This Data Privacy Addendum (“Addendum”) between EZ School Apps (“EZ School Apps”, “we”, “us”, or “our”) and Vendor (“you” or “your”), amends the current version of the agreement or terms and conditions between you and us (the “Agreement”). If any terms of this Addendum conflict with any terms of the Agreement, the terms of this Addendum apply.
1. Scope. In connection with the services you provide, we may provide you access to Personal Information (as defined below). This Addendum governs how you may Process (as defined below) such Personal Information and your security requirements with respect to such Personal Information.
2. Definitions.
a. “Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Information, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 along with any associated regulations (“CCPA”), and similar privacy laws in effect in other U.S. states. If your Processing activities involving Personal Information are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this Addendum.
b. “Data Subject” means an identified or identifiable natural person about whom Personal Information relates.
c. “Personal Information” includes “personal information,” “personal data,” and “personally identifiable information” and such terms will have the same meaning as defined by applicable Data Privacy Laws. For purposes of this Addendum, Personal Information is limited to the Personal Information to which we provide you access.
d. “Process” and “Processing” mean any operation or set of operations performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
e. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information of one or more Data Subjects.
f. “Subprocessor” means a party other than EZ School Apps or Vendor, who assists Vendor in providing the Services.
3. Scope and Purposes of Processing. You will Process Personal Information solely: (a) to fulfill your obligations to us under the Agreement, including this Addendum; (b) on our behalf and per any written instructions we provide you; and (c) in compliance with applicable Data Privacy Laws.
4. Personal Information Processing. You certify that you understand and will comply with your obligations in this Addendum, including those in this Section 4. You will:
a. Ensure that the persons you authorize to Process any Personal Information are bound to confidentiality obligations;
b. Upon our written request, provide us reasonable assistance fulfilling our obligation to respond to bona fide requests from Data Subjects to exercise their rights under Data Privacy Laws (e.g., access or deletion requests);
c. Promptly notify us of any bona fide requests for access to or information about your Processing of any Personal Information on your behalf, unless prohibited by Data Privacy Laws;
d. Provide us reasonable assistance in connection with fulfilling our obligations required by applicable Data Privacy Laws, at our expense;
e. Not “sell” or “share” for purposes of “cross-context behavioral advertising” (as defined by applicable Data Privacy Laws) any Personal Information;
f. Not retain, use, or disclose Personal Information outside of the direct business relationship between you and us;
g. Not attempt to (i) re-identify any pseudonymized, anonymized, aggregate, or de-identified Personal Information, or (ii) link or otherwise create a relationship between Personal Information and non-Personal Information or any other information, without our express written permission;
h. Comply with any applicable restrictions under applicable Data Privacy Laws on combining the Personal Information with personal information that you receive from, or on behalf of, another person or persons, or that you collect from any interaction between you and any individual; and
i. Promptly notify us if you determine that (i) you can no longer meet your obligations under this Addendum or applicable Data Privacy Laws; or (ii) in your opinion, an instruction from us infringes applicable Data Privacy Laws.
5. Data Security. You will implement appropriate administrative, technical, physical, and organizational measures to protect any Personal Information, as set forth in Exhibit A. We retain at all times the right to take reasonable and appropriate steps to stop and remediate unauthorized Processing of Personal Information, including any processing of Personal Information not expressly authorized in this Addendum.
6. Security Breach. You will notify us promptly (and in any event, within 72 hours) following your confirmation of any Security Breach. You will comply with the Security Breach-related obligations under any applicable Data Privacy Laws and will assist us in our compliance with your Security Breach-related obligations, including (a) taking reasonable steps to mitigate the adverse effects of the Security Breach, and (b) providing us information, to the extent known, about the nature of the Security Breach, the likely consequences of the Security Breach, and the measures you have taken to address the Security Breach.
7. Subprocessors. You may use affiliates and other Subprocessors to Process Personal Information in accordance with the provisions within this Agreement (including this Addendum) and Data Privacy Laws, provided that you are responsible for their compliance with the relevant obligations of this Agreement (including this Addendum). If you engage any Subprocessor to Process Personal Information, you will:
a. Select and retain Subprocessors that are capable of maintaining appropriate privacy and security measures;
b. Enter into a written contract requiring each Subprocessor to comply with obligations that are no less restrictive than those imposed on you under this Addendum; and
c. Maintain an up-to-date list of its subprocessors, and provide the current list of subprocessors on request. You will provide us with reasonable notice of any new subprocessor added to the list prior to transferring or making available Personal Information to such new subprocessor. In the event we object to a new subprocessor, you will not transfer or make available Personal Information to the new subprocessor and will use reasonable efforts to make available to us a change in the services or recommend a commercially reasonable change to our use of the services to avoid Processing of Personal Information by the objected-to subprocessor without unreasonably burdening us. We may, in our sole discretion, terminate the Agreement at any time and by providing written notice to you in the event that we object to a subprocessor and you are unable to change the services to satisfy us.
8. Audits. You will make available to us all information necessary to demonstrate compliance with this Addendum and will allow for and contribute to audits, including inspections, conducted by us or another auditor mandated by us, provided that, except in the case of a Security Breach, for which there is no frequency limitation, such audit shall occur not more than once every twelve (12) calendar months, upon reasonable prior written notice, and to the extent your personnel are required to cooperate therewith, only during your normal business hours.
9. Term; Survival; Return or Destruction of Personal Information. The effective date of this Addendum is the date of the Agreement. The provisions of this Addendum survive the termination or expiration of the Agreement for so long as you, your affiliates, or your Subprocessors Process any Personal Information. You will return and/or securely destroy all Personal Information in your possession, except to the extent required otherwise by Data Privacy Laws (a) upon the expiration or termination of the Agreement, (b) when there is no longer any legitimate business need (as determined by us) to retain the Personal Information, or (c) upon our request. Upon our request, you will certify your compliance with this Section.
Exhibit A
Data Security Requirements
You will implement and maintain appropriate administrative, technical (including, without limitation, encryption), and physical safeguards, procedures and practices designed to: (a) ensure the security, confidentiality, and integrity of any Personal Information, and (b) protect against any anticipated threats or hazards to the security or integrity of any Personal Information, and (collectively, “Safeguards”), including, without limitation:
· technical and organizational measures to protect Personal Information against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure, and access, and against all other unlawful activities
· network, application (including databases) and platform security
· business systems designed to optimize security and proper disposal of Personal Information
· secure transmission and storage of Personal Information, including encryption of sensitive Personal Information that is being transmitted over a network or stored on a portable device
· authentication and access control mechanisms
· personnel security and integrity, including background checks where consistent with applicable law
· training to personnel who have access to any Personal Information on how to comply with the Safeguards and obligations under applicable Data Privacy Laws
