education Rights and Privacy Act (FERPA), the Children’s Online Protection Privacy Act (COPPA), the Children’s Internet Protection Act (CIPA), and the Health Insurance Portability and Accountability Act (HIPPA).

G. “Seller” shall mean the party or parties which will provide CE with goods and/or services pursuant to the Agreement.

H. Unless otherwise defined herein, all other capitalized terms shall have the meanings ascribed to them in the Agreement.

2 Seller shall:

A. Ensure that all Personally Identifiable Information collected by Seller is Processed only to perform its obligations under this Agreement and as specifically permitted by this Agreement, or as otherwise instructed, in writing, from time to time, by CE. Seller may not use such Personally Identifiable Information for any other purpose, including without limitation for its own commercial benefit, unless agreed to in writing by CE;

B. Ensure that Personally Identifiable Information is not disclosed or transferred to any third party without the prior written permission of CE, except: (i) as specifically stated in this Agreement, or (ii) where such disclosure or transfer is required by applicable law, regulation or governmental authority, in which case Seller shall notify CE promptly in writing (and in any event within five (5) days of receipt of a request for disclosure or transfer) prior to complying with any such request for disclosure or transfer, and shall comply with all reasonable directions of CE with respect to such disclosure or transfer;

C. Ensure that all Personally Identifiable Information created by Seller on behalf of CE is accurate and, where necessary, kept updated, and use commercially reasonable efforts to ensure that any Personally Identifiable Information that is inaccurate or incomplete is rectified;

D. Ensure that all Personally Identifiable Information received from or on behalf of CE and its Affiliates are maintained in a secure manner, and not subject to alteration or deletion;

E. Ensure that commercially reasonable technical and organizational measures are taken to protect Personally Identifiable Information against: (i) accidental or unlawful destruction, (ii) accidental loss or alteration, (iii) unauthorized disclosure or access, and (iv) all other unlawful forms of processing. In particular, "commercially reasonable technical and organizational measures" must meet or exceed industry standards for protecting Personally Identifiable Information as well as any specific requirements of CE with respect to protecting such Personally Identifiable Information;

F. Notify CE in writing immediately (and in any event within 24 hours) upon learning of any accidental or intentional breaches of the security of the Personally Identifiable Information, or any unlawful or unauthorized uses or disclosures of Personally Identifiable Information (a "Security Breach"), and provide detailed information regarding the nature and scope of the Security Breach, the actual or potential cause of the breach, the measures being taken by Seller to investigate the breach, correct or mitigate the breach, and to prevent future breaches. Seller agrees that any decision to notify Data Subjects of the breach shall be in the sole discretion of CE and any notice shall be approved in advance by CE;

G. Notify CE immediately of any change that is made with respect to the organizational or technical measures taken to protect Personally Identifiable Information that could affect the controls and/or standards of protection previously specified or approved;

H. Ensure that Seller notifies CE promptly in writing (and in any event within five (5) days of receipt) of any communication received from a Data Subject relating to the Data Subject's rights to access, modify or correct his or her Personally Identifiable Information and to comply with all reasonable instructions of CE before responding to such communications; and

I. Comply with the provisions of this Agreement and the reasonable instructions of CE to return, store or destroy the Personally Identifiable Information.

3. Each party shall comply with all applicable laws, rules, and regulations with respect to such party's Processing of Personally Identifiable Information under this Agreement. Seller shall take any other steps reasonably requested by CE to assist CE in complying with any notification or other obligations applicable to CE or its Affiliates under such laws, rules and regulations. In the event that this Agreement, or any actions to be taken or contemplated to be taken in performance of this Agreement, do not or would not satisfy either party's obligations under such laws, the Parties shall negotiate in good faith an appropriate amendment to this Agreement.

4. To the extent that the Seller operates a commercial website or an online service, Seller acknowledges that in order to perform the services or provide the products contracted for, Seller may have access to student information and, per the Child Online Privacy and Protection Act (COPPA) and this agreement, Seller shall comply with COPPA with respect to the collection of information of children under the age of thirteen (13).

5. At any time during the term of this Agreement, upon prior request and in a reasonable time and manner, Seller agrees to make its internal policies and procedures, practices, books, and records relating to the privacy and security of Personally Identifiable Information and the Processing of Personally Identifiable Information available to CE and/or its Affiliates for review and assessment.

6. Without limiting any provision of these requirements, Seller shall limit access to and possession of Personally Identifiable Information only to those of its personnel and permitted subcontractors whose responsibilities under this Agreement reasonably require such access or possession. Seller represents, warrants, and covenants that all employees providing services hereunder are properly trained and prepared to fulfill Seller's obligations under this Agreement and that permitted subcontractors will be bound by a written agreement containing terms sufficient to give effect to Seller's obligations under this Agreement. Any Processing (or other act or omission by any person that obtains access to or possession of Personally Identifiable Information through Seller) that would be a breach of this Agreement if committed by Seller itself is deemed a breach of this Agreement by Seller for which Seller shall be responsible.

7. Seller shall indemnify and hold CE harmless from and against any and all claims, losses, damages, liabilities and costs (including the costs of notification of Data Subjects, credit monitoring or other risk mitigation steps taken by CE, attorney's fees and other expenses reasonably incurred) arising out of or relating to: (A) a claim by a Data Subject or other third party that is primarily based on the acts or omissions of Seller's employees, agents or subcontractors in the performance of this Agreement, (B) the gross negligence or intentional misconduct by Seller, its employees, agents or subcontractors, or (C) a breach by Seller of any of the terms of this Agreement.