(a) This Exhibit supplements the Master License and Service Agreement (“MLSA”) to which it is attached, to ensure that the MLSA conforms to the requirements of New York State Education Law Section 2-d and any implementing Regulations of the Commissioner of Education (collectively referred to as “Section 2-d”). This Exhibit consists of the terms of this Data Sharing and Confidentiality Agreement, a copy of Erie 1 BOCES’ Parents Bill of Rights for Data Security and Privacy signed by SAY IT Labs, Inc., and the Supplemental Information about the MLSA that is required to be posted on Erie 1 BOCES’ website.
(b) To the extent that any terms contained within the MLSA, or any terms contained within any other Exhibits attached to and made a part of the MLSA, conflict with the terms of this Exhibit, the terms of this Exhibit will apply and be given effect. In the event that SAY IT Labs, Inc. has online or written Terms of Service (“TOS”) that would otherwise be applicable to its customers or users of its Product that is the subject of the MLSA, to the extent that any term of the TOS conflicts with the terms of this Exhibit, the terms of this Exhibit will apply and be given effect.
Any capitalized term used within this Exhibit that is also found in the MLSA will have the same definition as contained within the MLSA.
In addition, as used in this Exhibit:
(a) “Student Data” means personally identifiable information, as defined in Section 2-d, from student records that Vendor receives from a Participating Educational Agency pursuant to the MLSA.
(b) “Teacher or Principal Data” means personally identifiable information relating to the annual professional performance reviews of classroom teachers or principals that is confidential and not subject to release under the provisions of New York Education Law Sections 3012-c or 3012-d, that SAY IT Labs, Inc. receives from a Participating Educational Agency pursuant to the MLSA.
(c) “Protected Data” means Student Data and/or Teacher or Principal Data to the extent applicable to SAY IT Labs, Inc.’s Product.
(d) “Participating Educational Agency” means a school district within New York State that purchases certain shared instructional technology services and software through a Cooperative Educational Services Agreement with a BOCES, and as a result is licensed to use SAY IT Labs, Inc.s’ Product pursuant to the terms of the MLSA. For purposes of this Exhibit, the term also includes Erie 1 BOCES or another BOCES that is licensed to use SAY IT Labs, Inc.s’ Product pursuant to the MLSA to support
its own educational programs or operations.
(a) SAY IT Labs, Inc. acknowledges that the Protected Data it receives pursuant to the MLSA may originate from several Participating Educational Agencies located across New York State, and that this Protected Data belongs to and is owned by the Participating Educational Agency from which it originates.
(b) SAY IT Labs, Inc. will maintain the confidentiality of the Protected Data it receives in accordance with federal and state law (including but not limited to Section 2-d) and Erie 1 BOCES’s policy on data security and privacy. SAY IT Labs, Inc. acknowledges that Erie 1 BOCES is obligated under Section 2-d to adopt a policy on data security and privacy. Erie 1 BOCES will provide SAY IT Labs, Inc. with a copy of its policy. SAY IT Labs, Inc. and Erie 1 BOCES agree to engage in good faith negotiations to modify this Data Sharing Agreement to the extent necessary to ensure SAY IT Labs, Inc.’s’ continued compliance with Section 2-d.
SAY IT Labs, Inc. agrees that it will protect the confidentiality, privacy and security of the Protected Data received from Participating Educational Agencies in accordance with Erie 1 BOCES’ Parents Bill of Rights for Data Privacy and Security.
Additional elements of SAY IT Labs, Inc’s. Data Security and Privacy Plan are as follows:
(a) In order to implement all state, federal, and local data security and privacy requirements, including those contained within this Data Sharing and Confidentiality Agreement, consistent with Erie 1 BOCES’ data security and privacy policy, SAY IT Labs, Inc. will review its data security and privacy policy and practices to ensure that they are in conformance with all applicable federal, state, and local laws and the terms of this Agreement. In the event SAY IT Labs, Inc.’s policy and practices are not in conformance, SAY IT Labs, Inc. will implement commercially reasonable efforts to ensure such compliance.
(b) In order to protect the security, confidentiality and integrity of the Protected Data that it receives under the MLSA, SAY IT Labs, Inc. products are on equipment owned by the school or school district such as tablets. All data is encrypted during transit and encrypted at rest. Our servers and all user-specific data are hosted in a secure data center located in Virginia with a failover data center in Oregon. All of our administrative controls are behind firewalls and also require username/password access, which is limited to SAY IT Labs, Inc. operational staff.
(c) SAY IT Labs, Inc. will comply with all obligations set forth in Erie 1 BOCES’ Supplemental Information about the MLSA.
(d) For any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who have access to Protected Data, SAY IT Labs, Inc. has provided or will provide training on the federal and state laws governing confidentiality of such data prior to their receiving access, as follows: Annually, SAY IT Labs, Inc. will require that all of its employees who have access to Protected Data (or officers or employees of any of its subcontractors or assignees) undergo data security and privacy training to ensure that these individuals are aware of and familiar with all applicable data security and privacy laws.
(e) SAY IT Labs, Inc. subscriptions and services are SaaS-based and hosted on the school devices. SAY IT Labs, Inc. shall remain responsible and liable to Erie 1 BOCES, other applicable BOCES, and each Participating Education Agency for same. Other than the foregoing, SAY IT Labs, Inc. will not utilize sub-contractors for the purpose of fulfilling one or more of its obligations under the MLSA. In the event that SAY IT Labs, Inc. engages any subcontractors, assignees, or other authorized agents to perform its obligations under the MLSA, it will require such subcontractors, assignees, or other authorized agents to execute written agreements as more fully described in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.
(f) SAY IT Labs, Inc. will manage data security and privacy incidents that implicate Protected Data by SAY IT Labs, Inc. or its assignees or subcontractors, including identifying breaches and unauthorized disclosures, and SAY IT Labs, Inc. will provide prompt notification of any breaches or unauthorized disclosures of Protected Data in accordance with Section 6 of this Data Sharing and Confidentiality Agreement..
(g) SAY IT Labs, Inc. will implement procedures for the return, transition, deletion and/or destruction of Protected Data upon termination or expiration of the MLSA.
SAY IT Labs, Inc. acknowledges that it has the following additional obligations with respect to any Protected Data received from Participating Educational Agencies, and that any failure to fulfill one or more of these statutory or regulatory obligations shall be a breach of the MLSA and the terms of this Data Sharing and Confidentiality Agreement:
(a) Limit internal access to education records to those individuals that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA).
(b) Limit internal access to Protected Data to only those employees or subcontractors that need access in order to assist SAY IT Labs, Inc. in fulfilling one or more of its obligations under the MLSA.
(c) Not use education records for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement.
(d) Not disclose any personally identifiable information to any other party, except for authorized representatives of SAY IT Labs, Inc. using the information to carry out SAY IT Labs, Inc.’s obligations under the MLSA, unless:
(i) the applicable Participating Education Agency has directed and/or authorized SAY IT Labs, Inc. to do so in writing; or
(ii) the parent or eligible student has provided prior written consent; or
(iii) the disclosure is required by statute or court order and notice of the disclosure is provided to Participating Educational Agency no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order.
(e) Maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of personally identifiable student information in its custody;
(f) Use encryption technology that complies with Section 2-d, as more fully set forth in Erie 1 BOCES’ “Supplemental Information about the MLSA,” below.
(g) Provide notification to Erie 1 BOCES and Participating Educational Agencies, to the extent required by, and in accordance with, Section 6 of this Data Sharing and Confidentiality Agreement of any breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of state or federal law or other obligations relating to data privacy and security contained herein.
(h) Promptly reimburse Erie 1 BOCES, another BOCES, or a Participating Educational Agency for the full cost of notification, in the event they are required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor or its subcontractors or assignees.
(a) SAY IT Labs, Inc. shall promptly notify Erie 1 BOCES and Participating Educational Agencies in writing of any breach or unauthorized release of Protected Data in the most expedient way possible and without unreasonable delay, but no more than seven (7) calendar days after SAY IT Labs, Inc. has discovered or determined a the breach or unauthorized release has occurred..
(b) SAY IT Labs, Inc. will provide such notification to Erie 1 BOCES by contacting Michelle Okal-Frink directly by email or by calling.
(c) SAY IT Labs, Inc. will cooperate with Erie 1 BOCES and the impacted Participating Educational Agencies, and will also provide as much information as possible directly to Michelle Okal- Frink or her designee about the incident, including but not limited to: a description of the incident, the date of the incident, the date SAY IT Labs, Inc. discovered or was informed of the incident, a description of the types of personally identifiable information involved, an estimate of the number of records affected, the Participating Educational Agencies affected, what SAY IT Labs, Inc. has done or plans to do to investigate the incident, stop the breach and mitigate any further unauthorized access or release of Protected Data, and contact information for SAY IT Labs, Inc. representatives who can assist affected individuals that may have additional questions.
(d) SAY IT Labs, Inc. acknowledges that upon initial notification from SAY IT Labs, Inc., Erie 1 BOCES, as the educational agency with which SAY IT Labs, Inc. contracts, has an obligation under Section 2-d to in turn notify the Chief Privacy Officer in the New York State Education Department (“CPO”). SAY IT Labs, Inc. shall not provide this notification to the CPO directly. In the event the CPO contacts SAY IT Labs, Inc. directly or requests more information from SAY IT Labs, Inc. regarding the incident after having been initially informed of the incident by Erie 1 BOCES, SAY IT Labs, Inc. will promptly inform Michelle Okal-Frink or her designees.
(e) SAY IT Labs, Inc. will consult directly with Michelle Okal-Frink or her designees prior to providing any further notice of the incident (written or otherwise) directly to any other BOCES or Regional Information Center, or any affected Participating Educational Agency.
Erie 1 BOCES has entered into a Master License and Service Agreement (“MLSA”) with SAY IT Labs, Inc. which governs the availability to Participating Educational Agencies of the following Product(s):
The SAY IT SUITE: Video games for Speech, Early literacy including phonemic awareness, and math
Pursuant to the Master Agreement (which includes a Data Sharing and Confidentiality Agreement), the District may provide to Vendor, and Vendor will receive, personally identifiable information about students and/or teachers and principals that is protected by Section 2-d of the New York Education Law (“Protected Data”).
Exclusive Purposes for which Protected Data will be Used: The exclusive purpose for which Vendor is receiving Protected Data from the District is to provide the District with the functionality of the products or services listed above. Vendor will not use the Protected Data for any other purposes not explicitly authorized above or within the Master Agreement.
Oversight of Subcontractors: In the event that Vendor engages subcontractors or other authorized persons or entities to perform one or more of its obligations under the Master Agreement (including subcontracting hosting of the Protected Data to a hosting service provider), it will require those subcontractors or other authorized persons or entities to whom it will disclose the Protected Data to execute legally binding agreements acknowledging their obligation under Section 2-d of the New York Education Law to comply with all applicable data protection, privacy and security requirements required of Vendor under the Master Agreement and applicable state and federal law and regulations.
Duration of Agreement and Protected Data Upon Termination or Expiration:
Challenging Accuracy of Protected Data: Parents or eligible students can challenge the accuracy of any Protected Data provided by the District to SAY IT Labs, Inc., by contacting the District regarding procedures for requesting amendment of education records under the Family Educational Rights and Privacy Act (FERPA). Teachers or principals may request to challenge the accuracy of APPR data provided to SAY IT Labs, Inc. by following the appeal process in the District’s applicable APPR Plan.
Data Storage and Security Protections: Any Protected Data that SAY IT Labs, Inc. receives will be stored on systems maintained by SAY IT Labs, Inc., or by a subcontractor under the direct control of SAY IT Labs, Inc., in a secure data center facility located within the United States. The measures that SAY IT Labs, Inc. (and, if applicable, its subcontractors) will take to protect Protected Data include adoption of technologies, safeguards and practices that align with the NIST Cybersecurity Framework, and safeguards associated with industry standards and best practices including, but not limited to, disk encryption, file encryption, firewalls, and password protection.
Encryption of Protected Data: SAY IT Labs, Inc. (and, if applicable, its subcontractors) will protect Protected Data in its custody from unauthorized disclosure while in motion or at 10 rest, using a technology or methodology that complies with Section 2-d of the New York Education Law.
SAY IT Labs, Inc. is committed to protecting the privacy and security of student, teacher, and principal data. In accordance with New York Education Law § 2-d, SAY IT Labs wishes to inform the community of the following:
(1) A student’s personally identifiable information cannot be sold or released for any commercial purposes.
(2) Parents have the right to inspect and review the complete contents of their child’s education record.
(3) State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls, and password protection, must be in place when data is stored or transferred.
(4) A complete list of all student data elements collected by the State is available for public review at http://www.nysed.gov/data-privacy-security/student-data-inventory, or by writing to the Office of Information & Reporting Services, New York State Education Department, Room 863 EBA, 89 Washington Avenue, Albany, New York 12234.
(5) Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to the Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, New York 12234. Complaints may also be submitted using the form available at the following website https://www.nysed.gov/data-privacy-security/parents-and-students-file-privacy-complaint.
SAY IT Labs is committed to maintaining the privacy and security of student data and teacher and principal data and will follow all applicable laws and regulations for the handling and storage of this data. SAY IT Labs, Inc. adopts this policy to implement the requirements of Education Law Section 2-d and its implementing regulations, as well as to align the SAY IT Labs Inc’s. data privacy and security practices with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity.
In the course of complying with its obligations under the law and providing educational services, SAY IT Labs, Inc. has entered into agreements with Erie 1 BOCES. Pursuant to such agreements, third-party contractors may have access to “student data” and/or “teacher or principal data,” as those terms are defined by law.
Each contract the SAY IT Labs, Inc enters into with Erie 1 BOCES where SAY IT Labs receives student data or teacher or principal data will include the following information:
(1) the exclusive purposes for which the student data or teacher or principal data will be used;
(2) how SAY IT Labs, Inc. will ensure that the subcontractors, persons or entities that SAY IT Labs, Inc. will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements;
(3) when the agreement expires and what happens to the student data or teacher or principal data upon expiration of the agreement;
(4) if and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected; and
(5) where the student data or teacher or principal data will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted.
For questions or concerns regarding this Privacy Policy, please contact us at hello@sayitlabs.com.
