Universal Data Sharing Agreement

This data sharing agreement was last modified on August 23, 2018.

These data privacy and usage terms (the “Universal Data Sharing Agreement”) apply to all: (i) schools, school districts, and related organizations (collectively, the “School”) that use the Clever Platform (as defined below) to procure the rights to use the education related applications and services provided by Developers (the “Developer Product(s)”); and (ii) providers of Developer Products (each a “Developer”).

The purpose of this Universal Data Sharing Agreement is to describe the duties and responsibilities to protect Student Data (as defined below) transmitted by School to Developer pursuant to the Agreement (as defined below), including compliance with Privacy Laws (as defined below).

PLEASE READ THE FOLLOWING TERMS AND CONDITIONS CAREFULLY, AS THEY CONSTITUTE A LEGAL AGREEMENT BETWEEN SCHOOL AND DEVELOPER. School and the Developer are collectively the parties to this Universal Data Sharing Agreement (the “Parties”). School and Developer each acknowledge and agree that Clever, Inc. (“Clever”) is not a party to the Agreement and will have no liability to any party hereunder.

If you are procuring or providing Developer Products via the Clever Platform on behalf of a company, entity, or organization then you represent and warrant that you are an authorized representative of School procuring, or Developer providing, the Developer Products with the authority to bind such organization to these terms, and that you agree to these terms on behalf of such organization.

For Schools: By checking the box marked [“I Agree”] (or, during the procurement of a Developer Product on the Clever Platform, School otherwise affirmatively states the desire to procure the Developer Product), School signifies that it has read, understood, and agrees to be bound by this Universal Data Sharing Agreement, otherwise School may not use the Developer Product.

For Developers: By signing and agreeing to the Developer Addendum for the Clever Universal Data Sharing Agreement, Developer signifies that it has read, understood, and agrees to be bound by this Universal Data Sharing Agreement with each School that utilizes the Clever Platform to procure a Developer Product(s), otherwise Developer may not make its Developer Product(s) available on the Clever Platform.

This Universal Data Sharing Agreement is hereby attached to and incorporated into the Developer Terms that were entered into between School and Developer when School checked the box marked [“I Agree”] to affirm acceptance of the Developer Terms or by any other agreement between the Parties for the provision of the Developer Product (the “Developer Terms”). The Developer Terms, this Universal Data Sharing Agreement and any other agreement between the Parties for the provision of the Developer Product are collectively referred to hereinafter as the “Agreement.” Clever will notify the Parties via email in advance of any material changes to this Universal Data Sharing Agreement. Upon making changes, Clever will update the “Last Modified Date” found at the top of this page. For School, continued use of the Developer Product, and for Developer, continued provision of the Developer Product via the Clever Platform, after any changes constitutes acceptance of the new terms.

1. DEFINITIONS

The capitalized defined terms used in this Universal Data Sharing Agreement will have the meanings set forth in this Section 1 and as otherwise defined herein.

1.1 “Clever Platform” means either: (i) the “Clever Platform” as defined in the Clever Developer Agreement by and between Clever and Developer, or (ii) the “Services” as defined in the Clever Services Agreement located at https://clever.com/about/terms by and between Clever and School or Developer; depending on which agreement is applicable.

1.2 “De-identified Data” means the Student Data from which all Personally Identifiable Information, including direct and indirect identifiers, has been permanently removed or obscured so the remaining information does not reasonably identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual.

1.3 “Personally Identifiable Information” means any information and metadata that, alone or in combination, is linked or linkable to a specific student so as to allow a reasonable person in the school community who does not have knowledge of the relevant circumstances, to identify the student with reasonable certainty. Personally identifiable information will include, but is not limited to, at least the following: first and last name, the name of the student’s parent or family member, telephone number, student identifiers, photos, videos, home address, email address, social security numbers, financial account numbers, biometric identifiers, as well as other indirect identifiers such as the student’s date of birth or gender.

1.4 “Privacy Laws” means all federal statutes that govern the privacy of student information, including: the Federal Family Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. § 1232(g); Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. 6501-6502; Protection of Pupil Rights Amendment (“PPRA”), 20 U.S.C. 1232; and applicable State laws governing the protection of Personally Identifiable Information from students’ educational records.

1.5 “Student Data” means any data, whether gathered by Developer or provided by School or its users, students, or students’ parents/guardians, that is Personally Identifiable Information or descriptive of the student including, but not limited to, information that allows physical or online contact, grades, evaluations, disabilities, socioeconomic information, food purchases, voice recordings, or geolocation information. To the extent that U.S. law applies, Student Data may include “educational records” as defined in FERPA (20 U.S.C. § 1232(g)). Student Data will not include De-identified Data.

2. DATA OWNERSHIP AND AUTHORIZED ACCESS

2.1 Ownership and Control. Developer will access and process Student Data for the purposes of providing an outsourced institutional function pursuant to FERPA 34 CFR Part 99.31(a)(1). In providing the Developer Product, Developer will be considered a School Official with a legitimate educational interest in the Student Data, under the direction and control of School as it pertains to the use of Student Data. As between Developer and School, School owns all right, title, and interest to all Student Data processed by Developer pursuant to the Agreement, and Developer does not own, control, or license such Student Data, except so as to provide the Developer Product and as described in the Agreement.

2.2 Clever and Developer’s Access. Pursuant to a separate agreement between School and Clever, Inc. (“Clever”), School has authorized Clever to access and facilitate a reasonable method via the Clever Platform for Developer to access Student Data.

2.3 Consents and Authority. School represents and warrants that: (i) School has the authority to provide Student Data to Developer, and to allow Developer to access, collect, process, and otherwise use Student Data as set forth in the Agreement and for the purpose of providing the Developer Product, and (ii) School has provided appropriate disclosures to, and received appropriate consents from, School’s end users regarding School’s sharing of Student Data with Developer and/or Developer’s access, collection, processing, and other use of the Student Data as set forth in the Agreement, to the extent such disclosures or consents are required by applicable law or by School’s agreements.

2.4 Parent Access. School will establish reasonable procedures: (i) by which a parent, legal guardian or eligible student may review Personally Identifiable Information in the student’s educational records and/or correct erroneous information. Developer will respond in a timely manner to School’s request to access Personally Identifiable Information held by Developer to access or correct, as necessary. If a parent or guardian of a student or other individual contacts Developer to access or correct any of the Student Data held by Developer, then Developer will refer the parent or individual to School, who will follow the necessary and proper procedures regarding the requested information.

2.5 Third-Party Service Provider Access. School acknowledges and agrees that Developer may permit its employees, subcontractors, service providers and agents to access Student Data provided that they have a legitimate need to access such information in connection with their responsibilities in providing services to Developer. Developer will require all subcontractors, service providers, or agents involved in the handling, transmittal, and processing of Student Data to enter into written agreements to protect Student Data in a manner no less stringent than the terms of this Universal Data Sharing Agreement. Developer will maintain access log(s) that record all disclosures of or third-party access to Personally Identifiable Information contained in Student Data within its possession and will provide copies of such access log(s) to School upon request.

2.6 Third-Party Requests for Access. Should a third party, including law enforcement and government entities, contact Developer with a request to access data held by Developer as part of its provision of the Developer Product, Developer will redirect the third party to request the data directly from School, unless and to the extent that Developer reasonably believes it must grant such access to the third party because the data disclosure is necessary: (i) pursuant to a court order or legal process, (ii) to comply with statutes or regulations, (iii) to enforce the Developer Terms, Developer’s Terms of Service and the Agreement, or (iv) if Developer believes in good faith that such disclosure is necessary to protect the rights, property or safety of Developer’s users, employees or others. Developer will notify the School in advance of a compelled disclosure to a third party unless legally prohibited.

3. DUTIES OF DISTRICT

3.1 School Compliance with Privacy Laws. With regard to data that School permits Developer to collect or access pursuant to the Agreement, School agrees to uphold its responsibilities under laws governing the privacy of Student Data, including the Privacy Laws and to grant Developer access to such data only to the extent permitted by the Privacy Laws. School acknowledges and agrees that, to the extent applicable, School as an educational institution provides consent for Developer to collect Student Data directly from students under 13, as permitted by COPPA.

3.2 License Grant. School expressly grants, and represents and warrants that School has all rights necessary to grant, to Developer a non-exclusive, royalty-free, worldwide license during the term of the Agreement to use, transmit, distribute, modify, reproduce, display, and store the Student Data solely for the purposes of providing the Developer Product as contemplated by the Agreement, and as otherwise described herein. In order for Developer to provide the Developer Products to School, School acknowledges and agrees that Developer will utilize the categories of Student Data set forth on Developer’s product page on the Clever Platform.

3.3 Reasonable Security Precautions and Notice. School will take reasonable precautions to secure usernames, passwords and any other means of gaining access to the Developer Product and to data shared pursuant to the Agreement. School will notify Developer promptly of any known or suspected unauthorized access to School’s account and/or to Developer’s systems. School will assist Developer in any efforts by Developer to investigate and respond to any incident involving unauthorized access to the systems.

3.4 School Representative. At Developer request, School will designate an employee or agent of School as the School representative for the coordination and fulfillment of the duties of this Universal Data Sharing Agreement.

4. DUTIES OF DEVELOPER

4.1 Developer Compliance with Privacy Laws. With regard to Student Data that School permits Developer to collect or access pursuant to the Agreement, Developer agrees to uphold its responsibilities, and to support School in upholding School’s responsibilities, under the Privacy Laws.

4.2 Permitted Use of Student Data. Developer may use, transmit, distribute, modify, reproduce, display, and store the Student Data shared pursuant to the Agreement solely for the purposes of: (i) providing the Developer Product as contemplated by the Agreement, and as otherwise described herein, (ii) maintaining, supporting, evaluating, diagnosing, improving and developing the Developer’s website, Developer Product and applications, (iii) enforcing its rights under the Agreement, and (iv) as otherwise authorized under the applicable Privacy Laws. For clarity and without limitation, Developer may use Student Data for adaptive learning purposes or customized student learning and to provide recommendation engines to recommend content or services relating to school purposes or other educational or employment purposes, provided such recommendation is not determined in whole or in part by payment or other consideration from a third party.

4.3 Restrictions on Disclosure of Student Data. Developer will not sell, disclose, transfer, share or rent any data obtained under the Agreement in a manner that could identify an individual student to any entity other than the School except: (i) to the extent set forth in the Agreement, (ii) as directed by School, or (iii) as otherwise described in Section 3.

4.4 Restrictions on Use of Student Data for Advertising. Developer is prohibited from using Student Data to: (i) advertise or market to students or to direct targeted online advertising to students, (ii) advertise or market educational products and services to parents/guardians, unless with consent of the parent/guardian and/or School, (iii) develop a profile of a student, parent/guardian or group, other than for the purpose of providing educational services or as authorized by School or by a parent/guardian, or (iv) for any other commercial purpose unless authorized by School or permitted by applicable law. Notwithstanding the foregoing, nothing in this section shall be read to prohibit Developer from: (a) directing online advertising to a student or family/guardian based on the student’s current visit to that online location, provided that the student’s online activities are not collected over time for the purpose of delivering such advertisements, (b) marketing educational products and services directly to parents, guardians or School’s employees so long as the marketing does not result from the use of Student Data obtained by Developer from providing the Developer Product, (c) using Student Data to recommend educational products or services to parents/guardians and School’s employees so long as the recommendations are not based in whole or in part by payment or other consideration from a third party, (d) using Student Data with parent/guardian consent to direct advertising to students to identify higher education or scholarship providers that are seeking students who meet specific criteria, or (e) using aggregate information to inform, influence or enable marketing, advertising, or other commercial efforts by Developer.

4.5 Permitted Use of De-identified Data. Notwithstanding anything to the contrary herein, Developer may use and disclose De-identified Data for the purposes of the development and improvement of educational sites, services, applications, or to demonstrate the effectiveness of Developer’s products or services.

4.6 Student Data Deletion or Disposition. School may request in writing that Developer delete or retrieve Student Data in Developer’s possession at any time, which request Developer will then comply within a commercially reasonable period of time not to exceed 30 days. Developer will continue to maintain a copy of Student Data subject to a retrieval request unless and until Developer receives a deletion request. Upon termination of the Agreement, Developer will automatically delete or destroy all Student Data in its possession within 60 days of the end of the term of the Agreement, except to the extent School submits a data retrieval and transfer request and the Parties transfer and delete Student Data according to a schedule and procedures as the Parties may reasonably agree upon. Developer is not authorized to maintain Student Data beyond the time reasonably needed to complete the disposition. The duty to dispose of Student Data will not extend to De-identified Data or data that has been placed in a student’s personal account pursuant to the terms of the Agreement.

4.7 Transfer to a Personal Account. Notwithstanding anything to the contrary in the foregoing, nothing will impede Developer’s ability to allow students to download, export, transfer, or otherwise save or maintain their own student data, student-created content and documents, consistent with the functionality of the Developer Product.

4.8 Change of Control. In the event Developer sells, divests, or transfers all or a portion of its business assets to a third party, Developer may transfer Student Data to the new owner provided that (i) the new corporate owner intends to maintain and provide the Developer Product as a going concern and the new owner has agreed to data privacy standards no less stringent than those provided herein, or (ii) Developer will give notice to School and an opportunity to opt out of the transfer of Student Data.

5. DATA SECURITY AND DATA BREACH

5.1 Data Security. Developer will implement commercially reasonable administrative, physical and technical safeguards designed to secure Student Data from unauthorized access, disclosure, or use, which could include data encryption, firewalls, physical access controls to buildings and files, and, when the Developer Product is accessed using a supported web browser, Secure Socket Layer or equivalent technology will be employed. Developer will provide data privacy and security training to employees who have access to Student Data or who operate or have access to system controls, and will require employees to adhere to data confidentiality terms providing for the protection of Student Data in a manner consistent with the terms of this Universal Data Sharing Agreement. Access to Student Data and Developer’s systems will be limited to only those employees and trusted third parties that have a need-to-know basis based on specific job function or role.

5.2 Data Security Incident. If Developer has reason to believe that Student Data is disclosed to or acquired by an unauthorized individual(s) (a “Security Incident”), then Developer will fully investigate the incident and to take reasonable steps to remediate systems and controls and to mitigate any potential harm to individuals which may result from the Security Incident and cooperate with School’s investigation of the Security Incident.

5.2.1 Notification to School. Developer will promptly notify School after Developer determines that School’s Personally Identifiable Information was affected by the Security Incident, and, to the extent known, identify: (i) the nature of the Security Incident, (ii) the steps Developer has executed to investigate the Security Incident, (iii) the types of personal information which was subject to the unauthorized disclosure or acquisition, (iv) the cause of the Security Incident, if known, (v) the actions Developer has done or will do to remediate any deleterious effect of the Security Incident, and (vi) the corrective action Developer has taken or will take to prevent a future Security Incident.

5.2.2 Notification to Individuals. To the extent School determines that the Security Incident triggers third party notice requirements under applicable laws, as the owner of the Student Data, the School shall be responsible for the timing and content of the notices to be sent. Except as otherwise required by law, Developer will not provide notice of the Security Incident directly to individuals whose personal information was affected, to regulatory agencies, or to other entities, without first providing written notice to School. Developer will be responsible for, and will bear, all notification related costs arising out of or in connection with the Security Incident, subject to any limitations of liability terms contained in the Agreement. For clarity and without limitation, Developer will not be responsible for costs associated with voluntary notification which is not legally required. With respect to any Security Incident which is not due to acts or omissions of Developer or its agents, Developer will reasonably cooperate in performing the activities described above, as School requests, at School’s reasonable expense.

6. MISCELLANEOUS

6.1 Term. The Parties will be bound by the provisions of this Universal Data Sharing Agreement for the duration of the Agreement or so long as the Developer maintains Student Data.

6.2 Limitation of Liability. Unless otherwise agreed upon by the Parties in writing, the limitation of liability provision set forth in the Developer Terms or any other agreement between the Parties will govern this Universal Data Sharing Agreement.

6.3 Priority of Agreements. This Universal Data Sharing Agreement will govern the treatment of Student Data in order to comply with Privacy Laws. In the event there is conflict between the terms of this Universal Data Sharing Agreement and the Developer Terms or other document, bid, RFP, or writing, the terms of this Universal Data Sharing Agreement will govern and take precedence to the extent of the conflict. Except as described in this paragraph herein, all other provisions of the Agreement will remain in effect including provisions establishing governing law and venue in the Developer Terms or any other agreement between the Parties, which the Parties mutually agree will take precedence over the Developer Terms.

6.4 Severability. Any provision of this Universal Data Sharing Agreement that is prohibited or unenforceable in any jurisdiction will, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions of this Universal Data Sharing Agreement, and any such prohibition or unenforceability in any jurisdiction will not invalidate or render unenforceable such provision in any other jurisdiction. Notwithstanding the foregoing, if such provision could be more narrowly drawn so as not to be prohibited or unenforceable in such jurisdiction while, at the same time, maintaining the intent of the parties, it will, as to such jurisdiction, be so narrowly drawn without invalidating the remaining provisions of this Universal Data Sharing Agreement or affecting the validity or enforceability of such provision in any other jurisdiction.