Last Updated: January 6, 2022
Welcome to Scoir! Please read the following terms of service (the “Agreement”) carefully as they contain the legal terms and conditions of your access to and use of the Services (defined below) provided by SCOIR, Inc. (“Provider”). The term “Client” as used herein means the educational institution, local educational agency, school administrative unit, education industry association, company, or other legal or professional entity that utilizes or intends to utilize the Services. By your accepting this Agreement, either by clicking a box indicating Client’s acceptance or by executing an order form that references this Agreement, you acknowledge that you have read, understand, and agree to the terms of this Agreement and you represent that you have the authority to bind Client to this Agreement. If you do not agree with these terms and conditions, you must not accept this Agreement and Client must not use the Services.
Provider may modify this Agreement at any time and any such modification shall become effective, for then-current clients, thirty days after the “Last Updated” date at the top of this Agreement; provided, however, that Provider must immediately inform Client of any such modification by means of a notice prominently displayed on the Website (defined below). Client’s continued use of the Services after that effective date will be deemed Client’s conclusive acceptance of the modified Agreement. If Client does not consent to an Agreement modification, Client should cease using the Services and terminate this Agreement in accordance with the provisions set forth herein.
1. DEFINITIONS. Capitalized terms defined herein shall have the meanings ascribed to them, including the following terms, which shall have the following meanings:
“Content” means any information inputted into the Website by Provider or by a User and which may be accessible by other Users.
“Client Data” means any information inputted into the Website by Client, at Client’s direction, or with Client’s permission, including, without limitation, information inputted by Invitees, and for which access is restricted to Client, Invitees, and other Users that Client or Invitees may permit.
“Intellectual Property Rights” means any patent, trademark, service mark, copyright, moral right, right in design, know-how and any other intellectual or industrial property rights anywhere in the world whether or not registered.
“Invitee” means any User who is authorized by Client to use the Services, or any portion thereof, and for whom Client has provisioned the Services. Invitees may include, for example, Client’s students and their parents or guardians, teachers, school counselors, and administrators.
“Order Form” means an ordering document or online order form entered into between Client and Provider that identifies Client and specifies the Initial Term (as defined herein) of this Agreement and the fees payable by Client for the Services to be provided hereunder.
“Services” means the online college search, guidance, application, and admissions services provided or made available by Provider through the Website, as further described in Section 2.1.
“User” means any person who creates an account on the Website. Users include, but are not limited to, Invitees.
“Website” means the public Internet site available at the domain https://app.scoir.com and any subdomain thereof.
2. USE OF THE SERVICES.
2.1. Description of Services. The Services are intended to guide high school students in their post-secondary pursuits. The Services enable students to search for and learn about collegiate, scholarship, and career opportunities; to engage with high school counselors and college admissions representatives during the college selection and admissions process; to solicit from high school faculty and administrators the creation and delivery of application-related documents; and to promote and manage their applications to institutions of higher education. The Services include a college guidance management system that enables high schools and affiliated organizations to monitor and assist students in their post-secondary planning; to engage and collaborate with students, parents and guardians, and college admissions representatives; to manage the creation and delivery of application-related documents to colleges; and to collect, analyze, and report on student engagement, academic achievements, and application outcomes.
2.2. Client’s Use. Provider grants Client the right to access and use, and to grant Invitees access to use, the Services for Client’s own lawful and legitimate business or organizational purposes. This right is non-exclusive, non-transferable, and limited by and subject to this Agreement.
2.3. Use by Invitees. Client acknowledges and agrees that:
(a) Client determines who is an Invitee;
(b) Client is responsible for each Invitee’s use of the Services;
(c) Client controls each Invitee’s level of access to the relevant portions of the Services at all times and can revoke or change an Invitee’s access, or level of access, at any time and for any reason;
(d) if there is any dispute between Client and an Invitee regarding access to the Services, or any portion thereof, Client shall use reasonable efforts to resolve such dispute between Client and the Invitee. Provider may, at Provider’s sole discretion, assist with the resolution of any such disputes but Provider is not liable or responsible for resolution of any such dispute.
3. PROVIDER’S RESPONSIBILITIES.
3.1. Provision of Services. Subject to the terms of this Agreement, Provider will make the Services available to Client as more particularly described in an applicable Order Form. Each Order Form will (a) reference this Agreement, (b) be incorporated by reference into this Agreement, and (c) be subject to the terms and conditions of this Agreement.
3.2. User-Generated Content. Provider may, but is not obligated to, monitor or review Content uploaded by Users to ensure that it is not inappropriate, erroneous, defamatory, libelous, slanderous, obscene or profane. Provider, in its sole discretion, may remove any Content from the Website. Notwithstanding the foregoing, Provider will not be liable for the accuracy or appropriateness of any Content. In addition, certain portions of the Services may contain functionality by which Users may post reviews, make recommendations, or give ratings of Content. No review, recommendation, or rating provided within the Services shall be deemed to be either an endorsement by Provider or an accurate statement of quality, competency, experience, or qualification pertaining to the subject matter thereof.
3.3. Privacy and Data Protection. Provider will safeguard the confidentiality of Client Data in accordance with the Data Processing Addendum attached hereto as “Appendix A”.
4. CLIENT’S RESPONSIBILITIES.
4.1. General Obligations. Client must only use the Services for Client’s own lawful and legitimate organizational purposes and in accordance with this Agreement. Client may use the Services on behalf of others or in order to provide services to others solely as permitted by this Agreement.
4.2. Access Conditions. Client shall take reasonable precautions to ensure its Invitees secure usernames, passwords, and any other means of gaining access to the Services and Client Data. Client agrees to not require any Invitees to disclose their passwords.
4.3. Use Conditions. When using the Services, Client represents and warrants that it will:
(a) not attempt to undermine the security or integrity of the Website, the Client Data, the Services, and, where the Services are hosted by a third party, that third party's computing systems and networks;
(b) not use, or misuse, the Services in any way which may impair or degrade the functionality of the Services or Website, or other systems used to deliver the Services or impair or degrade the ability of any other User to use the Services;
(c) not attempt to gain unauthorized access to any of its Invitees’ data or portions of the Services other than those to which Client has been given express permission to access;
(d) not transmit via, or input into, the Website, any (i) files that may damage any User's computing devices or software; (ii) Content that may reasonably be deemed to be offensive to any other User; or (iii) Content or Client Data that violates any law or infringes any Intellectual Property Rights; and
(e) not attempt to modify, copy, adapt, reproduce, disassemble, decompile or reverse engineer any computer programs used to deliver the Services or to operate the Website.
4.4. Communication Conditions. Client acknowledges that communication services made available through the Website (such as a forum, chat room, message center, and help desk) are to be used for lawful, appropriate, and legitimate purposes. Client must not permit its Invitees to use any such communication tool for posting or disseminating material unrelated to the Services, including, but not limited to, commercial solicitations or advertisements. When an Invitee makes any communication on the Website, Client represents that its Invitee is permitted to make such communication. Provider is under no obligation to ensure that communications on the Website are legitimate or that they are related only to the use of the Services. Notwithstanding the foregoing, Provider reserves the right to remove any communication at any time in its sole discretion.
5. THIRD PARTY SERVICES. Through the Services, Client and Invitees may be able to elect to receive services from partners of Provider (each such service, a “Third-Party Service”, and each such partner, a “Partner”). Third-Party Services are not provided on the Website and they are not considered part of the Services covered by this Agreement. Provider is not responsible for Third-Party Services or any material, information or results available through Third-Party Services. Partners may require Client and Invitees to agree to terms and conditions or agreements with respect to their provision of the Third-Party Services. Client or Invitees are solely responsible for, and assume all risk arising from, Client’s or Invitees’ election and receipt of any Third-Party Service. If Client or Invitees elect to receive a Third-Party Service, Client or Invitees, as the case may be, authorize Provider to submit to the applicable Partner certain information about Client or Invitees that such Partner may reasonably request in order to provide the Third-Party Service to Client or Invitees, provided that Provider’s sharing of such information is (i) authorized by Client or Invitees, as the case may be, and (ii) not otherwise prohibited by applicable law or regulation (the “Shared Information”). Client is responsible for the accuracy of all Shared Information provided to Provider and approved to be submitted to Partners. Client represents and warrants that Client has all the rights in and to any Shared Information necessary to provide Shared Information, and that Provider’s use of Shared Information as contemplated hereunder will not violate any rights of privacy or other proprietary rights, or any applicable local, state or federal laws, regulations, orders or rules.
Client and Invitees agree that, by electing to receive a Third-Party Service and consenting and authorizing Provider to submit your Shared Information to a Partner, Client and Invitees have waived and released any claim against Provider arising out of a Partner’s use of Shared Information.
6. FEES AND PAYMENTS.
6.1. Service Fees. Certain ancillary services, such as implementation and training services, may be fee-bearing. Client agrees to pay for the Services and all ancillary services, if applicable, in accordance with the fee schedule set forth on the Order Form. Client’s access to and use of the Services is contingent upon Client’s timely payment of such fees. All fees paid by Client are non-refundable except as otherwise provided for in Section 7.4.
6.2. Changes to Fees. Provider reserves the right to introduce new fee-bearing services and to change the schedule of fees from time to time upon no less than 30 days’ advance notice to Client; provided, however, that such fee changes for Services then in effect on Client’s account shall not become effective until the end of the then-current Term, as set forth on the Order Form. If a fee change to the Services is not acceptable, Client may terminate this Agreement as provided herein prior to the time when such change takes effect. Client’s continued use of the Services constitutes Client’s agreement to those changes.
6.3. Non-Payment. If Client fails to pay amounts due under Section 6.1, Provider’s sole recourses are to suspend the Services until amounts due are paid in full and to terminate this Agreement pursuant to Section 7.3. Notwithstanding the foregoing, if any Client payment is dishonored or returned because it cannot be processed by a bank, Provider reserves the right to charge Client any bank fees or charges for return items that Scoir incurs.
7. TERM; TERMINATION.
7.1. Term. This Agreement shall become effective on the date of Client’s acceptance hereof and shall continue for the period set forth in the Order Form (“Initial Term”). At the end of the Initial Term, and each subsequent anniversary thereof, this Agreement shall automatically renew for an additional one-year period (“Renewal Term”) unless either party gives the other notice of non-renewal at least 30 days before the end of the relevant Initial Term or Renewal Term or until terminated pursuant to Section 7.2.
7.2. Termination for Convenience. Client may, and shall be deemed to, terminate this Agreement effective on the commencement date of any Renewal Term by failing to pay the subscription fees due for such Renewal Term within thirty (30) days of the commencement date of the Renewal Term. Client may otherwise terminate this Agreement at any time for any reason, or for no reason, by providing Provider with 30 days’ advance written notice. No prepaid fees shall be or become refundable upon termination pursuant to this Section 7.2.
7.3. Termination for Cause. Either party may terminate this Agreement for cause in the event that the other party materially breaches any provision of this Agreement and such breach, if capable of being cured, is not cured within 30 days of receiving written notice of such breach from the terminating party.
7.4. Post-Termination Rights. If this Agreement is terminated by Client in accordance with Section 7.3, Provider will refund Client any prepaid fees relating to Client’s access and use of the Services after the effective date of termination. Upon request by Client made within 30 days of the effective date of termination of this Agreement, Provider will make the Client Data available to Client for export or download. After such 30-day period, Provider will have no obligation to retain or make available to Client any Client Data, unless legally required, and Provider will dispose of such Client Data as provided in Appendix A. Provider shall not be liable for any costs, losses, damages, or liabilities arising out of or related to termination of this Agreement.
7.5. Surviving Provisions. Sections 6 (Fees and Payments), 7.4 (Post-Termination Rights), 7.5 (Surviving Provisions), 8 (Proprietary Rights), 10 (Disclaimer), 11 (Limitation of Liability) and 12 (General Provisions) will survive any termination of this Agreement.
8. PROPRIETARY RIGHTS
8.1. General. Provider, or its licensors, owns all worldwide right, title and interest in and to the Website, Content, and software applications used to provide the Services. This Agreement does not convey any proprietary interest in or to any of Provider’s Intellectual Property Rights or rights of entitlement to the use thereof except as expressly set forth herein.
8.2. Ownership of Client Data. Title to, and all Intellectual Property Rights in, the Client Data remain Client’s property. However, Client’s access to the Client Data is contingent on Client’s compliance with the terms and conditions of this Agreement. Client hereby grants Provider a license to use, copy, transmit, store, and back-up the Client Data for the purposes of enabling and supporting Client’s continued access to and use of the Services, and for any other purpose related to provision of services to Client.
8.3. Third-Party Services and Client Data. If Client enables any Third-Party Service for use in conjunction with the Services, Provider shall not be responsible for any disclosure, modification or deletion of Client Data resulting from any such access by Third-Party Service.
8.4. User Feedback. Any feedback, comments and suggestions Client or Invitees may provide for improvements to the Services shall be deemed to have been given voluntarily and Provider will be free to use, disclose, reproduce, license or otherwise distribute, and exploit such feedback as Provider sees fit, entirely without obligation or restriction of any kind.
9. INDEMNIFICATION
9.1. Infringement Indemnification. Provider shall indemnify, defend, protect, and hold harmless Client, its affiliates, officers, directors, and employees, from and against any and all damages awarded by a court, arbitration, or settlement, including associated penalties, fines, and expenses arising out of or incurred by the Client as a result of any actual or threatened claim alleging that the licensing, use, or other exploitation of the Services by Client in accordance with the rights granted hereunder constitutes, under applicable laws of any jurisdiction within the United States of America, an infringement, dilution, or unauthorized use of any patent, copyright, trademark, or trade secret of any third-party. In the event that (i) some or all of the Services is held by a court of competent jurisdiction to infringe; (ii) an injunction is obtained against use of any material portion of the Services; or (iii) Client believes in its good faith judgment that the Services is infringing, then Provider shall promptly, at its sole option and expense, (a) procure for Client the right to continue to use the infringing Services; (b) replace or modify the infringing Services to make its use non-infringing while being capable of performing essentially the same functions; or (c) require Client to return or remove the infringing Services and cancel all rights thereto. If Provider implements option (iii) above, then Client may, at its option, terminate this Agreement, with immediate effect upon written notice to Provider, and be entitled to recover all amounts paid by Client during the Term that directly relate to the infringing Services.
9.2. Exclusions. Notwithstanding the foregoing, Provider will have no obligation under this Section 9 or otherwise with respect to any infringement claim based upon (i) any use of the Services not in accordance with this Agreement; (ii) any use of the Services in combination with other products, equipment, software or data not supplied by Provider; or (iii) any modification of the Services by any person other than Provider or its authorized agents.
9.3. Obligations. Provider’s indemnifying obligations set forth above are expressly conditioned upon each of the following: (i) Client will promptly notify Provider in writing of any threatened or actual claim; (ii) Provider will have sole control of the defense and settlement, if any, of any claim giving rise to the indemnity obligations herein; provided, however, that no settlement will be binding against Client without Client’s prior written consent; and (iii) Client will cooperate with Provider to facilitate the defense and settlement, if any, of any claim.
9.4. Exclusive Remedy. This Section 9 states the entire liability of Provider and the sole and exclusive remedy of Client and any of its affiliates, officers, directors, and employees for infringement claims and actions related hereto.
10. DISCLAIMER. Client’s use of the Services is entirely at Client’s own risk. Provider is not in the business of providing student counseling, college guidance, or any other professional advisory services. The Services are provided "AS IS" and on an “AS AVAILABLE” basis. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, PROVIDER DISCLAIMS ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS EXPRESS OR IMPLIED, INCLUDING THOSE OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, NON-INFRINGEMENT, OR THE ACCURACY, RELIABILITY, QUALITY OF ANY CONTENT, DATA, OR INFORMATION IN OR LINKED TO THE SERVICE. EACH PARTY DISCLAIMS ALL LIABILITY AND INDEMNIFICATION OBLIGATIONS FOR ANY HARM OR DAMAGES CAUSED BY ANY THIRD-PARTY HOSTING PROVIDERS. PROVIDER DOES NOT WARRANT THAT THE SERVICES WILL BE COMPLETELY SECURE, FREE FROM BUGS, VIRUSES, INTERRUPTION, ERRORS, THEFT OR DESTRUCTION.
11. LIMITATION OF LIABILITY
11.1. Exclusion of Consequential and Related Damages. IN NO EVENT WILL EITHER PARTY OR ITS AFFILIATES HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT FOR ANY LOST PROFITS, REVENUES, GOODWILL, OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER, BUSINESS INTERRUPTION OR PUNITIVE DAMAGES, WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF A PARTY OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF A PARTY’S OR ITS AFFILIATES’ REMEDY OTHERWISE FAILS OF ITS ESSENTIAL PURPOSE. THE FOREGOING DISCLAIMER WILL NOT APPLY TO THE EXTENT PROHIBITED BY LAW.
11.2. Limitation of Liability. IN NO EVENT SHALL THE AGGREGATE LIABILITY OF EACH PARTY, TOGETHER WITH ALL OF ITS AFFILIATES, ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE GREATER OF (A) THE TOTAL AMOUNT PAID BY CLIENT FOR THE SERVICES GIVING RISE TO THE LIABILITY IN THE TWELVE MONTHS PRECEDING THE FIRST INCIDENT OUT OF WHICH THE LIABILITY AROSE, AND (B) FIVE HUNDRED U.S. DOLLARS. THE FOREGOING LIMITATION WILL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, BUT WILL NOT LIMIT CLIENT’S PAYMENT OBLIGATIONS SET FORTH HEREIN.
11.3. Exceptions. EXCLUSIONS AND LIMITATIONS SET FORTH IN THIS SECTION 11 WILL NOT APPLY TO CLAIMS PERTAINING TO PROVIDER’S UNAUTHORIZED DISCLOSURE OF DATA IN VIOLATION OF THE DATA PROCESSING ADDENDUM (APPENDIX A), AND DAMAGES RESULTING FROM A PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT.
12. GENERAL PROVISIONS
12.1. Publicity. Neither party may publicize the relationship created by, or Services provided pursuant to, this Agreement without the other party’s express prior written consent. Notwithstanding the foregoing, Provider hereby grants Client permission to display Provider’s name, Provider’s logo, and links to the Website on Client’s websites and other materials as necessary to promote the Services to Invitees.
12.2. No Agency. For the avoidance of doubt, Provider is entering into this Agreement as principal and not as agent for any other company. Subject to any permitted assignment under Section 12.6, the obligations owed by Provider under this Agreement shall be owed to Client solely by Provider and the obligations owed by Client under this Agreement shall be owed solely to Provider.
12.3. Governing Law. This Agreement shall be interpreted, governed and construed in accordance with the laws of the state where Client is principally located. The parties hereby agree that any dispute may be heard by any state or federal court located within the capital city or principal city of the state.
12.4. Entire Agreement; Amendments. This Agreement, including all subsequent modifications hereto, is the entire agreement between Client and Provider regarding Client’s use of Services and it supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. This Agreement may be amended and the observance of any provision of this Agreement may be waived only with the signed written consent of both parties. Neither failure nor delay on the part of any party in exercising any right, power, or privilege hereunder shall operate as a waiver of such right, nor shall any single or partial exercise of any such right, power, or privilege preclude any further exercise thereof or the exercise of any other right, power, or privilege.
12.5. Supplemental Terms. Client’s use of, and participation in, certain services may be subject to additional terms and such terms will either be listed on the Website or will be presented to Client or Invitees for acceptance prior to use of the supplemental services.
12.6. Assignment. Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the other party’s prior written consent (not to be unreasonably withheld); provided, however, either party may assign this Agreement in its entirety (together with all Order Forms) without the other party’s consent in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. Subject to the foregoing, this Agreement will bind and inure to the benefit of the parties, their respective successors and permitted assigns.
12.7. Relationship of the Parties. Provider is an independent contractor to Client. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties.
12.8. Third-Party Beneficiaries. There are no third-party beneficiaries under this Agreement.
12.9. Waiver. No delay or omission of a party to exercise any right hereunder shall be construed as a waiver of any such right and such party reserves the right to exercise any such right from time to time, as often as may be deemed expedient.
12.10. Severability. Any provision of this Agreement that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions of this Agreement, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. Notwithstanding the foregoing, if such provision could be more narrowly drawn so as not to be prohibited or unenforceable in such jurisdiction while, at the same time, maintaining the intent of the parties, it shall, as to such jurisdiction, be so narrowly drawn without invalidating the remaining provisions of this Agreement or affecting the validity or enforceability of such provision in any other jurisdiction.
12.11. Public Inspection of Agreement. Provider acknowledges and agrees that this Agreement and all related Order Forms and associated documents provided to Client, may be public records subject at all times to public inspection.
12.12. Counterparts. This Agreement may be executed in any number of identical counterparts. If so executed, each of such counterparts shall constitute this Agreement. In proving this Agreement, it shall not be necessary to produce or account for more than one such counterpart. Execution and delivery of this Agreement by electronic format shall constitute valid execution and delivery and shall be effective for all purposes.
APPENDIX A: DATA PRIVACY ADDENDUM
This Data Privacy Addendum (“DPA”) forms a part of and is incorporated into the Client Services Agreement between SCOIR, Inc., as Provider, and Client. All capitalized terms not defined herein shall have the meaning set forth in the Agreement. The parties agree as follows:
ARTICLE I: DEFINITIONS
“Applicable Law” means the federal and state statutes and regulations applicable to Client Data and Student Data including the following, to the extent applicable: Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (“FERPA”); Children’s Online Privacy Protection Act, 15 U.S.C. § 6501-6502 (“COPPA”); Protection of Pupil Rights Amendment, 20 U.S.C. 1232h (“PPRA”); Individuals with Disabilities Education Act, 20 U.S.C. § 1400 et seq. (“IDEA”); and each specifically applicable state regulation, as provided in Exhibit A.
“De-Identified Information” means data from which all Personally Identifiable Information has been removed or obscured in a way that reasonably removes the risk of disclosure of the identity of the individual and information about them (e.g., by blurring, masking, or perturbation). De-identification should ensure that any information when put together cannot reasonably indirectly identify the student, not only from the viewpoint of the public, but also from the vantage of those who are familiar with the individual. Information cannot be de-identified if there are fewer than twenty (20) students in the samples of a particular field or category, e.g., fewer than twenty students in a particular grade or fewer than twenty students of a particular ethnicity.
“Personally Identifiable Information” means any Student Data and metadata obtained by reason of the use of the Services, whether gathered by Provider or provided by Client or its Invitees. Personally Identifiable Information includes, without limitation, indirect identifiers that, either alone or in aggregate, would allow a reasonable person to be able to identify a student to a reasonable certainty. For purposes of this DPA, Personally Identifiable Information shall include the categories of information listed in the definition of Student Data.
“School Official” means, consistent with 34 CFR 99.31(a)(1)(i)(B), a contractor that: (1) performs an institutional service or function for which the agency or institution would otherwise use employees; (2) is under the direct control of the agency or institution with respect to the use and maintenance of education records; and (3) is subject to 34 CFR 99.33 governing the use and re-disclosure of Personally Identifiable Information from student records.
“Student Data” means any Personally Identifiable Information, whether gathered by Provider or provided by Client or its Invitees, that is descriptive of Client’s student Invitees, including, but not limited to, information in the student’s educational record or email, first and last name, home address, telephone number, email address, or other information allowing online contact, discipline records, videos, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security numbers, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents student identifies, search activity, photos, voice recordings or geolocation information. Student Data includes Student Records and Student-Generated Content (to the extent identifiable to a User) for the purposes of this DPA and for the purposes of Applicable Law. De-Identified Information or anonymous usage data regarding a User’s use of the Services shall not be considered Student Data.
“Student-Generated Content” means materials or content created by a student during and for the purpose of education including, but not limited to, essays, research reports, portfolios, creative writing, music or other audio files, photographs, videos, and account information that enables ongoing ownership of student content.
“Student Records” means (1) any information that directly relates to a student that is maintained by Client; and (2) any information acquired directly from a student through the use of instructional software or applications assigned to the student by Client or its Invitees.
“Subprocessor” means a Third Party that Provider uses for data collection, analytics, storage, or other service to operate and/or improve its software, and who has access to Personally Identifiable Information.
“Targeted Advertising” means presenting an advertisement to a student where the selection of the advertisement is based on Student Data or inferred over time from the usage of the Services by such student or the retention of such student’s online activities or requests over time.
“Third Party” means an entity that is not Provider or Client.
ARTICLE II: PURPOSE AND SCOPE
1. Purpose of DPA. The purpose of this DPA is to describe the duties and responsibilities to protect Student Data transmitted to Provider from the Client pursuant to the Agreement, including compliance with Applicable Law. In performing the Services, to the extent Personally Identifiable Information from Student Data is transmitted to Provider from Client, Provider shall be considered a School Official with a legitimate educational interest, and performing services otherwise provided by the Client. Provider shall be under the direct control and supervision of the Client.
2. Nature of Services Provided. Provider has agreed to provide the Services described in the Agreement.
3. Student Data to Be Provided. In order to perform the Services described in this Article and the Agreement, Client or Invitees may provide some or all of the data described in the Schedule of Data, attached hereto as Exhibit B.
4. Governing Terms. In the event of a conflict with the Agreement, the terms and conditions of this DPA shall prevail with regard to the subject matter hereof.
ARTICLE III: DATA OWNERSHIP AND AUTHORIZED ACCESS
1. Student Data Property of Client. All Student Data transmitted to Provider pursuant to this DPA is and will continue to be the property of and under the control of the Client or the party who provided such data (such as the Invitee). Provider further acknowledges and agrees that all copies of such Student Data transmitted to Provider, including any modifications or additions or any portion thereof from any source, are also subject to the provisions of this DPA in the same manner as the original Student Data. The parties agree that as between them, all rights, including all Intellectual Property Rights in and to Student Data contemplated pursuant to this DPA shall remain the exclusive property of the Client. For the purposes of Applicable Law, Provider shall be considered a School Official, under the control and direction of Client as it pertains to the use of Student Data notwithstanding the above. Provider may transfer certain Student Data to a separate account according to the procedures set forth below.
2. Parent Access. Client shall establish reasonable procedures by which a parent, legal guardian, or eligible student may review Student Data maintained by Provider, correct erroneous information, and procedures for the transfer of Student-Generated Content to a personal account, consistent with the functionality of the Services. Provider will cooperate and respond within five (5) days to Client’s request to view or correct Student Data maintained by Provider. In the event that a parent of a student or other individual contacts Provider to review any of the Student Records or Student Data accessed pursuant to the Services, Provider shall refer the parent or individual to the Client, and Client will follow the necessary and proper procedures regarding the requested information.
(a) Parents Bill of Rights. Notwithstanding the foregoing, if Client is a public educational institution located in the State of New York, then the "Parents Bill of Rights for Data Privacy and Security" as published on Client's website, which is hereby incorporated by reference, shall, in the event of conflict, supersede the provisions of Article III, Section 2.
3. Separate Account. Provider shall transfer Student Data transmitted to Provider by a student to a separate User account for each student Invitee upon termination of the Agreement or a student’s earlier graduation from Client; provided, however, that such transfer shall only apply to such Student Data that is severable from the Services.
4. Third Party Request. Should a Third Party, including, but not limited to law enforcement, former employees of the Client, current employees of the Client, and government entities, contact Provider with a request for Student Data held by Provider pursuant to the Services, Provider shall, to the extent permitted by Applicable Law, redirect the Third Party to request the Student Data directly from the Client and shall cooperate with the Client to collect the required information. Provider shall notify the Client in advance of a compelled disclosure to a Third Party, unless legally prohibited. Provider will not disclose, lend, lease, transfer, or sell the Student Data and/or any portion thereof to any Third Party or allow any Third Party to use the Student Data and/or any portion thereof, without the express written consent of the Client or without a court order or lawfully issued subpoena. Student Data shall not include De-Identified Information or anonymous usage data regarding a student’s use of the Services.
5. No Unauthorized Use. Provider shall not use Student Data for any purpose other than as explicitly specified in this DPA.
6. Subprocessors. Provider shall enter into written agreements with all Subprocessors performing functions pursuant to this DPA, whereby the Subprocessors agree to protect Student Data in a manner consistent with the terms of this DPA.
ARTICLE IV: DUTIES OF CLIENT
1. Privacy Compliance. Client shall provide Student Data for the purposes of the DPA in compliance with Applicable Law.
2. Annual Notification of Rights. If Client is subject to FERPA, then Client shall ensure that its annual FERPA notice designates Provider as a “School Official” pursuant to 34 CFR § 99.31(a)(1)(i)(B) and that, in providing the Services, Provider has a "legitimate educational interest" pursuant to 34 CFR § 99.7(a)(3)(iii).
3. Unauthorized Access Notification. Client shall notify Provider promptly of any known or suspected unauthorized access. Client will assist Provider in any efforts by Provider to investigate and respond to any unauthorized access.
ARTICLE V: DUTIES OF PROVIDER
1. Privacy Compliance. Provider shall comply with all Applicable Law with respect to the privacy and security of Student Data and the handling of any breach or unauthorized release of Personally Identifiable Information.
2. Authorized Use. Student Data shared pursuant to this DPA, including persistent unique identifiers, shall be used for no purpose other than the Services stated in this DPA, as authorized by Client, or as authorized by the applicable student or parent. Provider also acknowledges and agrees that it shall not make any re-disclosure of any Student Data or any portion thereof, including without limitation, any meta data, user content or other non-public information and/or Personally Identifiable Information contained in the Student Data, unless the Client has given express written consent, it is De-Identified Information, or this DPA otherwise allows its disclosure.
3. Employee Obligation. Provider shall require all employees and agents who have access to Student Data to comply with all applicable provisions of this DPA with respect to the data shared under this DPA. Provider agrees to require and maintain an appropriate confidentiality agreement from each employee or agent with access to Student Data pursuant to the DPA.
4. No Disclosure. De-Identified Information may be used by Provider for the purposes of development, research, and improvement of educational sites, services, or applications, as any other member of the public or party would be able to use de-identified data pursuant to 34 CFR 99.31(b). Provider agrees not to attempt to re-identify De-Identified Information and not to transfer De-Identified Information to any party unless (a) that party agrees in writing not to attempt re-identification, or (b) prior written notice has been given to the Client who has provided prior written consent for such transfer. Provider shall not copy, reproduce or transmit any data obtained under this DPA and/or any portion thereof, except as necessary to fulfill the DPA.
5. Disposition of Data. Provider shall dispose, delete, or de-identify, in accordance with NIST Special Publication 800-88, all Personally Identifiable Information obtained under the DPA when it is no longer needed for the purpose for which it was obtained. If requested by Client prior to such disposition, Provider shall first transfer a copy of said data to Client, or Client’s designee, according to a schedule and procedure reasonably agreed between the parties. Nothing in the DPA authorizes Provider to maintain Personally Identifiable Information beyond the time period reasonably needed to complete the disposition. Provider shall provide written notification to Client when the data has been disposed of. The duty to dispose of Student Data shall not extend to De-Identified Information or data placed in a separate User account, pursuant to the other terms of the DPA.
6. Advertising Prohibition. Provider is prohibited from using Student Data to (a) inform, influence, or enable Targeted Advertising to students or families/guardians; (b) develop a profile of a student, family member/guardian or group, for any commercial purpose other than providing the Services; or (c) develop commercial products or services unrelated to the Services provided to Client.
ARTICLE VI: DATA PROVISIONS
1. Data Security. Provider agrees to maintain and abide by a comprehensive information security program that includes appropriate administrative, technological, and physical safeguards consistent with industry best practices to protect the security, privacy, confidentiality, and integrity of Student Data. General security duties of Provider are as follows:
(a) Passwords and Employee Access. Provider shall secure usernames, passwords, and any other means of gaining access to the Services or to Student Data, at a level suggested by Draft National Institute of Standards and Technology (“NIST”) Special Publication 800-63-3 Digital Authentication Guideline. Provider shall only provide access to Student Data to employees or contractors that are performing the Services. Employees with access to Student Data shall have signed confidentiality agreements regarding said Student Data. All employees with access to Student Records shall, where permissible by law, be subject to criminal background checks.
(b) Security Protocols. Each party agrees to maintain security protocols that meet industry practices regarding the transfer or transmission of any data, including ensuring that data may only be viewed or accessed by parties legally allowed to do so. Provider shall not copy, reproduce, or transmit data obtained pursuant to the DPA, except as necessary to fulfill the purpose of data requests by Client. The foregoing does not limit the ability of Provider to allow any necessary service providers to view or access data as provided in this Agreement.
(c) Employee Training. Provider shall provide periodic security training to those of its employees who operate or have access to the system. Further, Provider shall provide Client with contact information of an employee who Client may contact if there are any security concerns or questions.
(d) Security Technology. When the Services are accessed using a supported web browser, Secure Socket Layer or equivalent technology shall be employed to protect data from unauthorized access. The Services security measures shall include server authentication and data encryption. All data shall be encrypted in transmission and at rest in accordance with NIST Special Publication 800-57, as amended. Provider shall host all Services data in SOC 2 compliant environments located within the United States of America.
(e) Subprocessors Bound. Provider shall enter into written agreements whereby Subprocessors agree to secure and protect Student Data in a manner consistent with the terms of this Article VI and in accordance with Applicable Law. Provider shall periodically conduct or review compliance monitoring and assessments of Subprocessors to determine their compliance with this Article.
(f) Periodic Risk Assessment. Provider further acknowledges and agrees to conduct periodic risk assessments and remediate any identified security and privacy vulnerabilities in a timely manner.
(g) Backups. Provider agrees to maintain backup copies, backed up at least daily, of Student Data in case of Provider’s system failure or any other unforeseen event resulting in loss of Student Data or any portion thereof.
(h) Audits. Upon receipt of a reasonable request from the Client, Provider will allow the Client to audit, at Client’s expense, the security and privacy measures that are in place to ensure protection of the Student Record or any portion thereof. Provider will cooperate fully with the Client and any local, state, or federal agency with oversight authority/jurisdiction in connection with any audit or investigation of Provider and/or delivery of Services to students and/or Client, and shall provide full access to Provider’s facilities, staff, agents and Client’s Student Data and all records pertaining to Provider, Client and delivery of Services to Provider.
2. Data Breach. In the event that Student Data is accessed or obtained by an unauthorized individual, Provider shall notify Client within a reasonable amount of time of its discovery of the incident, not to exceed forty-eight (48) hours. Provider shall follow the following process:
(a) The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described herein under the following headings: “What Happened,” “What Information Was Involved,” “What Provider Are Doing,” “What Client Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.
(b) The security breach notification described above in section 2(a) shall include, at a minimum, the following information:
(i) The name and contact information of the reporting Client subject to this section.
(ii) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
(iii) If the information is possible to determine at the time the notice is provided, then either (1) the date of the breach, (2) the estimated date of the breach, or (3) the date range within which the breach occurred. The notification shall also include the date of the notice.
(iv) Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.
(v) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
(vi) Information about what Provider has done to protect individuals whose information has been breached.
(vii) Advice on steps that the person whose information has been breached may take to protect himself or herself.
(c) Provider further acknowledges and agrees to have a written incident response plan that reflects best practices and is consistent with industry standards and federal and state law for responding to a data breach, breach of security, privacy incident or unauthorized acquisition or use of Student Data or any portion thereof, including Personally Identifiable Information and agrees to provide Client, upon request, with a copy of said written incident response plan.
(d) Only upon the written request of, and with the assistance of, Client shall Provider notify the affected Invitee of the unauthorized access, which notice shall include the information listed in subsection (b) above.
EXHIBIT A: APPLICABLE STATE LAW
If Client is located in: | the following laws will be included in “Applicable Law”:
Arizona | Ariz. Rev. Stat. § 15-1046
Arkansas | AR Code § 6-18-109, Student Online Personal Information Protection Act (“SOPIPA”)
California | Cal. Ed. Code § 49073.1; Cal. Bus. & Prof. Code § 22584, Student Online Personal Information Protection Act (“SOPIPA”); Cal. Civ. Code § 1798.82
Colorado | C.S.R. §§ 22-16-108 through 22-16-111, Student Data Transparency and Security Act (“SDTSA”)
Connecticut | Conn. Gen. Stat. §§ 10-234aa through 10-234dd
Delaware | Del. Code tit. 14 § 81A, Student Data Privacy Protection Act
District of Columbia | DC Code § 38-831.01 – 38-831.02
Florida | Fla. Stat. § 1001.41; Fla. Stat. § 1002.22
Georgia | GA Code § 20-2-666
Hawaii | HI Rev. Stat. § 302A 499-500, Student Online Personal Information Protection Act (“SOPIPA”)
Idaho | Idaho Code § 33-133
Illinois | 105 Ill. Comp. Stat. § 10, Illinois School Student Records Act (“ISSRA”); 105 Ill. Comp. Stat. § 85, Student Online Personal Protection Act (“SOPPA”)
Iowa | IA Code § 279.70, Student Online Personal Information Protection Act (“SOPIPA”)
Kansas | Kan. Stat. § 72.6331 et. seq., Student Online Personal Protection Act (“SOPPA”)
Kentucky | Ky. Rev Stat § 365.734
Louisiana | La. Rev. Stat. § 17:3914; La. Rev. Stat. § 51:3071 et seq.
Maine | Me. Rev. Stat. tit. 20 § 951 et. seq., the Student Information Privacy Act (“SIPA”)
Maryland | MD Educ. Code § 4-131
Massachusetts | 603 Code Mass. Regs. 23.00, Student Records; Mass. Gen. Laws ch. 71, §§ 34D - 34H
Michigan | Mich. Comp. Laws §§ 388.1291 – 388.1295, Student Online Personal Protection Act (“SOPPA”)
Nebraska | NE Code § 79-2,153 – 79-2,155, Student Online Personal Protection Act (“SOPPA”)
Nevada | NV Rev Stat § 388.281 – 388.296
New Hampshire | NH Rev. Stat. § 189:1-e; NH Rev. Stat. § 189:65 through 189:68-a
New York | N.Y. Ed. Law § 2-d
North Carolina | N.C. Gen. Stat. § 115C-401.2, Student Online Privacy Protection Act (“SOPPA”)
Ohio | Ohio Student Records Privacy Act, R.C. § 3319.321
Oregon | Or. Rev. Stat. § 336.184, Oregon Student Information Protection Act (“OSIPA”); Or. Rev. Stat. § 326.565, et seq.
Rhode Island | R.I. Gen. Laws § 16-104-1
Tennessee | Tenn. Code Ann. § 49-1-708, Student Online Personal Protection Act (“SOPPA”)
Texas | Tex. Ed. Code ch. 32 §§ 151-157
Utah | Utah Code § 53E-9-301 et. seq.
Virginia | Va. Code § 22.1-289.01
Washington | Wash. Rev. Code § 19.255.010; Wash. Rev. Code § 28A.604, Student User Privacy in Education Rights (“SUPER”) Act; Wash. Rev. Code § 42.56.590
Wisconsin | Wis. Stat. § 118.125; Wis. Stat. § 134.98
EXHIBIT B: SCHEDULE OF DATA
Category of Data | Elements | Check ("X") indicates potential use in Services
Application Technology Metadata | IP Addresses, Use of cookies etc. |
Application Technology Metadata | Other application technology metadata: N/A |
Application Use Statistics | Metadata on user interaction with application | X
Assessment | Standardized test scores | X
Assessment | Observation data |
Assessment | Other assessment data: Student Personality & Career Assessments | X
Attendance | Student school (daily) attendance data |
Attendance | Student class attendance data |
Communications | Online communications that are captured (emails, blog entries) | X
Conduct | Conduct or behavioral data |
Demographics | Date of Birth | X
Demographics | Place of Birth |
Demographics | Sex or Gender | X
Demographics | Ethnicity or race | X
Demographics | Language information (native, preferred or primary language spoken by student) |
Demographics | Other demographic information: N/A |
Enrollment | Student school enrollment | X
Enrollment | Student grade level | X
Enrollment | Homeroom | X
Enrollment | Guidance counselor | X
Enrollment | Specific curriculum programs |
Enrollment | Year of graduation | X
Enrollment | Other enrollment information: N/A |
Guardian / Parent Contact Information | Address | X
Guardian / Parent Contact Information | | X
Guardian / Parent Contact Information | Phone | X
Guardian / Parent ID | Parent ID number (created to link parents to students) | X
Guardian / Parent Name | First and/or Last | X
Schedule | Student scheduled courses |
Schedule | Teacher names |
Special Indicator | English language learner information |
Special Indicator | Low income status |
Special Indicator | Medical alerts |
Special Indicator | Student disability information |
Special Indicator | Specialized education services (IEP or 504) |
Special Indicator | Living situations (homeless/foster care) |
Special Indicator | Other indicator information (specify): First Generation College Student | X
Student Contact Information | Address | X
Student Contact Information | | X
Student Contact Information | Phone | X
Student Identifiers | Local (School district) ID number | X
Student Identifiers | State ID number |
Student Identifiers | Vendor/App assigned student ID No. | X
Student Identifiers | Student app username | X
Student Identifiers | Student app passwords |
Student Name | First and/or Last | X
Student In-App Performance | Program/application performance (e.g., typing program-student types 60 wpm, reading program-student reads below grade level) |
Student Program Membership | Academic or extracurricular activities a student may belong to or participate in | X
Student Survey Responses | Student responses to surveys or questionnaires | X
Student work | Student generated content; writing, pictures etc. | X
Student work | Other student work data: N/A |
Transcript | Student course grades | X
Transcript | Student course data | X
Transcript | Student course grades/performance scores | X
Transcript | Other transcript data: N/A |
Transportation | Student bus assignment |
Transportation | Student pick up and/or drop off location |
Transportation | Student bus card ID number |
Transportation | Other transportation data: N/A |