US Student Data Protection Addendum
This U.S. Student Data Protection Addendum ("DPA" or "Addendum") is entered into between the Local Educational Agency using the Replit, Inc. ("Provider") services ("LEA") and Provider (together, the "Parties") on the date on which the LEA first enters into the Replit Terms & Conditions ("Effective Date").
WHEREAS LEA and Provider exchange certain information and Provider may collect certain information on behalf of LEA in furtherance of the Services as defined in the Master Services Agreement (“MSA”) between the Parties and intend for this DPA to apply to all information exchanged or collected for the purpose of such Services, unless otherwise expressly agreed by the Parties in writing in advance;
WHEREAS the Provider and LEA recognize the need to protect personally identifiable student information and other regulated data exchanged between them as required by applicable laws and regulations, such as the Family Educational Rights and Privacy Act (“FERPA”) at 20 U.S.C. § 1232g (34 CFR Part 99), the Children’s Online Privacy Protection Act (“COPPA”) at 15 U.S.C. § 6501-6506 (16 CFR Part 312), and applicable state privacy laws and regulations, including California Assembly Bill 1584 ("AB 1584") and the Student Online Personal Information Protection Act (“SOPIPA”);
WHEREAS, for the purposes of FERPA, Provider shall be considered a School Official, under the control and direction of the LEAs as it pertains to the use of Student Data.
NOW THEREFORE, the Parties agree as follows:
ARTICLE I: DEFINITIONS
All terms not defined herein shall have the meaning defined in applicable law and regulation or the MSA.
For the purposes of this DPA, the following definitions shall apply:
LEA Records shall mean (1) information directly related to and capable of identifying a pupil; and (2) content generated by the pupil; where such information is maintained by the LEA or acquired directly from the pupil through the use of instructional software or applications assigned to the pupil by a teacher or other LEA employees, including records requiring protection subject to FERPA or other records requiring equivalent protection for the data of students and minors, pursuant to applicable laws and regulations. LEA Records continue to be the property of and under the control of LEA. Notwithstanding the foregoing, LEA Records do not include Deidentified Data, as defined below.
Deidentified Data shall mean data that does not identify a specific individual and is not reasonably capable of identifying an individual using reasonable means.
ARTICLE II: DUTIES OF PROVIDER
- Privacy Compliance. With respect to LEA Records, Provider shall comply with all applicable state and federal laws and regulations pertaining to data privacy and security.
- Restrictions on Processing. Provider shall not:
  - collect, retain, use, or disclose LEA Records for any purpose other than for the specific purpose of performing the Services specified in the MSA for Customer, except that Provider may Deidentify LEA Records and shall own such Deidentified Data;
  - engage in targeted advertising or retargeting to students or parents using LEA Records;
  - use LEA Records, including persistent unique identifiers, created or gathered by the service to amass a profile about a student, except in furtherance of school purposes;
  - sell LEA Records;
  - disclose LEA Records, unless required by law; for legitimate research purposes; or as part of the maintenance, development, support, operation, or improvement of Provider’s Services in accordance with applicable law.
- Disposition of Data. Upon termination or completion of the terms of the MSA, Provider shall use reasonable efforts to delete or dispose of LEA Records. The duty to delete or dispose of a pupil’s records does not apply to Deidentified Data.
- Parent and Eligible Student Data Requests.
  - Provider shall provide commercially reasonable assistance to LEA for the fulfillment of LEA’s obligations to respond to parent or eligible student requests regarding LEA Records, including requests related to access, correction, or deletion of such records.
  - In the event that a parent or guardian of a pupil contacts Provider with any such request regarding LEA Records, Provider shall refer the individual to the LEA by email at [LEA Request email] and take no further action. LEA acknowledges that it is responsible for assessing and responding to such requests upon referral by Provider to the email address specified herein. It is LEA’s sole responsibility to maintain and monitor such email address and to notify Provider of any changes to such email address in writing.
- Data Security.
  - Provider shall implement and maintain reasonable and appropriate administrative, physical, and technical security measures appropriate to the nature of the covered information in order to secure data from unauthorized access, destruction, use, modification, or disclosure. Provider will (i) when any LEA Records are under its control, comply with the measures identified below with respect to such records; and (ii) keep documentation of such measures to facilitate audits and, where required, for the preservation of evidence.
  - Such measures shall include:
    - Data Processing Facilities. Provider shall maintain reasonable measures designed to help prevent and detect unauthorized access to the data processing facilities where LEA Records are stored or processed by Provider.
    - Provider Systems. Provider shall maintain reasonable measures designed to help prevent and detect unauthorized access to the Provider systems used to process LEA Records.
    - Access to LEA Records. Provider shall maintain reasonable measures designed to help prevent and detect unauthorized access to or disclosure of LEA Records.
    - Provider Asset Management. Provider shall maintain reasonable measures designed to help ensure reasonable control and configuration of Provider-owned hardware and software assets.
    - Provider Application Software Security. Provider shall maintain reasonable measures designed to help address privacy and security considerations in the development of its code for the Provider platform.
    - Personnel. Provider shall maintain reasonable technical and organizational measures to help ensure its staff are subject to a contractual or statutory obligation of confidentiality and are regularly trained regarding privacy and security.
ARTICLE III: DUTIES OF LEA
- Privacy Compliance. LEA shall provide data for the purposes of the MSA in compliance with all applicable privacy laws, including FERPA, PPRA, and all applicable state student privacy laws. LEA shall not make any request of Provider if complying with such request would be unlawful for either LEA or Provider.
- Annual Notification of Rights. If the LEA has a policy of disclosing education records under FERPA (4 CFR § 99.31 (a) (1)), LEA shall include a specification of criteria for determining who constitutes a school official and what constitutes a legitimate educational interest in its annual notification of rights, sufficient for LEA’s disclosure of such records to Provider in compliance with FERPA and any other applicable law requiring such equivalent notice.
- Reasonable Precautions. LEA shall take reasonable precautions to secure usernames, passwords, and any other means of gaining access to the Services and data hosted by Provider.
ARTICLE IV: SECURITY INCIDENT
In the event either Party identifies or otherwise becomes aware of an actual or reasonably suspected Security Incident (meaning, any unauthorized access, destruction, use, modification, disclosure or acquisition of information requiring confidentiality pursuant to applicable law and/or the MSA), the identifying Party shall report such Security Incident to the other Party without undue delay and shall include written details of such Security Incident, including the type of data affected and the identity of any affected person(s), promptly after such details become known or reasonably available to the identifying Party. Furthermore, in the event of such Security Incident, the identifying Party will: (1) provide timely information and cooperation as the other Party may reasonably require to fulfill its data breach reporting obligations under applicable laws, if any; and (2) take such measures and actions as are appropriate to reasonably remedy or mitigate the effects of such Security Incident. The decision whether to provide notification, public/regulatory communication or press release (each, a “Notification”) concerning any such Security Incident shall be solely at the discretion of the Party whose confidential information may have been affected by such incident, but the content of any Notification that names the other Party or from which the other Party’s identity could reasonably be determined shall be subject to the other Party’s prior approval, which shall not be unreasonably withheld, conditioned or delayed, except as otherwise required by applicable laws, and provided that conditioning of the Notification on the other Party’s approval shall not prevent the identifying Party from complying with applicable laws.