YouScience Data Privacy Addendum
This Data Privacy Addendum (“DPA”) is incorporated by reference into the Local Education Agency Subscription Agreement, available at https://www.youscience.com/local-education-agency-subscription-agreement/, as amended from time to time, or other agreement between YouScience, LLC (“YouScience”) and School governing YouScience’s provision, and School’s receipt, of the Services as set forth in Exhibit B (collectively, the “Agreements”).
- DEFINITIONS. For purposes of this DPA, the following terms shall have the meanings ascribed thereto. Capitalized terms which are not defined herein shall have the meanings ascribed to them in the applicable Agreements or under applicable law or regulation, including, without limitation, FERPA. Other capitalized terms used in this DPA are defined in the context in which they are used and shall have the meanings indicated.
1.1. “Biometric Record” as used in the definition of Personally Identifiable Information, means a record of one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual.
1.2. “COPPA” means the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. 6501–6505.
1.3. “Covered Data” shall mean that portion of School Data that constitutes Personally Identifiable Information.
1.4. “Faculty” means School’s administrators, teachers, and counselors who are authorized to access and use the Services.
1.5. “Faculty Personal Account Data” means information, content, or materials created, generated or otherwise provided by Faculty in connection with the Faculty’s personal use of the Services.
1.6. “FERPA” means the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g) and the Family Educational Rights and Privacy Act Regulations (34 CFR Part 99), as amended or otherwise modified from time to time.
1.7. “Minor Student” is a Student under the age of 13.
1.8. “Operational Data” means any School Data, User Data, or any other data necessary to provide the Services that is de-identified, or otherwise anonymized, and aggregated by or on behalf of YouScience in a manner that complies with any requirements under applicable law relating to the nature and effect of such aggregation, de-identification, or anonymization and, in all cases, does not, as applicable, identify the source of such School Data or User Data or any individual to whom such School Data or User Data relates.
1.9. “Personally Identifiable Information” means information that alone or in combination, is linked or linkable to a specific Student, including, without limitation: (i) a Student’s name; (ii) the name of the Student’s parent or other family members; (iii) the address of the Student or the Student’s family; (iv) a personal identifier, such as a Student’s social security number, Student number, or Biometric Record; (v) other indirect identifiers, such as a Student’s date of birth, place of birth, and mother’s maiden name; (vi) other School Data that, alone or in combination, is linked or linkable to a specific Student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the Student with reasonable certainty; or (vii) information requested by a person who School reasonably believes knows the identity of the Student to whom the School Data relates.
1.10. “School Data” means the information, content, or materials created, generated or otherwise provided by School to YouScience through or in connection with School’s use of the Services, which may include, without limitation, the official records, files, and data directly related to a Student maintained by School. For clarity, School Data does not include any User Data or Operational Data.
1.11. “Security Incident” means a violation of YouScience’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data on systems managed or otherwise controlled by YouScience.
1.12. “Subprocessor” means a third party who YouScience engages for data collection, analytics, storage, processing, or other services to operate and/or improve the Services and who has access to Covered Data.
1.13. “Student” means a student enrolled in the schools within School’s school district or other applicable jurisdiction that is authorized to use the Services. With respect to Students that are under the age of 18 (or applicable age of majority) the term “Student” shall also refer to such Student’s parent or legal guardian.
1.14. “Student Generated Content” means information, content, or materials created, generated or otherwise provided by a Student in connection with the Student’s use of the Services, including, but not limited to, assessment answers and results; preferences and communications; resumes, essays, research reports, portfolios; and the Student’s applications to schools, jobs, scholarships, etc.
1.15. “User” means an individual that is authorized to access and use the Services.
1.16. “User Data” means Faculty Personal Account Data and Student Generated Content.
- PURPOSE AND SCOPE
2.1. Purpose of DPA. The purpose of this DPA is to describe the duties and responsibilities to protect School Data, including Covered Data, and User Data, including compliance with all applicable federal, state and local privacy laws, rules and regulations, all as may be amended from time to time.
2.2. School Data and User Data. This DPA covers both School Data provided to YouScience by the School and the User Data provided to YouScience by applicable User. The Schedule of Data set forth in Exhibit C identifies specific data elements and whether the School or the User is the source of such data elements. Without limiting anything set forth herein, School acknowledges and agrees that in the event of any conflict between the specific designation of the source of a specific data element in the Schedule of Data as set forth in Exhibit C below and the generality of such terms in this Agreement, the designation in the Schedule of Data shall control.
- DATA OWNERSHIP AND SECURITY
3.1. School. As between the Parties, School owns all right, title, and interest in and to the School Data, excluding any YouScience Intellectual Property incorporated in or applied to the School Data through or in connection with the operation of the Services.
3.3. Minor Students. The parent or legal guardian of a Minor Student shall own all Student Generated Content of Minor Students.
3.4. YouScience. As between the Parties, YouScience owns all right, title, and interest in and to the Operational Data. YouScience does not acquire any rights, express or implied, in the School Data, other than those specified in this Agreement.
- DATA SECURITY AND USE
4.1. Data Security. YouScience agrees to utilize administrative, physical, and technical safeguards designed to protect Student Data and User Data from unauthorized access, disclosure, acquisition, destruction, use, or modification.
4.2. Processing School Data. In connection with its performance of the Services, YouScience will receive or collect the categories of School Data as described in the Schedule of Data set forth in Exhibit C. The Parties acknowledge that: (i) School Data may include Personally Identifiable Information from education records that are subject to FERPA (“FERPA Records”); and (ii) to the extent that School Data includes FERPA Records, YouScience will be considered a “school official” with “legitimate educational interests” (as such terms are used in FERPA and its implementing regulations) with respect to such FERPA Records and will comply with YouScience’s obligations under FERPA.
4.3. Processing Data of Minor Students. Where YouScience receives or collects data created, generated or otherwise provided by a Minor Student in connection with the Minor Student’s use of the Services, pursuant to COPPA the School shall stand in the place of the Minor Student’s parent for purposes of consenting to the collection and use of Minor Student data. Notwithstanding the foregoing, the parent or legal guardian of the Minor Student shall have the right and opportunity to review and delete the Minor Student’s Student Generated Content. Any use or disclosure of Student Generated Content of a Minor Student shall require the express written consent of the parent or legal guardian.
4.4. Permitted Use of School Data. School acknowledges and agrees that YouScience shall have the right to: (i) access School Data to administer, operate, and configure the Services; and (ii) reproduce, translate, encode, publish, use, and distribute School Data to the extent necessary to provide and operate the Services and as otherwise described in this Agreement, or the Service Schedule set forth in Exhibit B and the Documentation.
4.5. Non-Infringement. Without limiting anything set forth in the Agreements, School represents and warrants to YouScience that: (i) School has all necessary rights in and to any and all School Data provided to YouScience in connection with the Agreements; (ii) School Data shall not infringe any third party’s Intellectual Property rights; and (iii) School Data does not contain, promote, or link to material that is pornographic, defamatory, offensive, harassing, malicious, illegal, or otherwise objectionable.
- YOUSCIENCE DUTIES
5.1. Privacy Compliance. With respect to School Data and User Data, YouScience shall comply with all applicable state and federal laws and regulations pertaining to data privacy and security, including without limitation FERPA and COPPA.
5.2. Restrictions on Processing. Except to provide the Services to the School and Students, YouScience shall not:
(a) collect, retain, use, or disclose School Data for any purpose other than the specific purpose of performing the Services specified in the Agreements, provided that YouScience may create Operational Data from the School Data and shall own any such Operational Data;
(b) use any School Data to engage in targeted advertising or retargeting Students;
(c) use School Data, including persistent unique identifiers, created or gathered by or through the Services to amass a profile about a Student;
(d) sell School Data; or
(e) disclose School Data, unless required by law, for legitimate research purposes, or as part of the maintenance, development, support, operation, or improvement of the Services in accordance with applicable law.
For clarity, the foregoing shall not prohibit YouScience from using School Data for adaptive learning or customized student learning purposes, to provide the Services to Users, or as otherwise detailed in the Documentation, the Agreements, and this DPA.
5.3. Deletion and De-identification of Data.
(a) YouScience will permanently delete or de-identify all School Data in YouScience’s possession or under its reasonable control within six (6) months after the conclusion of the Term of the Agreements or at any time upon the School’s request, unless prohibited from doing so by applicable law or court order. YouScience will delete backups of School Data in the normal course of business and as prescribed by YouScience’s data retention policies.
(b) YouScience will permanently delete or de-identify all User Data in YouScience’s possession or under its reasonable control at the termination of the User’s license or at the User’s earlier request.
5.4. Data Requests.
(b) Except as otherwise provided herein, should a third party, excluding a Subprocessor, including, but not limited to, law enforcement or other government entities (a “Requesting Party”) contact YouScience with a request for Covered Data, YouScience shall advise the Requesting Party to request the Covered Data directly from School and shall not provide the requested Covered Data to the Requesting Party, unless and to the extent that YouScience reasonably believes it is compelled to grant such access to the Requesting Party because the disclosure is necessary: (i) pursuant to a court order or legal process; (ii) to comply with statutes or regulations; (iii) to enforce the Agreements; or (iv) to protect the rights, property, or personal safety of YouScience’s users, employees or others. YouScience shall notify School in advance of a compelled disclosure to a Requesting Party, unless lawfully directed by the Requesting Party not to inform School of the request or as otherwise prohibited under applicable laws.
5.5. Data Security. YouScience agrees to utilize administrative, physical, and technical safeguards designed to protect School Data and User Data from unauthorized access, disclosure, acquisition, destruction, use, or modification. Without limiting the generality of the foregoing, YouScience shall implement an adequate Cybersecurity Framework based on one of the nationally recognized standards as set forth in Exhibit A, attached hereto and incorporated herein by reference.
5.6. Data Storage.
(a) School Data shall be stored within the United States. Upon School’s request, YouScience will provide a list of the locations where School Data is stored.
(b) YouScience shall only retain School Data as long as necessary to provide the Services or otherwise comply with its obligations under the Agreements or those arising under applicable laws.
(a) School acknowledges and agrees that YouScience may engage Subprocessors to assist in its performance of the Services. Where YouScience engages any such Subprocessor, YouScience will impose data protection terms on such Subprocessor that provide the same level of protection for Covered Data as those specified in this DPA, to the extent applicable to the nature of the services provided by such Subprocessor. YouScience will remain responsible for all obligations assigned to, and all acts and omissions, of each Subprocessor with respect to each such Subprocessor’s processing of Covered Data.
(b) Upon School’s reasonable written request, YouScience will provide relevant information to School about any Subprocessor engaged by YouScience concerning each such Subprocessor’s processing of Covered Data.
- SCHOOL DUTIES
6.1. Compliance with Applicable Laws. With respect to School Data, School shall comply with all applicable state and federal laws and regulations pertaining to data privacy and security. Without limiting the foregoing, School represents, warrants, and covenants to YouScience, as applicable, that School has:
(a) complied with the Directory Information exemption under FERPA, including, without limitation, informing Students what information School deems to be Directory Information and that such Directory Information may be disclosed, and allowing Students a reasonable amount of time to request School not disclose Directory Information about such Student, and, if applicable, School shall not provide YouScience any Directory Information for any Student that has opted out of the disclosure of such Student’s Directory Information;
(b) complied with the School Official exemption under FERPA, including, without limitation, in School’s annual notification of FERPA rights, defining “school official” to include Subprocessors and defining “legitimate educational interest” to include services such as the type provided by YouScience; and
(c) obtained all necessary Student written consent to share Covered Data with YouScience to enable YouScience to provide the Services.
6.2. Reasonable Security. School shall employ administrative, physical and technical safeguards consistent with industry standards designed to protect usernames, passwords, and any other means of gaining access to the Services and/or hosted data from unauthorized access, disclosure, or acquisition by an unauthorized person.
6.3. Covered Data Provided. Without limiting anything set forth in the Agreements, except as otherwise agreed by the Parties, School will only provide YouScience the Covered Data specifically identified in the Schedule of Data set forth in Exhibit C, and will do so only to the extent necessary for the purposes described in the Service Schedule set forth in Exhibit B.
7.1. Security Documentation. Upon School’s written request at reasonable intervals, but no more frequently than annually, and subject to the confidentiality obligations set forth in the Agreements, YouScience will make available to School a copy or summary of YouScience’s applicable security documents, which may include, based on the Services provided to the School, YouScience’s most recent third party audits or certifications; provided, however, that such security documents, including, without limitation, any audits, certifications, and the results therefrom, and the documents reflecting the outcome of the audit and/or certifications contained therein, shall (i) be used by School only to assess whether YouScience’s security and privacy measures ensure Covered Data and User Data is protected as it pertains to YouScience’s performance of the Services; and (ii) not be used for any other purpose or disclosed to any third party without YouScience’s prior written approval. Subject to the express requirements under applicable laws to the contrary, upon YouScience’s request, School shall return to YouScience, or permanently delete all such security documentation.
7.2. Right to Audit. Solely as required by applicable law or regulation, YouScience will allow School to conduct audits (including inspections of facilities under our control or as required by law), no more frequently than annually or following a verified Security Incident, to verify YouScience has appropriate security and privacy measures in place to ensure Covered Data and User Data is protected as it pertains to YouScience’s performance of the Services under the Agreements (“School Audit”); provided, however, any such School Audit, including, without limitation, any observations, conclusions, or other results of any such School Audit and any documents reflecting the foregoing (collectively, “School Audit Results”), shall: (i) be used by School only to assess whether YouScience’s security and privacy measures ensure Covered Data and User Data is protected as it pertains to YouScience’s performance of the Services; and (ii) not be used for any other purpose or disclosed to any third party without YouScience’s prior written approval. Subject to the express requirements under applicable laws to the contrary, upon YouScience’s request, School shall return to YouScience, or permanently delete all such School Audit Results in School’s possession or under its control. We may use Subprocessors to store Covered Data and User Data and, thus, such data may be stored at the Subprocessor’s facilities. We may not be able to allow you to inspect the Subprocessor’s facilities. If that is the case, we will provide you the relevant documentation we receive from that Subprocessor regarding the Subprocessor’s security and privacy measures.
7.3. Audit Process. School must send any requests to conduct a School Audit to firstname.lastname@example.org. All costs and expenses related to any audit shall be borne by School. Following YouScience’s receipt of such request, YouScience and School will discuss and agree in advance on the reasonable start date and duration of such School Audit and the scope of YouScience’s security and privacy measures in scope for such School Audit. Notwithstanding the foregoing, unless otherwise agreed by YouScience in writing, any School Audit: (i) shall only occur during YouScience’s normal business hours; (ii) shall be conducted in a manner that minimizes any disruptions to YouScience’s business operations; and (iii) shall be subject to all confidentiality obligations set forth in the Agreements and security measures in effect at YouScience’s applicable business office(s) and data center(s).
7.4. Objection to Auditor. YouScience may object in writing to any auditor appointed by School to conduct any School Audit under this Section 7 if the auditor is, in YouScience’s reasonable opinion, not suitably qualified or independent, a competitor of YouScience, or otherwise manifestly unsuitable. Any such objection by YouScience will require School to appoint another auditor or conduct the School Audit itself.
- SECURITY INCIDENT
8.1. Notice. In the event of a Security Incident, YouScience will notify School promptly and without undue delay (not to exceed forty-eight (48) hours) after YouScience discovers such Security Incident. Such notification of a Security Incident will be delivered to the notice address for School pursuant to the Agreements, or, at YouScience’s discretion, by telephone or other direct communication. Such notification shall include, to the extent known or reasonably available to YouScience, a description of the Security Incident, the Covered Data affected, the identity of affected Students, and other information concerning the Security Incident as required by applicable law. During the Term of the Agreements, YouScience will also promptly notify School if User Data was affected by a Security Incident, unless prohibited from doing so by law.
8.2. Assistance. YouScience will provide reasonable assistance to School to investigate, remediate, and mitigate the effects of a Security Incident and comply with any requirements to notify affected Students, applicable government or law enforcement agencies, and other third parties, all as and to the extent required under applicable laws.
- ADDITIONAL TERMS
9.1. Liability and Indemnification. With respect to any claim, loss, or liability based upon, arising out of, resulting from, or in any way connected with YouScience’s performance or breach of this DPA: (i) YouScience shall only be obligated to indemnify, defend, and hold School harmless to the extent such obligation exists pursuant to YouScience’s indemnification, defense, and hold harmless obligations set forth in the applicable Agreements (if any); and (ii) YouScience’s total liability to School is limited in accordance with the applicable limitations of liability set forth in the applicable Agreements.
9.2. Term. This DPA shall be effective for the Term of Agreements. The provisions of this DPA which by their nature are intended to survive the expiration or earlier termination of this DPA shall continue as valid and enforceable obligations of the Parties notwithstanding any such termination or expiration. Without limitation, the provisions regarding confidentiality, compliance with applicable laws, and restrictions on the processing of Covered Data shall survive the expiration or earlier termination of this DPA.
9.3. Relationship to Agreements. This DPA shall be governed by and construed in accordance with the terms set forth in the applicable Agreements as if fully set forth herein. Without limiting anything set forth herein, the Parties acknowledge and agree that they have taken all actions (if any) required under such Agreements to incorporate this DPA therein. Any dispute arising out of this DPA shall be resolved as set out in the applicable Agreements. The requirements set forth in this DPA are in addition to, and not in lieu of, any similar requirements set forth in the applicable Agreements. Notwithstanding anything to the contrary in the applicable Agreements, to the extent of any conflict or inconsistency between the terms of this DPA and such Agreements, this DPA shall control. Except as set forth in this DPA, the Agreements remain in full force and effect, as amended, and are hereby ratified and confirmed in all respects.
9.4. Invalidity. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either: (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as completely as possible; or (ii) if (i) is not possible, construed in a manner as if the invalid or unenforceable part had never been contained in this DPA.
9.5. Amendments. YouScience may update or modify this DPA from time to time by, without limitation, posting a revised version of this DPA on YouScience’s website and publishing a general notice of such changes via the YouScience website or, as applicable and feasible, through the Services. Subject to compliance with applicable laws, School’s access to or use of the Services after receiving notice of changes to this DPA, whether by general notice or direct notice provided by YouScience to School, shall constitute School’s acceptance of such updates or modifications.
DATA SECURITY FRAMEWORKS
The Education Security and Privacy Exchange works in partnership with the Student Data Privacy Consortium and industry leaders to maintain a list of known and credible cybersecurity frameworks which can protect digital learning ecosystems chosen based on a set of guiding cybersecurity principles (“Cybersecurity Frameworks”). In connection therewith, YouScience may utilize one or more of the below Cybersecurity Frameworks in accordance with its applicable obligations under the DPA. YouScience currently utilizes NIST SP 800-53, Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (CSF), Special Publication 800-171, but reserves the right to utilize one of the other frameworks below at its sole discretion.
| MAINTAINING ORGANIZATION OR GROUP | FRAMEWORK(S) |
|---|---|
| National Institute of Standards and Technology | NIST Cybersecurity Framework Version 1.1 |
| National Institute of Standards and Technology | NIST SP 800-53, Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (CSF), Special Publication 800-171 |
| International Standards Organization | Information technology – Security techniques – Information security management systems (ISO 27000 series) |
| Secure Controls Framework Council, LLC | Security Controls Framework (SCF) |
| Center for Internet Security | CIS Critical Security Controls (CSC, CIS Top 20) |
| Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) | Cybersecurity Maturity Model Certification (CMMC, -FAR/DFAR) |
SCHEDULE OF DATA