Please read carefully.
ARTICLE 1 – INTRODUCTION
1. Purpose and Scope.
2. Additional Data Policies.
ARTICLE 2 – CUSTOMER DATA OWNERSHIP; UNAUTHORIZED ACCESS
1. Customer Data.
2. Student Data.
In connection with Customer Agreements for products and/or services, Customers may provide SWT with data that is subject to federal statutes, including the Family Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. 1232g (34 CFR Part 99); the Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. 6501-6506; and the Protection of Pupil Rights Amendment (“PPRA”), 20 U.S.C. 1232h. Such data shall be referred to as “Student Data,” which shall mean any data, whether gathered by SWT or provided by Customer or its users, students, or students’ parents/guardians, that is descriptive of the student including, but not limited to, information in the student’s educational record or email, first and last name, home address, telephone number, email address, or other information allowing online contact, discipline records, videos, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security numbers, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings or geolocation information. Student Data includes PII (personally identifiable information) as defined in FERPA. Excluded from the term Student Data is “De-identified Data” as defined below in ARTICLE 3, Section 8.
SWT acknowledges and agrees that Customer Data is owned solely by Customer. SWT will not share, sell or disclose Customer Data to any third party without prior written consent of Customer. Customer has the right to request the prompt return of any portion of Customer Data and/or all data files at any time for any reason whatsoever, subject to payment for time and materials at reasonable rates by Customer to SWT.
4. Third Party Data Request.
SWT will promptly report to Customer any requests from third parties for Customer Data. Customer will respond to such data requests. If SWT is subject to compelled disclosure to a third party (e.g., a lawfully issued subpoena or court order), SWT will notify Customer in advance of such compelled disclosure, provided that SWT is not prohibited from doing so under the terms of the subpoena or court order.
ARTICLE 3 – DATA PRACTICES
1. Legal Requirements.
SWT will comply with all applicable state and federal laws and regulations pertaining to data privacy and security, including FERPA, COPPA, PPRA, the Minnesota Government Data Practices Act (“MGDPA”), Minn. Stat. ch. 13, and similar state laws as applicable to SWT. SWT agrees that any information it creates, collects, receives, stores, uses, or disseminates during the course of its performance under a Customer Agreement which concerns the personal, financial, or other affairs of Customer, its students, employees, officers, or Board shall be kept private and in conformance with all state and federal laws relating to data privacy as applicable to SWT, including without limitation the MGDPA.
2. Collection of Customer Data.
SWT only collects, maintains, uses and shares Customer Data to the extent it is needed for “Educational/School Purposes” authorized by its Customers, or authorized by parents or students. Educational/School Purposes include services or functions that take place at the direction of an authorized representative of a Customer, typically pursuant to a Customer Agreement, that would otherwise be performed by the Customer’s employees, and that aid in the administration or improvement of education and school activities.
3. Use of Customer Data.
SWT will ensure that any and all Customer Data is used expressly and solely for the purposes enumerated in Customer Agreements. Customer Data shall not be distributed, repurposed, sold or shared across other applications or environments of SWT. Prior to any such distribution, SWT shall first obtain written permission from Customer.
4. Advertising Prohibition.
SWT shall not use or sell Customer Data to (a) market or advertise to students or families/guardians; (b) inform, influence, or enable marketing, advertising, or other commercial efforts by SWT; (c) develop a profile of a student, family member/guardian or group, for any commercial purpose other than providing products or services to Customer; or (d) use the Student Data for the development of commercial products or services, other than as necessary to provide services to Customer. This section does not prohibit SWT from using Student Data for adaptive learning or customized student learning purposes.
5. Student Profiles.
SWT will not use any Customer Data (in particular, Student Data) to create or maintain student profiles other than as strictly needed to provide products and/or services under Customer Agreements. SWT will not create or maintain student profiles for any non-educational purpose.
6. Employee Obligations.
7. Successor Entities.
8. De-identified Customer Data.
Customer understands and agrees that it hereby authorizes SWT to use Customer Data, including electronic Student Data, in a de-identified format as defined in FERPA, 34 C.F.R. §99.31(b)(1) (“De-identified Data”) for the following purposes and that SWT has no obligation to destroy or return such De-identified Data upon termination: (1) to test De-identified Data for performance and compatibility with new software releases and upgrades; (2) to test De-identified Data in a new release against the existing environment; (3) to test for conversion; (4) to provide software support services to Customer in connection with Customer Agreements; and (5) for presentations or demonstrations to current and potential Customers. SWT will not attempt to re-identify De-identified Data and will not transfer any such data to any party unless that party agrees in writing not to attempt re-identification.
9. Pupil Generated Content.
If “Pupil Generated Content” (which shall mean any materials or content created by a student for the purposes of education) is stored or maintained by SWT as part of the provided products/services, upon Customer’s request, SWT will transfer such content to a separate student account upon termination of the Customer Agreement, provided, however, such transfer shall only apply to pupil generated content that is severable from the product or services. Customer understands and agrees to pay SWT a fee for the account set-up and transfer, subject to pre-approval of the fee amount by Customer.
10. Retention of Customer Data.
SWT will only retain Customer Data for as long as it is necessary for SWT to provide products and/or services to Customer under Customer Agreements or as otherwise authorized by Customer. SWT will dispose of Customer Data pursuant to Section 11 below when it is no longer needed for the purpose for which it was obtained.
11. Disposal of Customer Data.
Upon written request and in accordance with the applicable terms in subsection (a) or (b) below, SWT shall dispose of or delete all Customer Data obtained under a Customer Agreement when it is no longer needed for the purpose for which it was obtained. Disposition shall include (1) shredding any hard copies of Customer Data; (2) erasing; or (3) otherwise modifying the personal information in those records to make it unreadable or indecipherable by human or digital means. SWT will not maintain Customer Data obtained under a Customer Agreement beyond the time period reasonably needed to complete the disposition. SWT shall provide written notification to Customer when the Customer Data has been disposed of. The duty to dispose of Customer Data shall not extend to De-identified Data as defined above in Section 8 or to Pupil Generated Content placed in a separate user account per Section 9 above. Upon receipt of a request from the Customer, SWT will use best efforts to provide the Customer with any specified portion of the Customer Data within thirty (30) business days of receipt of said request. Customer understands and agrees to pay SWT a fee for the provision of requested data, subject to pre-approval of the fee amount by Customer.
a. Partial Disposal During Term of Customer Agreement. Throughout the term of a Customer Agreement, Customer may request partial disposal of Customer Data obtained under the Customer Agreement that is no longer needed for products/services.
b. Complete Disposal Upon Termination of Customer Agreements. Upon termination of all Customer Agreements between the parties, SWT shall dispose or delete all Customer Data obtained under such agreements, but only upon receipt of affirmative written confirmation from Customer that such data will not be transferred to a separate account.
12. Customer Audit Request.
Upon receipt of a written request from Customer and a proposed Statement of Work, SWT will allow Customer to audit or review the security and privacy measures that are in place to ensure protection of Customer Data within a reasonable timeframe after the request, subject to the provisions in Minn. Stat. § 13.02, subd. 13 or Minn. Stat. § 13.37, subd. 1(a).
13. Litigation Hold Request.
Upon receipt of a written litigation hold request from Customer, SWT will assist the Customer to preserve all documents and data identified by Customer within the scope of the litigation hold. Such efforts will include the suspension of deletion, overwriting or similar destruction of the documentation and data identified by Customer.
ARTICLE 4 – DATA SECURITY
1. Industry Standards.
- Center for Internet Security (CIS) - see http://www.cisecurity.org
- Payment Card Industry Data Security Standard (PCI DSS) - see http://www.pcisecuritystandards.org/
- National Institute of Standards and Technology (NIST) - see http://csrc.nist.gov
- Federal Information Security Management Act (FISMA) - see http://csrc.nist.gov
- ISO/IEC 27000-series - see http://www.iso27001security.com/
- Organization for the Advancement of Structured Information Standards (OASIS) - see http://www.oasis-open.org/
- The Open Web Application Security Project (OWASP) “Top Ten Project” - see http://www.owasp.org
- The CWE/SANS Top 25 Programming Errors - see http://cwe.mitre.org/top25/ or http://www.sans.org/top25-programming-errors/
- “Clear” media sanitization according to NIST Special Publication 800-88, Guidelines for Media Sanitization, Appendix A - see http://csrc.nist.gov/
- High Availability percentage calculation (i.e., percent uptime) - see http://en.wikipedia.org/wiki/High_availability
2. Customer Data Security.
SWT will preserve the confidentiality, integrity and availability of Customer Data with administrative, technical and physical measures that conform to the Industry Standards and the best practices that SWT then applies to its own processing environment. Maintenance of a secure processing environment includes, but is not limited to, the timely application of patches, fixes and updates to operating systems and applications as provided by SWT or by open source support.
3. Network Security.
SWT will maintain network security that conforms to Industry Standards and the best practices that SWT applies to its own network, including network firewall provisioning, intrusion detection, and regular third-party vulnerability assessments.
4. Application Security.
SWT will provide, maintain and support software licensed to Customers and subsequent updates, upgrades, and bug fixes as made available for the software so that such software is and remains secure from those vulnerabilities as described in Industry Standards.
5. Customer Data Storage.
SWT will ensure that any and all Customer Data will be stored, processed, and maintained solely on designated target servers and that no Customer Data at any time will be processed on or transferred to any portable or laptop computing device or any portable storage medium, unless that device or storage medium is in use as part of the SWT designated backup and recovery processes and encrypted in accordance with the provisions set forth below in Section 7.
6. Customer Data Transfer or Remote Access by Customer.
SWT will ensure that any and all electronic transmission, exchange or transfer of system and application Customer Data with Customer and/or any other parties expressly authorized in writing by Customer, e.g., vendors, shall take place via secure means (using HTTPS or SFTP or equivalent) and in accordance with the provisions set forth above in ARTICLE 3, Section 4. SWT will provide Customer with a Data Transfer Agreement (or similar document) to sign before any such transfer occurs. In the event Customer requests remote access to Customer Data via ODBC (open database connectivity), SWT will provide Customer with a Remote Access Agreement (or similar document) for signature by Customer and a similar agreement for signature by each individual using such access before remote access is available.
7. Customer Data Encryption.
SWT will store all backup Customer Data as part of its designated backup and recovery processes in encrypted form, using a commercially supported encryption solution. Additionally, all Student Data, or “private data” under the MGDPA stored on any portable or laptop computing device or any portable storage medium will be likewise encrypted. Encryption solutions will be deployed with no less than a 256-bit key for symmetric encryption and a 2048 (or larger) bit key length for asymmetric encryption.
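The key-length floors in this Section are the one requirement in the addendum that a reviewer can verify mechanically against the key material actually in use. The script below is an added example written for this page; it is not part of the addendum and not SWT tooling. It reads an RSA public key in PEM form (either a PKCS#1 “RSA PUBLIC KEY” block or an X.509 SubjectPublicKeyInfo “PUBLIC KEY” block), pulls the modulus out with a minimal DER parser, and compares its length and a symmetric key's length against the 2048-bit and 256-bit minimums. The sample key it builds is a constructed fixture whose modulus is just a number of the right size, not a real key pair, and all function names are the example's own.

```python
import base64
import re

# Policy floors from Section 7 of the addendum.
MIN_SYMMETRIC_BITS = 256
MIN_ASYMMETRIC_BITS = 2048

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption), as used in SubjectPublicKeyInfo.
RSA_OID = bytes.fromhex("2a864886f70d010101")


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at `pos`; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _pem_to_der(pem: str) -> bytes:
    body = re.sub(r"-----(BEGIN|END) [^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def rsa_modulus_bits(pem: str) -> int:
    """Return the modulus length in bits of a PKCS#1 or SubjectPublicKeyInfo RSA public key."""
    tag, seq, _ = _read_tlv(_pem_to_der(pem), 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, first, nxt = _read_tlv(seq, 0)
    if tag == 0x30:                         # SubjectPublicKeyInfo: AlgorithmIdentifier, BIT STRING
        oid_tag, oid, _ = _read_tlv(first, 0)
        if oid_tag != 0x06 or oid != RSA_OID:
            raise ValueError("not an rsaEncryption key")
        bs_tag, bitstr, _ = _read_tlv(seq, nxt)
        if bs_tag != 0x03:
            raise ValueError("expected BIT STRING")
        _, seq, _ = _read_tlv(bitstr[1:], 0)   # skip the unused-bits octet, unwrap PKCS#1 SEQUENCE
        tag, first, nxt = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(first, "big").bit_length()   # positive DER INTEGER, may carry a 0x00 pad


def check_backup_encryption(rsa_pem: str, symmetric_key: bytes) -> list:
    """Return policy findings; an empty list means both key lengths meet Section 7."""
    findings = []
    asym = rsa_modulus_bits(rsa_pem)
    if asym < MIN_ASYMMETRIC_BITS:
        findings.append(f"asymmetric key is {asym} bits; policy floor is {MIN_ASYMMETRIC_BITS}")
    sym = len(symmetric_key) * 8
    if sym < MIN_SYMMETRIC_BITS:
        findings.append(f"symmetric key is {sym} bits; policy floor is {MIN_SYMMETRIC_BITS}")
    return findings


# --- constructed test fixture: NOT a real key pair, the modulus is only a number of the right size ---

def _der_tlv(tag: int, value: bytes) -> bytes:
    if len(value) < 0x80:
        length = bytes([len(value)])
    else:
        raw = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value


def _der_int(v: int) -> bytes:
    raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                       # keep the INTEGER positive
        raw = b"\x00" + raw
    return _der_tlv(0x02, raw)


def synthetic_rsa_pem(bits: int, spki: bool = False) -> str:
    """Build a PEM whose modulus has exactly `bits` bits (synthetic, unusable for cryptography)."""
    n = (1 << (bits - 1)) | 1
    pkcs1 = _der_tlv(0x30, _der_int(n) + _der_int(65537))
    if spki:
        alg = _der_tlv(0x30, _der_tlv(0x06, RSA_OID) + _der_tlv(0x05, b""))
        der = _der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + pkcs1))
        label = "PUBLIC KEY"
    else:
        der, label = pkcs1, "RSA PUBLIC KEY"
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    for bits, key in ((2048, bytes(32)), (1024, bytes(16))):
        print(bits, check_backup_encryption(synthetic_rsa_pem(bits), key) or "compliant")
```

Two caveats when applying a check like this in practice. The 2048-bit floor is written with RSA (and finite-field Diffie-Hellman) in mind; an elliptic-curve key reaches comparable strength at 256 bits and should be judged on its own scale rather than failed by a modulus-length test. And key length says nothing about the algorithm mode or where the key lives: a 256-bit AES key used in ECB mode, or stored alongside the backup it protects, passes the number while defeating the purpose of the Section.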
8. Security Breach Notification.
If SWT becomes aware of a privacy incident or a security incident (each as defined below in this Section 8) regarding any Customer Data, SWT will report the event to the Customer and the Customer's Chief Technology Officer (or employee with similar title and responsibility) within two (2) business days, or within the time frame specified under applicable state law, subject to any restrictions imposed by law enforcement authorities.

In addition, Customer shall notify SWT of: (a) suspected security events, system or network compromises, or other events related to Customer’s systems that could impact the confidentiality, integrity or availability of the SWT-managed applications or systems; (b) any defects in software licensed to Customer, reproducing the suspected defects in the unaltered software; and (c) upon SWT's request and to the extent provided by law, additional data in machine-readable or interpreted form that SWT deems necessary or desirable to reproduce the environment in which the defect occurred and to install defect correction and maintenance releases.

The decision whether to notify the Customer's data subjects affected by a security or privacy incident, and the notifications themselves, are the responsibility of the Customer.

To the extent within the coverage and limits of SWT's current insurance policy, and subject to the provisions of Minn. Stat. § 466.06 if applicable, SWT shall indemnify, hold harmless and defend the Customer and its officers and employees for and against any claims, damages, costs and expenses related to any privacy or security incident involving any Customer Data, except to the extent caused by the Customer or a third party. SWT and the Customer each have a duty to reasonably mitigate any harmful effects resulting from any privacy or security incident involving any Customer Data.
For purposes of this Section 8, "security incident" means the successful unauthorized access, use, disclosure, modification or destruction of data, or interference with system operations, in an information system. "Privacy incident" means a violation of the MGDPA and/or the privacy requirements in federal laws, rules and regulations, including, but not limited to, improper or unauthorized use or disclosure of not public data, improper or unauthorized access to or alteration of public data, and incidents in which the confidentiality of the Customer Data maintained by SWT has been breached. “Not public data” has the meaning set forth in the MGDPA, Minn. Stat. § 13.02, subd. 8a.