BusRight is committed to your success as a customer, and that is why we do what we do. As such, we pledge the following to you:
Furthermore, we take the following additional precautions:
FURTHER TERMS
1. Definition and Use. BusRight defines “Data” to include all Personally Identifiable Information (PII) and other non-public information. Data include, but are not limited to, student data, metadata, and user content. BusRight will use Data only for the purpose of fulfilling its duties and providing services under this Agreement, and for improving services under this Agreement. BusRight may use de-identified Data for product development, research, or other purposes. De-identified Data will have all direct and indirect personal identifiers removed. This includes, but is not limited to, name, ID numbers, date of birth, demographic information, location information, and school ID. Furthermore, BusRight agrees not to attempt to re-identify de-identified Data and not to transfer de-identified Data to any party unless that party agrees not to attempt re- identification.
2. Privacy Compliance. BusRight complies with all applicable federal, state, and local laws, rules, and regulations pertaining to Student Data privacy and security, all as may be amended from time to time.
3. Authorized Use. The Student Data shared with BusRight, including persistent unique identifiers, shall be used for no purpose other than those stated herein, which are also enumerated in the Master Services Agreement (MSA) and/or otherwise authorized under the statutes referred to in customer DPAs.
4. Provider Employee Obligation. BusRight requires all of its employees and agents who have access to Student Data to comply with all applicable provisions of this DPA with respect to the Student Data shared under the MSA. BusRight shall require and maintain an appropriate confidentiality agreement from each employee or agent with access to Student Data pursuant to the Service Agreement.
5. No Disclosure. BusRight acknowledges and agrees that it shall not make any re-disclosure of any Student Data or any portion thereof, including without limitation, user content or other non-public information and/or personally identifiable information contained in the Student Data other than as directed or permitted by the Local Educational Agency (LEA) or this document, or required by law. This prohibition against disclosure shall not apply to aggregate summaries of De-Identified information, Student Data disclosed pursuant to a lawfully issued subpoena or other legal process, or to subprocessors performing services on behalf of BusRight pursuant to a DPA. BusRight will not Sell Student Data to any third party.
6. De-Identified Data: BusRight agrees not to attempt to re-identify de-identified Student Data. De-Identified Data may be used byBusRight for those purposes allowed under FERPA and the following purposes:
(1) assisting the LEA or other governmental agencies in conducting research and other studies; and
(2) research and development of the BusRight’s educational sites, services, or applications, and to
demonstrate the effectiveness of the Services; and (3) for adaptive learning purpose and for customized student learning. BusRight’s use of De-Identified Data shall survive termination of this DPA or any request by LEA to return or destroy Student Data. Except for Subprocessors, BusRight agrees not to transfer de- identified Student Data to any party unless (a) that party agrees in writing not to attempt re-identification, and (b) prior written notice has been given to the LEA who has provided prior written consent for such transfer. Prior to publishing any document that names the LEA explicitly or indirectly, BusRight shall obtain the LEA’s written approval of the manner in which de-identified data is presented.
7. Disposition of Data. Upon written request from the LEA, BusRight shall dispose of or provide a mechanism for the LEA to transfer Student Data obtained under the Master Service Agreement, within sixty (60) days of the date of said request and according to a schedule and procedure as the Parties may reasonably agree. Upon termination of the purchase agreement, if no written request from the LEA is received, BusRight shall dispose of all Student Data after providing the LEA with reasonable prior notice. The duty to dispose of Student Data shall not extend to Student Data that had been De-Identified or placed in a separate student account pursuant to section II 3.
8. Advertising Limitations. BusRight is prohibited from using, disclosing, or selling Student Data to (a) inform, influence, or enable Targeted Advertising; or (b) develop a profile of a student, family member/guardian or group, for any purpose other than providing the Service to LEA. This section does not prohibit BusRight from using Student Data (i) for adaptive learning or customized student learning (including generating personalized learning recommendations); or (ii) to make product recommendations to users or LEA employees; or (iii) to notify account holders about new education product updates, features, or services or from otherwise using Student Data as permitted in this document.
DATA PROVISIONS
1. Data Storage. Where required by applicable law, Student Data shall be stored within the United States. Upon request of the LEA, BusRight will provide a list of the locations where Student Data is stored.
2. Audits. No more than once a year, or following unauthorized access, upon receipt of a written request from the LEA with at least ten (10) business days’ notice and upon the execution of an appropriate confidentiality agreement, BusRight will allow the LEA to audit the security and privacy measures that are in place to ensure protection of Student Data or any portion thereof as it pertains to the delivery of services to the LEA . BusRight will cooperate reasonably with the LEA and any local, state, or federal agency with oversight authority or jurisdiction in connection with any audit or investigation of the BusRight and/or delivery of Services to students and/or LEA, and shall provide reasonable access to BusRight’s facilities, staff, agents and LEA’s Student Data and all records pertaining to BusRight, LEA and delivery of Services to the LEA.
3. Data Security. BusRight agrees to utilize administrative, physical, and technical safeguards designed to protect Student Data from unauthorized access, disclosure, acquisition, destruction, use, or modification. BusRight shall adhere to all applicable laws relating to data security.
4. Data Breach. In the event of an unauthorized release, disclosure or acquisition of Student Data that compromises the security, confidentiality or integrity of the Student Data maintained by BusRight, BusRight shall provide notification to LEA within seventy-two (72) hours of confirmation of the incident, unless notification within this time limit would disrupt investigation of the incident by law enforcement. In such an event, notification shall be made within a reasonable time after the incident.