Data Privacy Addendum

1. PURPOSE AND SCOPE

1.1 Purpose of Data Privacy Addendum

Purpose of Data Privacy Addendum. The purpose of this Data Privacy Addendum is to describe the duties and responsibilities to protect Student Data transmitted to Gradient Learning from the Partner School and its Users pursuant to the Agreement, including compliance with all applicable federal and state privacy statutes. This Data Privacy Addendum, together with the Summit Learning Platform Partner School Terms of Service (“Terms of Service”) and the Summit Learning Program Agreement (“Program Agreement”) is the entire agreement between the Partner School and Gradient Learning (“Agreement”). This Data Privacy Addendum defines the base level of security. We regularly evaluate our policies and practices to improve the security of our network and systems and to respond to evolving best practices. For more information on our current security practices see Gradient Learning Security Whitepaper ("Security Whitepaper").

1.2 Nature of Services Provided

Pursuant to and as fully described in the Program Agreement, Gradient Learning has agreed to provide the Summit Learning Program (the “Program”) and the Summit Learning Platform (“Platform”) and any other products and services that the Program may provide now or in the future (collectively, the “Services”).

1.3 Student Data to Be Provided

In order to use the Services, Partner School and its Users may provide the categories of Student Data described in the Schedule of Data, attached hereto as Exhibit A.

1.4 Data Privacy Addendum Definitions

Capitalized terms used herein and not otherwise defined in the Program Agreement or Terms of Service shall have the meanings set forth in Exhibit B hereto or as otherwise defined herein.

2. DATA OWNERSHIP AND AUTHORIZED ACCESS

2.1 Student Data Property of Partner School

All Student Data or any other Pupil Records transmitted to Gradient Learning pursuant to the Agreement is and will continue to be the property of, and under the control of, the Partner School, or the party who provided such Student Data or Pupil Records (such as the student or Caregiver). The Parties agree that as between them, all rights, including all intellectual property rights in and to Student Data or any other Pupil Records contemplated per the Agreement shall remain the exclusive property of the Partner School or the party who provided such Student Data or Pupil Records (such as the student or Caregiver). For the purposes of the Family Educational Rights and Privacy Act, 20 U.S.C. 1232g (“FERPA”), to the extent Personally Identifiable Information from Education Records are transmitted to Gradient Learning from Partner School, Gradient Learning shall be considered a School Official with a legitimate educational interest, under the direct control of the Partner Schools as it pertains to the use of Education Records notwithstanding the above. Gradient Learning shall, at the School's request, provide for review of Student Data or Pupil Records within thirty (30) days following a written request

To the extent this Data Privacy Addendum is governed by the Children’s Online Privacy Protection Act, 15 U.S.C. 6501-6502 (“COPPA”), the Partner School consents to the collection of Student Data as provided in the Agreement and our Privacy Policy. Gradient Learning agrees to use Student Data solely for the use and benefit of the Partner School, and for no other commercial purpose.

2.2 Caregiver Access

As set forth in applicable law, Partner School shall establish reasonable procedures by which a Caregiver, or eligible Student User may review and request amendment of Pupil Records and/or Student Data and correct erroneous information, consistent with the functionality of Services. Gradient Learning shall respond within 30 days to the Partner School’s written request for a student’s Pupil Records held by Gradient Learning to view or correct as necessary. In the event that a Caregiver of a student or other individual contacts Gradient Learning to review any of the Pupil Records or Student Data accessed pursuant to the Services, Gradient Learning shall refer the parent or individual to the Partner School, who shall follow the necessary and proper procedures regarding the requested information.

2.3 Third Party Request

Should a Third Party that is not, a Service Provider, contact Gradient Learning with a request for Student Data held by Gradient Learning pursuant to the Services, Gradient Learning shall redirect the Third Party (including law enforcement and government entities) to request the Student Data directly from the Partner School. Gradient Learning shall notify the Partner School in advance of such compelled disclosure to a Third Party, unless legally prohibited.

2.4 No Unauthorized Use

Gradient Learning shall not use Personally Identifiable Information from Student Data, or in a Pupil Record, for any purpose other than as explicitly specified in the Agreement.

2.5 Service Providers.

Gradient Learning may use Service Providers in order to perform its duties under the Agreement. Gradient Learning shall enter into written agreements with all Service Providers and shall be responsible for any actions of Service Providers that would be a breach of this Data Privacy Addendum.

3. DUTIES OF PARTNER SCHOOL

3.1 Provide Data In Compliance With FERPA

Partner School shall provide Student Data for the purposes of the Agreement in compliance with any applicable state or federal laws and regulations (including FERPA) pertaining to data privacy and security applicable to Partner School. If Partner School provides Education Records to Gradient Learning, Partner School represents, warrants and covenants to Gradient Learning, as applicable, that Partner School has:

1. complied with all applicable provisions of FERPA relating to disclosures to school officials with a legitimate educational interest, including, without limitation, informing Caregivers in their annual notification of FERPA rights that the Partner School defines “school official” to include service providers and defines “legitimate educational interest” to include services such as the type provided by Gradient Learning; or
2. obtained all necessary written consent from a Caregiver or eligible Student User to share the Student Data with Gradient Learning, in each case, solely to enable Gradient Learning’s operation of the Services.

3.2 Reasonable Precautions

Partner School shall take reasonable precautions to secure usernames, passwords, and any other means of gaining access to the Services and Student Data in accordance with the Agreement and applicable law.

3.3 Unauthorized Access Notification

Partner School shall notify Gradient Learning immediately of any known or suspected unauthorized use or access of the Platform or Student Data. Partner School will assist Gradient Learning in any efforts by Gradient Learning to investigate and respond to any unauthorized use or access.

3.4 Partner School Representative

The Principal Contact Person designated in the Program Agreement shall serve as the representative of the Partner School for the coordination and fulfillment of the duties of this Data Privacy Addendum.

4. DUTIES OF SUMMIT LEARNING

4.1 Privacy Compliance

Gradient Learning shall comply with all state and federal laws and regulations related to privacy and security and applicable to Partner Schools and/or Gradient Learning in providing the Services to Partner School.

4.2 Authorized Use

Student Data shared pursuant to the Agreement, including persistent unique identifiers that are personally identifiable, shall be used for no purpose other than the Services and for the uses set forth in the Agreement and/or as otherwise legally permissible. The foregoing limitation does not apply to any De-Identified Data.

4.3 Staff Obligation

Gradient Learning shall require all employees, staff, agents, and Service Providers who have access to Student Data to comply with all applicable laws with respect to the Student Data shared under the Agreement. Gradient Learning agrees to require and maintain written confidentiality obligations from each of its employees, staff, agents, or Service Providers with access to Student Data pursuant to the Agreement.

4.4 No Disclosure

Gradient Learning shall not disclose any Student Data obtained under the Agreement in a manner that directly identifies an individual student to any other entity except as authorized by the Agreement, or as required by law. Gradient Learning will not Sell Student Data. Additionally, Gradient Learning will not disclose, trade, or transfer Student Data to any third parties, except with the prior written consent of the Partner School. The prohibition on disclosing, trading, or transferring Student Data does not apply to the access to or disclosure of Student Data (a) to Partner School, (b) to authorized Licensed Users, including Caregivers, (c) as authorized by a Caregiver, or eligible Student User, (d) as permitted by law or (e) to Service Providers, in connection with operating or improving the Services. The list of Gradient Learning’s current Service Providers used for the Services can be accessed through the Privacy Policy (which may be updated from time to time).

4.5 De-Identified Data

Gradient Learning may create De-Identified Data, and De-Identified Data may be used for any lawful purpose including, but not limited to, operating and improving the Services. Gradient Learning’s use of such De-Identified Data shall survive termination of this Data Privacy Addendum or any request by Partner School to return or destroy Student Data. Gradient Learning agrees not to attempt or have any third party attempt to re-identify De-Identified Data except for the sole purpose of validating Gradient Learning’s de-identification processes. Prior to publishing any document that names the Partner School explicitly or indirectly, the Provider shall obtain the Partner School’s written approval of the manner in which de-identified data is presented.

4.6 Disposition of Student Data

UponPartner School’s written request, Gradient Learning shall transfer, dispose of, or delete all Personally Identifiable Information contained in Student Data within sixty (60) days following the written request, or as required by law, and according to a schedule and procedure as Gradient Learning and the Partner School may reasonably agree. Upon termination of the Agreement, if no written request is received, Gradient Learning shall dispose of or delete all Personally Identifiable Information contained in Student Data, after providing the Partner School with reasonable prior notice, at the earliest of (a) when it is no longer needed for the purpose for which it was obtained or (b) as required by applicable law. Disposition shall include (1) the shredding of any hard copies of any Personally Identifiable Information contained in Student Data; (2) erasing any Personally Identifiable Information contained in Student Data; or (3) otherwise modifying the Personally Identifiable Information contained in Student Data to make it unreadable or indecipherable or de-identified. Gradient Learning shall provide written notification to the Partner School when the Personally Identifiable Information contained in the Student Data has been disposed. The duty to dispose of Student Data shall not extend to De-Identified Data.

4.7 Advertising Prohibition

Gradient Learning shall not use, disclose, or sell Personally Identifiable Information contained in Student Data to (a) inform, influence, or serve Behaviorally Targeted Advertising to students or families/guardians or any other user; or (b) develop a profile of a student or any other user for any commercial purpose other than providing the Services to Partner School or as set forth in the Agreement. Gradient Learning shall not use or disclose Personally Identifiable Information contained in Student Data for Third-Party Advertising. This section does not prohibit Gradient Learning from using Student Data (i) for adaptive learning or customized student learning (including generating personalized learning recommendations); or (ii) to make product recommendations to teachers or LEA employees; or (iii) to notify account holders about new education product updates, features, or services or from otherwise using Student Data as permitted in this DPA.

5. DATA PROVISIONS

Gradient Learning’s core security commitments are set forth below and we commit to maintaining this baseline. (For more information regarding Gradient Learning’s current security practices, see the Security Whitepaper.)

Data Storage

Where required by applicable law, Student Data shall be stored within the United States. Upon request of the LEA, Gradient Learning will provide a list of the locations where Student Data is stored.

5.2 Data Security

Gradient Learning agrees to store and process data by employing administrative, physical, and technical safeguards designed to protect Student Data from unauthorized access, disclosure, and use or acquisition by an unauthorized person, including when transmitting and storing such information. Currently, Gradient Learning implements security practices identified in our Security Whitepaper. These measures shall include, but are not limited to:

1. Gradient Learning shall implement strong authentication methods including multi-factor authentication (MFA) with strong password complexity for all employees and contractors. These methods meet or exceed Article 4.3 of NIST 800-63-3.
2. Gradient Learning shall limit access to Student Data to employees, agents, staff, and Service Providers who need access in order for Gradient Learning to provide the Services. To the extent permissible by law, Gradient Learning shall conduct criminal background checks of employees prior to providing access to Student Data and prohibit access to Student Data by any person with criminal or other relevant unsatisfactory information that presents an unreasonable risk to Partner School or its Users.
3. Gradient Learning shall destroy or delete all Personally Identifiable Information contained in Student Data obtained under the Agreement as set forth in Section 4.6 hereof.
4. Gradient Learning shall employ a strong modern encryption technology designed to securely transmit (encryption in transit) and store all Student Data (encryption at rest). Gradient Learning shall maintain all Student Data obtained or generated pursuant to the Agreement in a secure computing environment and shall not copy, reproduce, or transmit data obtained pursuant to the Agreement, except as necessary to fulfill the purpose of data requests by Partner School or as otherwise set forth in the Agreement.
5. Gradient Learning shall create a secured data backup and recovery capability that is designed to help ensure an effective, timely and accurate restoration of all Student Data. The capability will be designed to minimize the amount of Student Data loss in the event of some form of catastrophic failure. For further protection, those backups will be encrypted and are stored in a different region.
6. Gradient Learning shall adopt and maintain a secure software development lifecycle (“Secure SDLC”) which will incorporate industry standard security practices such as penetration testing, code reviews and architecture analysis as essential functions of the development effort. Any identified security vulnerability will be remediated in a timely manner.
7. Gradient Learning shall provide periodic security training to those of its employees and staff who have access to Student Data.
8. Gradient Learning shall enter into written agreements whereby Service Providers agree to prevent unauthorized access and use of Student Data in a manner consistent with the terms of this Section 5.2. Gradient Learning shall periodically conduct or review such compliance of Service Providers.

In the event Partner Schools have questions regarding Data Privacy or Security, they may contact our team at privacy@summitlearning.org. Vulnerabilities can be responsibly disclosed by contacting security@summitlearning.org.

5.3 Incident Response and Security Governance

In addition to those security measures described in Section 5.2, Gradient Learning also implements an incident response and security governance program, which:

1. Maintains platform availability through event monitoring and response procedures for all site outages or any observable occurrences, automated site outage notifications, handling and reporting by On-Call personnel.
2. Implements incident response policies, plans and procedures focused on timely and effective incident response. These procedures shall be made available to Partner School upon request.
3. Restricts network and physical access to Summit Learning Platform infrastructure. We also leverage services to monitor for suspicious activity and employ professionals with training in security incident detection and response. More information about our infrastructure can be found in the Security Whitepaper.
4. Implements oversight and governance procedures for security risks and vulnerabilities, including a Vulnerability Disclosure Program and mandatory reviews of any incidents affecting the Summit Learning Platform.

5.4 Data Breach

In the event that Gradient Learning becomes aware of an unauthorized disclosure of or access to Student Data (a “Security Incident”), Gradient Learning shall provide notice to the Partner School without undue delay or as required by the applicable state law (each, a “Security Incident Notification”).

1. Unless otherwise required by the applicable law, the Security Incident Notification shall be written in plain language, shall be titled "Notice of Data Breach," and shall present the information described herein under the following headings: "What Happened," "What Information Was Involved," "What We Are Doing," "What You Can Do," and "For More Information." Additional information may be provided as a supplement to the notice.
2. The Security Incident Notification described above in Section 5.4(a) shall include such information required by the applicable state law and the following information:
1. The name and contact information of the reporting Partner School subject to this section.
2. A list of the types of Personally Identifiable Information that were or are reasonably believed to have been the subject of the Security Incident.
3. If the information is known at the time the Security Incident Notification is provided, then either (1) the date of the Security Incident, (2) the estimated date of the Security Incident, or (3) the date range within which the Security Incident occurred. The Security Incident Notification shall also include the date of the notice.
4. Whether, to the knowledge of Gradient Learning at the time notice is provided, the notification was delayed as a result of a law enforcement investigation or request.
5. A general description of the Security Incident, if that information is possible to determine at the time the notice is provided.
3. At Gradient Learning's discretion, the Security Incident Notification may also include any of the following:
1. Information about what Gradient Learning has done to protect individuals whose Personally Identifiable Information has been breached by the Security Incident.
2. Advice on steps that the person whose Personally Identifiable Information has been breached may take to protect himself or herself.
4. LEA shall provide notice and facts surrounding the Security Incident to the affected students or Caregivers. To the extent required by the applicable state law, Gradient Learning shall seek to notify the affected Caregiver or eligible Student User of the Security Incident, which shall include as applicable the information listed in subsections (b) and (c), above.

6. MISCELLANEOUS

6.1 Term

Except as otherwise stated herein, Gradient Learning shall be bound by this Data Privacy Addendum for the duration of the Program Agreement or a longer period as required by law.

6.2 Termination

In the event that either Party seeks to terminate this Data Privacy Addendum, they may do so by terminating the Program Agreement as set forth therein.

6.3 Effect of Termination Survival

If the Agreement is terminated, Gradient Learning shall dispose of all of Partner School's Personally Identifiable Information contained in Student Data pursuant to Section 4.6.

6.4 Priority of Agreements

This Data Privacy Addendum shall govern the treatment of Student Data. With respect to the treatment of Student Data, in the event there is conflict between the terms of this Data Privacy Addendum and the Program Agreement, the Terms of Service, or any other agreement between the Partner School and Gradient Learning, the terms of this Data Privacy Addendum shall apply and take precedence. Except as described in this paragraph, all other provisions of the Program Agreement and Terms of Service shall remain in effect.

6.5 Notice

All notices or other communication required or permitted to be given hereunder must be sent to Partner School or Gradient Learning, as applicable, as provided in the Program Agreement.

EXHIBIT A

SCHEDULE OF DATA

In order to use the Services, Partner School and its Users may provide the categories of Student Data described in this Schedule of Data.

EXHIBIT B

DEFINITIONS

"Agreement" means, collectively, this Data Privacy Addendum, the Summit Learning Platform Partner School Terms of Service and the Summit Learning Program Agreement.

"Behaviorally Targeted Advertising" means presenting an advertisement to a User where the selection of the advertisement is based on Student Data or Pupil Generated Content or inferred over time from the usage of Summit Learning’s website, online service or mobile application by such student or the retention of such student’s online activities or requests over time and across non-affiliate website for the purpose of targeting subsequent advertising.

“Caregiver” is the parent, legal guardian or caregiver of a Student User.

"De-Identified Data" information that has all direct and indirect personal identifiers removed such that the data cannot reasonably be used to identify or contact a student. This includes, but is not limited to, persistent unique identifiers, name, ID numbers, date of birth, and school ID.

"Directory Information" shall have the meaning given under FERPA cited as 20 U.S.C. § 1232g(a)(5)(A).

"Education Records" shall have the meaning given under FERPA cited as 20 U.S.C. § 1232g(a)(4).

"Indirect Identifiers" means any information that, either alone or in aggregate, would allow a reasonable person to be able to identify a student to a reasonable certainty. When anonymous or non-personal information is directly or indirectly linked with personal information, this anonymous or non-personal information is also treated as personal information. Persistent identifiers that are not anonymized, de-identified or aggregated are personal information.

"Licensed User" means a teacher, employee, official, agent of a Partner School or the parent or legal guardian of a Student User.

"On-Call" means the Gradient Learning personnel tasked with monitoring system alerts and responding to incidents. Gradient Learning will use reasonable efforts to have an engineer on-call at any given moment.

"Personally Identifiable Information" or "PII" means data that can be used to identify or contact a particular individual, including direct and Indirect Identifiers, such as the individual’s name, email address or billing information, or other data which can be reasonably linked to that data or to that individual’s specific computer or device. PII includes, without limitation, at least the following: first and last name, home address, telephone number, email address, discipline records, test results, special education data, juvenile dependency records grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, and videos.

"Pupil Generated Content" means materials or content created by a pupil during and for the purpose of education including, but not limited to, essays, research reports, portfolios, creative writing, music or other audio files, photographs, videos, and account information that enables ongoing ownership of pupil content.

"Pupil Records" means both of the following: (1) any information that directly relates to a pupil that is maintained by Partner School and (2) any information acquired directly from the pupil through the use of instructional software or applications assigned to the pupil by a teacher or other employee of the Partner School.

"School Official" means, for the purposes of this Data Privacy Addendum and pursuant to 34 CFR § 99.31 (B), a contractor that: (1) performs an institutional service or function for which the agency or institution would otherwise use employees; (2) is under the direct control of the agency or institution with respect to the use and maintenance of Education Records; and (3) is subject to 34 CFR § 99.33(a) governing the use and re-disclosure of Personally Identifiable Information from Education Records.

"Sell" consistent with the Student Online Privacy Protection Act (SOPIPA) and the Student Privacy Pledge, does not include or apply to the purchase, merger or other type of acquisition of a company by another entity, provided that the company or successor entity continues to treat the personal information in a manner consistent with the Education Privacy Principles with respect to the previously acquired personal information.

"Service Provider" means, for the purposes of the Data Privacy Addendum, a party other than Partner School or Summit Learning or Users, who Summit Learning uses for data collection, analytics, storage, or other service to operate and/or improve the Platform, and who has access to PII, including Student Data.

"Student Data" means any data, whether gathered by Gradient Learning or provided by Partner School and its users, students, or students’ parents/guardians, that is directly related to a Partner School student including, but not limited to, information in the student’s Educational Record or email, first and last name, birthdate, home address or other physical address, telephone number, email address, or other information allowing physical or online contact, discipline records, videos, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security numbers, biometric information, disabilities, socioeconomic information, individual purchasing behaviors or preferences, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings or geolocation information. Student Data shall include student login credentials, passwords, Student User authentication tokens or security devices used for student Platform or infrastructure access. Student Data shall also constitute Pupil Records for the purposes of this Data Privacy Addendum. Student Data as specified in Exhibit A is confirmed to be collected or processed by Gradient Learning pursuant to the Services. Student Data shall not constitute that information that has been anonymized, De-Identified Data, or anonymous usage data regarding a student’s use of the Services.

"Student User" means a student enrolled at the Partner School with an account on the Platform.

"Summit Learning Website" means the website for the Program presently located at www.summitlearning.org, which URL is subject to change from time to time.

“Terms of Service” means the Summit Learning Platform Partner School Terms of Service between Gradient Learning and the authorized representative of each Partner School and Gradient Learning, located on the Summit Learning website [available at, https://www.summitlearning.org/privacy-center].

"Third Party" means, for purposes of this Data Privacy Addendum, any person other than Gradient Learning, Partner School, a User, or a Service Provider.

"Third-Party Advertising" means direct advertising of third-parties and their products or services on our Services (e.g., such as when an advertiser would bid to place an advertisement directly on a platform). Gradient Learning does not allow third parties to advertise directly on its Services in user logged in areas of the Services, nor does Gradient Learning sell advertising space in logged in areas on the Platform. Gradient Learning also does not use third-party ad servers (such as Google AdWords or AdSense) in user logged in areas of the Platform.

"Users" means, collectively, Student Users and Licensed Users.