EXHIBIT B
DATA PRIVACY ADDENDUM
Modeled after Version 2.0 of the Student Data Privacy Consortium’s Model Contract
[PARTNER SCHOOL NAME]
and
GRADIENT LEARNING
This DATA PRIVACY ADDENDUM (this “Data Privacy Addendum”) is entered into by and between PARTNER SCHOOL (as defined in the related Program Agreement) and Gradient Learning (“Gradient Learning”), a California nonprofit public benefit corporation, having an address at 818 W. Seventh Street, Suite 930, Los Angeles, CA 90017, on the Effective Date (each of Gradient Learning and Partner School, a “Party” and together the “Parties”). The Parties agree to the terms as stated herein.
1. PURPOSE AND SCOPE
1.1 Purpose of Data Privacy Addendum.
The purpose of this Data Privacy Addendum is to describe the duties and responsibilities to protect Student Data transmitted to Gradient Learning from the Partner School and its Users pursuant to the Agreement, including compliance with all applicable federal and state privacy statutes. This Data Privacy Addendum, together with the Summit Learning Platform Partner School Terms of Service (“Terms of Service”) and the Summit Learning Program Agreement (“Program Agreement”) is the entire agreement between the Partner School and Gradient Learning (“Agreement”). This Data Privacy Addendum defines the base level of security. We regularly evaluate our policies and practices to improve the security of our network and systems and to respond to evolving best practices. For more information on our current security practices see Gradient Learning Security Whitepaper (“Security Whitepaper”).
1.2 Nature of Services Provided.
Pursuant to and as fully described in the Program Agreement, Gradient Learning has agreed to provide the Summit Learning Program (the “Program”) and the Summit Learning Platform (“Platform”) and any other products and services that the Program may provide now or in the future (collectively, the “Services”).
1.3 Student Data to Be Provided.
In order to use the Services, Partner School and its Users may provide the categories of Student Data described in the Schedule of Data, attached hereto as Exhibit A.
1.4 Data Privacy Addendum Definitions.
Capitalized terms used herein and not otherwise defined in the Program Agreement or Terms of Service shall have the meanings set forth in Exhibit B hereto or as otherwise defined herein.
2. DATA OWNERSHIP AND AUTHORIZED ACCESS
2.1 Student Data Property of Partner School.
All Student Data or any other Pupil Records transmitted to Gradient Learning pursuant to the Agreement is and will continue to be the property of, and under the control of, the Partner School, or the party who provided such Student Data or Pupil Records (such as the student or Caregiver). The Parties agree that as between them, all rights, including all intellectual property rights in and to Student Data or any other Pupil Records contemplated per the Agreement shall remain the exclusive property of the Partner School or the party who provided such Student Data or Pupil Records (such as the student or Caregiver). For the purposes of the Family Educational Rights and Privacy Act, 20 U.S.C. 1232g (“FERPA”), to the extent Personally Identifiable Information from Education Records are transmitted to Gradient Learning from Partner School, Gradient Learning shall be considered a School Official with a legitimate educational interest, under the direct control of the Partner Schools as it pertains to the use of Education Records notwithstanding the above. Gradient Learning shall, at the School’s request, provide for review of Student Data or Pupil Records within thirty (30) days following a written request. To the extent this Data Privacy Addendum is governed by the Children’s Online Privacy Protection Act, 15 U.S.C. 6501-6502 (“COPPA”), the Partner School consents to the collection of Student Data as provided in the Agreement and our Privacy Policy. Gradient Learning agrees to use Student Data solely for the use and benefit of the Partner School, and for no other commercial purpose.
2.2 Caregiver Access.
As set forth in applicable law, Partner School shall establish reasonable procedures by which a Caregiver, or eligible Student User may review and request amendment of Pupil Records and/or Student Data and correct erroneous information, consistent with the functionality of Services. Gradient Learning shall respond within 30 days to the Partner School’s written request for a student’s Pupil Records held by Gradient Learning to view or correct as necessary. In the event that a Caregiver of a student or other individual contacts Gradient Learning to review any of the Pupil Records or Student Data accessed pursuant to the Services, Gradient Learning shall refer the parent or individual to the Partner School, who shall follow the necessary and proper procedures regarding the requested information.
2.3 Third Party Request.
Should a Third Party that is not a Service Provider contact Gradient Learning with a request for Student Data held by Gradient Learning pursuant to the Services, Gradient Learning shall redirect the Third Party (including law enforcement and government entities) to request the Student Data directly from the Partner School. Gradient Learning shall notify the Partner School in advance of such compelled disclosure to a Third Party, unless legally prohibited.
2.4 No Unauthorized Use.
Gradient Learning shall not use Personally Identifiable Information from Student Data, or in a Pupil Record, for any purpose other than as explicitly specified in the Agreement.
2.5 Service Providers.
Gradient Learning may use Service Providers in order to perform its duties under the Agreement. Gradient Learning shall enter into written agreements with all Service Providers and shall be responsible for any actions of Service Providers that would be a breach of this Data Privacy Addendum.
3. DUTIES OF PARTNER SCHOOL
3.1 Provide Data In Compliance With FERPA.
Partner School shall provide Student Data for the purposes of the Agreement in compliance with any applicable state or federal laws and regulations (including FERPA) pertaining to data privacy and security applicable to Partner School. If Partner School provides Education Records to Gradient Learning, Partner School represents, warrants and covenants to Gradient Learning, as applicable, that Partner School has:
- complied with all applicable provisions of FERPA relating to disclosures to school officials with a legitimate educational interest, including, without limitation, informing Caregivers in their annual notification of FERPA rights that the Partner School defines “school official” to include service providers and defines “legitimate educational interest” to include services such as the type provided by Gradient Learning; or
- obtained all necessary written consent from a Caregiver or eligible Student User to share the Student Data with Gradient Learning, in each case, solely to enable Gradient Learning’s operation of the Services.
3.2 Reasonable Precautions.
Partner School shall take reasonable precautions to secure usernames, passwords, and any other means of gaining access to the Services and Student Data in accordance with the Agreement and applicable law.
3.3 Unauthorized Access Notification.
Partner School shall notify Gradient Learning immediately of any known or suspected unauthorized use or access of the Platform or Student Data. Partner School will assist Gradient Learning in any efforts by Gradient Learning to investigate and respond to any unauthorized use or access.
3.4 Partner School Representative.
The Principal Contact Person designated in the Program Agreement shall serve as the representative of the Partner School for the coordination and fulfillment of the duties of this Data Privacy Addendum.
4. DUTIES OF GRADIENT LEARNING
4.1 Privacy Compliance.
Gradient Learning shall comply with all state and federal laws and regulations related to privacy and security and applicable to Partner Schools and/or Gradient Learning in providing the Services to Partner School.
4.2 Authorized Use.
Student Data and Licensed User data shared pursuant to the Agreement, including persistent unique identifiers that are personally identifiable, shall be used for no purpose other than the Services, for the uses set forth in the Agreement, for Partner School support and development across and among Gradient Learning platforms and services, and/or as otherwise legally permissible. The foregoing limitation does not apply to any De-Identified Data.
4.3 Staff Obligation.
Gradient Learning shall require all employees, staff, agents, and Service Providers who have access to Student Data to comply with all applicable laws with respect to the Student Data shared under the Agreement. Gradient Learning agrees to require and maintain written confidentiality obligations from each of its employees, staff, agents, or Service Providers with access to Student Data pursuant to the Agreement.
4.4 No Disclosure.
Gradient Learning shall not disclose any Student Data obtained under the Agreement in a manner that directly identifies an individual student to any other entity except as authorized by the Agreement, or as required by law. Gradient Learning will not Sell Student Data. Additionally, Gradient Learning will not disclose, trade, or transfer Student Data to any third parties, except with the prior written consent of the Partner School. The prohibition on disclosing, trading, or transferring Student Data does not apply to the access to or disclosure of Student Data (a) to Partner School, (b) to authorized Licensed Users, including Caregivers, (c) to and among affiliated Gradient Learning organizations for the purposes of providing and improving Partner School support, product analytics and development, and other internal usage as permitted by law, (d) as authorized by a Caregiver, or eligible Student User, (e) as permitted by law or (f) to Service Providers, in connection with operating or improving the Services. The list of Gradient Learning’s current Service Providers used for the Services can be accessed through the Privacy Policy (which may be updated from time to time).
4.5 De-Identified Data.
Gradient Learning may create De-Identified Data, and De-Identified Data may be used for any lawful purpose including, but not limited to, operating, improving, and developing Gradient Learning’s educational sites, services, or applications. Gradient Learning’s use of such De-Identified Data shall survive termination of this Data Privacy Addendum or any request by Partner School to return or destroy Student Data. Gradient Learning agrees not to attempt or have any third party attempt to re-identify De-Identified Data except for the sole purpose of validating Gradient Learning’s de-identification processes. Prior to publishing any document that names the Partner School explicitly or indirectly, the Provider shall obtain the Partner School’s written approval of the manner in which de-identified data is presented.
4.6 Disposition of Student Data.
Upon Partner School’s written request, Gradient Learning shall transfer, dispose of, or delete all Personally Identifiable Information contained in Student Data within sixty (60) days following the written request, or as required by law, and according to a schedule and procedure as Gradient Learning and the Partner School may reasonably agree. However, some information may remain on logs or encrypted backup storage copies until they are deleted. Further, Gradient Learning may retain information to comply with our legal obligations or to protect the safety and security of our Users or our Services, for example, in cases of past policy and content violations or due to a request from law enforcement. Such information will be disposed of or deleted when it is no longer needed for the purpose for which it was retained. Upon termination of the Agreement, if no written request is received, Gradient Learning shall dispose of or delete all Personally Identifiable Information contained in Student Data, after providing the Partner School with reasonable prior notice, at the earliest of (a) when it is no longer needed for the purpose for which it was obtained or (b) as required by applicable law. Disposition shall include (1) the shredding of any hard copies of any Personally Identifiable Information contained in Student Data; (2) erasing any Personally Identifiable Information contained in Student Data; or (3) otherwise modifying the Personally Identifiable Information contained in Student Data to make it unreadable or indecipherable or de-identified. Gradient Learning shall provide written notification to the Partner School when the Personally Identifiable Information contained in the Student Data has been disposed. The duty to dispose of Student Data shall not extend to De-Identified Data.
4.7 Advertising Prohibition.
Gradient Learning shall not use, disclose, or sell Personally Identifiable Information contained in Student Data to (a) inform, influence, or serve Behaviorally Targeted Advertising to students or families/guardians or any other user; or (b) develop a profile of a student or any other user for any commercial purpose other than providing the Services to Partner School or as set forth in the Agreement. Gradient Learning shall not use or disclose Personally Identifiable Information contained in Student Data for Third-Party Advertising. This section does not prohibit Gradient Learning from using Student Data (i) for adaptive learning or customized student learning (including generating personalized learning recommendations); or (ii) to make product recommendations to teachers or LEA employees; or (iii) to notify account holders about new education product updates, features, or services or from otherwise using Student Data as permitted in this DPA.
5. DATA PROVISIONS
Gradient Learning’s core security commitments are set forth below and we commit to maintaining this baseline. (For more information regarding Gradient Learning’s current security practices, see the Security Whitepaper.)
5.1 Data Storage.
Where required by applicable law, Student Data shall be stored within the United States. Upon request of the LEA, Gradient Learning will provide a list of the locations where Student Data is stored.
5.2 Data Security.
Gradient Learning agrees to store and process data by employing administrative, physical, and technical safeguards designed to protect Student Data from unauthorized access, disclosure, and use or acquisition by an unauthorized person, including when transmitting and storing such information. Currently, Gradient Learning implements security practices identified in our Security Whitepaper. These measures shall include, but are not limited to:
- Gradient Learning shall implement strong authentication methods including multi-factor authentication (MFA) with strong password complexity for all employees and contractors. These methods meet or exceed Article 4.3 of NIST 800-63-3.
- Gradient Learning may grant employees, agents, staff, and Service Providers (collectively, “Agents”) access to Student Data solely as necessary for Gradient Learning to provide the Services. Gradient Learning shall, as required by law or at its discretion (as the law permits), conduct criminal background checks of Agents prior to providing access to Student Data. Gradient Learning shall prohibit access to Student Data by any person who presents an unreasonable risk to Partner Schools or its Users due to criminal or other relevant unsatisfactory information.
- Gradient Learning shall destroy or delete all Personally Identifiable Information contained in Student Data obtained under the Agreement as set forth in Section 4.6 hereof.
- Gradient Learning shall employ a strong modern encryption technology designed to securely transmit (encryption in transit) and store all Student Data (encryption at rest). Gradient Learning shall maintain all Student Data obtained or generated pursuant to the Agreement in a secure computing environment and shall not copy, reproduce, or transmit data obtained pursuant to the Agreement, except as necessary to fulfill the purpose of data requests by Partner School or as otherwise set forth in the Agreement.
- Gradient Learning shall create a secured data backup and recovery capability that is designed to help ensure an effective, timely and accurate restoration of all Student Data. The capability will be designed to minimize the amount of Student Data loss in the event of some form of catastrophic failure. For further protection, those backups will be encrypted and are stored in a different region.
- Gradient Learning shall adopt and maintain a secure software development lifecycle (“Secure SDLC”) which will incorporate industry standard security practices such as penetration testing, code reviews and architecture analysis as essential functions of the development effort. Any identified security vulnerability will be remediated in a timely manner.
- Gradient Learning shall provide periodic security training to those of its employees and staff who have access to Student Data.
- Gradient Learning shall enter into written agreements whereby Service Providers agree to prevent unauthorized access and use of Student Data in a manner consistent with the terms of this Section 5.2. Gradient Learning shall periodically conduct or review such compliance of Service Providers.
In the event Partner Schools have questions regarding Data Privacy or Security, they may contact our team at privacy@summitlearning.org. Vulnerabilities can be responsibly disclosed by contacting security@summitlearning.org.
5.3 Incident Response and Security Governance.
In addition to those security measures described in Section 5.2, Gradient Learning also implements an incident response and security governance program, which:
- Maintains platform availability through event monitoring and response procedures for all site outages or any observable occurrences, automated site outage notifications, handling and reporting by On-Call personnel.
- Implements incident response policies, plans and procedures focused on timely and effective incident response. These procedures shall be made available to Partner School upon request.
- Restricts network and physical access to Summit Learning Platform infrastructure. We also leverage services to monitor for suspicious activity and employ professionals with training in security incident detection and response. More information about our infrastructure can be found in the Security Whitepaper.
- Implements oversight and governance procedures for security risks and vulnerabilities, including a Vulnerability Disclosure Program and mandatory reviews of any incidents affecting the Summit Learning Platform.
5.4 Security Incident Notification.
In the event that Gradient Learning becomes aware of an unauthorized disclosure of or access to Student Data (a “Security Incident”), Gradient Learning shall provide notice to the Partner School without undue delay or as required by the applicable state law (each, a “Security Incident Notification”).
(a) Unless otherwise required by the applicable law, the Security Incident Notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described herein under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.
(b) The Security Incident Notification described above in Section 5.4(a) shall include such information required by the applicable state law and the following information:
(i) The name and contact information of the reporting Partner School subject to this section.
(ii) A list of the types of Personally Identifiable Information that were or are reasonably believed to have been the subject of the Security Incident.
(iii) If the information is known at the time the Security Incident Notification is provided, then either (1) the date of the Security Incident, (2) the estimated date of the Security Incident, or (3) the date range within which the Security Incident occurred. The Security Incident Notification shall also include the date of the notice.
(iv) Whether, to the knowledge of Gradient Learning at the time notice is provided, the notification was delayed as a result of a law enforcement investigation or request.
(v) A general description of the Security Incident, if that information is possible to determine at the time the notice is provided.
(c) At Gradient Learning’s discretion, the Security Incident Notification may also include any of the following:
(i) Information about what Gradient Learning has done to protect individuals whose Personally Identifiable Information has been breached by the Security Incident.
(ii) Advice on steps that the person whose Personally Identifiable Information has been breached may take to protect themselves.
(d) LEA shall provide notice and facts surrounding the Security Incident to the affected students or Caregivers. To the extent required by the applicable state law, Gradient Learning shall seek to notify the affected Caregiver or eligible Student User of the Security Incident, which shall include as applicable the information listed in subsections (b) and (c), above.
6. MISCELLANEOUS
6.1 Term.
Except as otherwise stated herein, Gradient Learning shall be bound by this Data Privacy Addendum for the duration of the Program Agreement or a longer period as required by law.
6.2 Termination.
In the event that either Party seeks to terminate this Data Privacy Addendum, they may do so by terminating the Program Agreement as set forth therein.
6.3 Effect of Termination.
If the Agreement is terminated, Gradient Learning shall dispose of all of Partner School’s Personally Identifiable Information contained in Student Data pursuant to Section 4.6.
6.4 Priority of Agreements.
This Data Privacy Addendum shall govern the treatment of Student Data. With respect to the treatment of Student Data, in the event there is conflict between the terms of this Data Privacy Addendum and the Program Agreement, the Terms of Service, or any other agreement between the Partner School and Gradient Learning, the terms of this Data Privacy Addendum shall apply and take precedence. Except as described in this paragraph, all other provisions of the Program Agreement and Terms of Service shall remain in effect.
6.5 Notice.
All notices or other communication required or permitted to be given hereunder must be sent to Partner School or Gradient Learning, as applicable, as provided in the Program Agreement.
EXHIBIT A
SCHEDULE OF DATA
In order to use the Services, Partner School and its Users may provide the categories of Student Data described in this Schedule of Data.
Categories of Data
✔ Indicates a Category is used by the service
Application Technology Meta Data | |
---|---|
IP addresses of users, use of cookies etc. | ✔ |
Other application technology meta data-Please specify: | |
Application Use Statistics | |
---|---|
Meta data on user interaction with application. | ✔ |
Assessment | |
---|---|
Standardized test data (NWEA MAP, SBAC, AP, IB, etc) | ✔ |
Observation data | ✔ |
Other assessment data-Please specify: | |
Attendance | |
---|---|
Student school (daily) attendance data | ✔ |
Student class attendance data | ✔ |
Other attendance: Suspensions/expulsions | |
Communications | |
---|---|
Online communications that are captured (emails, blog entries) * Help/Support tickets from end-users with free form text, screenshots, Communications |
Conduct | |
---|---|
Conduct or behavioral data | |
Demographics | |
---|---|
Date of birth | ✔ |
Place of birth | |
Gender | ✔ |
Ethnicity or race | ✔ |
Language information (native, preferred or primary language spoken by student) | ✔ |
Other demographic information-Please specify: Socioeconomic status | |
Enrollment | |
---|---|
Student school enrollment | ✔ |
Student grade level | ✔ |
Homeroom | ✔ |
Guidance counselor | ✔ |
Specific curriculum programs | ✔ |
Year of graduation | ✔ |
Clever ID# | ✔ |
SIS ID# | ✔ |
Parent/Guardian/Caregiver Contact Information | |
---|---|
Address | |
✔ | |
Phone | ✔ |
Parent/Guardian/Caregiver ID | |
---|---|
Parent ID number (created to link parents, legal guardians, or caregivers to students) | ✔ |
Parent/Guardian/Caregiver Name | |
---|---|
First and/or last | ✔ |
Schedule | |
---|---|
Student scheduled courses | ✔ |
Teacher names | ✔ |
Special Indicator | |
---|---|
English language learner information | ✔ |
Low income status | ✔ |
Medical alerts / health data | |
Student disability information | ✔ |
Specialized education services (IEP or 504) | ✔ |
Living situations (homeless/foster care) | |
Other indicator information-Please specify: | |
Student Contact Information | |
---|---|
Address | |
✔ | |
Phone | |
Student Identifiers | |
---|---|
Local (School district) ID number | ✔ |
State ID number | ✔ |
Vendor/app assigned student ID number | ✔ |
Student app username | |
Student app passwords | |
Student Name | |
---|---|
First and/or last | ✔ |
Student In App Performance | |
---|---|
Program/application performance (reading program-student reads below grade level) | ✔ |
Student Program Membership | |
---|---|
Academic or extracurricular activities a student may belong to or participate in | ✔ |
Student Survey Responses | |
---|---|
Anonymous student responses to surveys or questionnaires | ✔ |
Student work | |
---|---|
Student generated content; writing, pictures etc. | ✔ |
Other student work data -Please specify: | |
Student Outcome Information | |
---|---|
Student outcome information (grade level promotion and matriculation, AP and IB test information, college admission test scores, college eligibility and acceptance, and employment) | ✔ |
Transcript | |
---|---|
Student course grades | ✔ |
Student course data | ✔ |
Student course grades/performance scores | ✔ |
Other transcript data -Please specify: | |
Transportation | |
---|---|
Student bus assignment | |
Student pick up and/or drop off location | |
Student bus card ID number | |
Other transportation data -Please specify: | |
Other | |
---|---|
Teacher feedback on coursework | ✔ |
Teacher curricula and notes and feedback to or about students | ✔ |
Teacher and parent/legal guardian/caregiver answers to surveys about the Services or curricula; and feedback, suggestions, questions, and ideas submitted to Gradient Learning from parents/legal guardians/caregivers, teachers or school administrators or officials | ✔ |
Mentor observations | ✔ |
EXHIBIT B
DEFINITIONS
“Agreement” means, collectively, this Data Privacy Addendum, the Summit Learning Platform Partner School Terms of Service and the Summit Learning Program Agreement.
“Behaviorally Targeted Advertising” means presenting an advertisement to a User where the selection of the advertisement is based on Student Data or Pupil Generated Content or inferred over time from the usage of Summit Learning’s website, online service or mobile application by such student or the retention of such student’s online activities or requests over time and across non-affiliate websites for the purpose of targeting subsequent advertising.
“Caregiver” is the parent, legal guardian or caregiver of a Student User.
“De-Identified Data” is information that has all direct and indirect personal identifiers removed such that the data cannot reasonably be used to identify or contact a student. This includes, but is not limited to, persistent unique identifiers, name, ID numbers, date of birth, and school ID.
“Directory Information” shall have the meaning given under FERPA cited as 20 U.S.C. § 1232g(a)(5)(A).
“Education Records” shall have the meaning given under FERPA cited as 20 U.S.C. § 1232g(a)(4).
“Indirect Identifiers” means any information that, either alone or in aggregate, would allow a reasonable person to be able to identify a student to a reasonable certainty. When anonymous or non-personal information is directly or indirectly linked with personal information, this anonymous or non-personal information is also treated as personal information. Persistent identifiers that are not anonymized, de-identified or aggregated are personal information.
“Licensed User” means a teacher, school administrator, employee, contractor, official, agent of a Partner School or the parent or legal guardian of a Student User with an account on the platform.
“On-Call” means the Gradient Learning personnel tasked with monitoring system alerts and responding to incidents. Gradient Learning will use reasonable efforts to have an engineer on-call at any given moment.
“Personally Identifiable Information” or “PII” means data that can be used to identify or contact a particular individual, including direct and Indirect Identifiers, such as the individual’s name, email address or billing information, or other data which can be reasonably linked to that data or to that individual’s specific computer or device. PII includes, without limitation, at least the following: first and last name, home address, telephone number, email address, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, and videos.
“Pupil Generated Content” means materials or content created by a Student User during and for the purpose of education including, but not limited to, essays, research reports, portfolios, creative writing, music or other audio files, photographs, videos, and account information that enables ongoing ownership of content.
“Pupil Records” means both of the following: (1) any information that directly relates to a Student User that is maintained by Partner School and (2) any information acquired directly from the Student User through the use of instructional software or applications assigned to the Student User by a teacher or other employee of the Partner School.
“School Official” means, for the purposes of this Data Privacy Addendum and pursuant to 34 CFR § 99.31 (B), a contractor that: (1) performs an institutional service or function for which the agency or institution would otherwise use employees; (2) is under the direct control of the agency or institution with respect to the use and maintenance of Education Records; and (3) is subject to 34 CFR § 99.33(a) governing the use and re-disclosure of Personally Identifiable Information from Education Records.
“Sell” consistent with the Student Online Privacy Protection Act (SOPIPA) and the Student Privacy Pledge, does not include or apply to the purchase, merger, or other type of acquisition of a company by another entity, provided that the company or successor entity continues to treat the personal information in a manner consistent with the Education Privacy Principles with respect to the previously acquired personal information.
“Service Provider” means, for the purposes of the Data Privacy Addendum, a party other than Partner School or Gradient Learning or Users, who Gradient Learning uses for data collection, analytics, storage, or other service to operate and/or improve the Platform, and who has access to PII, including Student Data.
“Student Data” means any data, whether gathered by Gradient Learning or provided by Partner School and its users, students, or students’ parents/guardians, that is directly related to a Partner School student including, but not limited to, information in the student’s Educational Record or email, first and last name, birthdate, home address or other physical address, telephone number, email address, or other information allowing physical or online contact, discipline records, videos, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security numbers, biometric information, disabilities, socioeconomic information, individual purchasing behaviors or preferences, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings or geolocation information. Student Data shall include student login credentials, passwords, Student User authentication tokens or security devices used for student Platform or infrastructure access. Student Data shall also constitute Pupil Records for the purposes of this Data Privacy Addendum. Student Data as specified in Exhibit A is confirmed to be collected or processed by Gradient Learning pursuant to the Services. Student Data shall not constitute that information that has been anonymized, De-Identified Data, or anonymous usage data regarding a student’s use of the Services.
“Student User” means a student enrolled at the Partner School with an account on the Platform.
“Summit Learning Website” means the website for the Program presently located at www.summitlearning.org, which URL is subject to change from time to time.
“Terms of Service” means the Summit Learning Platform Partner School Terms of Service between Gradient Learning and the authorized representative of each Partner School and Gradient Learning, located on the Summit Learning website [available at https://www.summitlearning.org/privacy-center].
“Third Party” means, for purposes of this Data Privacy Addendum, any person other than Gradient Learning, Partner School, a User, or a Service Provider.
“Third-Party Advertising” means direct advertising of third parties and their products or services on our Services (e.g., when an advertiser would bid to place an advertisement directly on a platform). Gradient Learning does not allow third parties to advertise directly on its Services in user logged-in areas of the Services, nor does Gradient Learning sell advertising space in logged-in areas on the Platform. Gradient Learning also does not use third-party ad servers (such as Google AdWords or AdSense) in user logged-in areas of the Platform.
“Users” means, collectively, Student Users and Licensed Users.
Appendix 1
Certain State-Specific Terms, to Exhibit B, Data Privacy Addendum
This document, Appendix 1, Certain State-Specific Terms (“Appendix”) is incorporated into Exhibit B, Data Privacy Addendum (“DPA”) and the Privacy Policy available at https://www.summitlearning.org/privacy-center/privacy-policy. The Summit Learning DPA and Privacy Policy, together with the Summit Learning Platform Partner School Terms of Service (“Terms of Service”) and the Summit Learning Program Agreement (“Program Agreement”) is the entire agreement between the Partner School and Gradient Learning (collectively, the “Agreement”). Capitalized terms used but not defined herein shall have the meanings set forth in the Agreement.
California
The Agreement, incorporating the DPA and this Appendix, constitutes the written agreement mandated by California AB 1584, codified at California Education Code § 49073.1, and includes the following statements:
- As set forth in section 2.1 of the DPA, pupil records continue to be the property of and under the control of the Partner School;
- As set forth in section 4.2 of the DPA and section 3.2 of the Privacy Policy, any information in the pupil record shared with Gradient Learning pursuant to the Agreement, shall be used for no purpose other than those required or specifically permitted by the Agreement;
- A parent, legal guardian, or eligible pupil may review personally identifiable information in the pupil’s records that is collected by Gradient Learning, and correct erroneous information, as set forth in section 2.2 of the DPA and section 4 of the Privacy Policy;
- As set forth in section 5.2 of the DPA and section 6 of the Privacy Policy, Gradient Learning shall provide periodic security training designed to ensure the security and confidentiality of pupil records to those of its employees and staff who have access to pupil records;
- As set forth in section 5.4 of the DPA, Gradient Learning will notify the Partner School when there has been an unauthorized release, disclosure or acquisition of pupil records; and to the extent required by Cal. Civ. Code § 1792.82 et seq., Gradient Learning, in coordination with the Partner School as appropriate, shall seek to notify the affected parent, legal guardian or eligible pupil;
- As set forth in section 4.6 of the DPA and section 7 of the Privacy Policy, a pupil’s records shall not be retained or available to Gradient Learning upon completion of the terms of the Agreement;
- As set forth in section 2.1 and section 3.1 of the DPA, Gradient Learning and Partner School shall ensure compliance with the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g); and
- As set forth in section 4.7 of the DPA and section 3.2 of the Privacy Policy, Gradient Learning shall not use personally identifiable information in pupil records to engage in targeted advertising.
Colorado
Gradient Learning complies with all applicable requirements of Colorado’s Student Data Transparency and Security Act, C.R.S. 22-16-101, et seq.
Connecticut
The Agreement, incorporating the DPA and this Appendix, constitutes the written agreement mandated by the Connecticut Act Concerning Student Data Privacy, Conn. Gen. Stat. Ann. § 10-234aa-dd, and includes the following statements:
- As set forth in section 2.1 of the DPA, Student Data, which includes student information, student records and student-generated content, are not the property of or under the control of Gradient Learning;
- Section 4.6 of the DPA sets forth the means by which the Partner School may request the deletion of any Student Data in the possession of the contractor that is not (A) otherwise prohibited from deletion or required to be retained under state or federal law, or (B) stored as a copy as part of a disaster recovery storage system and that is (i) inaccessible to the public, and (ii) unable to be used in the normal course of business by Gradient Learning;
- As set forth in section 4.2 of the DPA, Gradient Learning shall not use Student Data for any purposes other than those authorized pursuant to the Agreement. The Agreement sets forth the exclusive purposes for which the Student Data will be used by Gradient Learning;
- A student, parent or legal guardian of a student may review personally identifiable information contained in Student Data collected by Gradient Learning, and correct erroneous information, if any, in such student record as set forth in section 2.2 of the DPA and section 4 of the Privacy Policy;
- Gradient Learning’s core security commitments designed to ensure the security and confidentiality of Student Data are set forth in section 5.2 of the DPA and outlined in section 6 of the Privacy Policy;
- As set forth in section 5.4 of the DPA, Gradient Learning will notify the Partner School when there has been an unauthorized release, disclosure or acquisition of Student Data;
- As set forth in section 4.6 of the DPA and section 7 of the Privacy Policy, Student Data shall not be retained or available to Gradient Learning upon termination of the Agreement;
- As set forth in section 2.1 and section 3.1 of the DPA, Gradient Learning and the Partner School shall ensure compliance with the Family Educational Rights and Privacy Act of 1974, 20 USC 1232g, as amended from time to time;
- As set forth in section 10 of the Program Agreement, the laws of the state of Connecticut shall govern the rights and duties of Gradient Learning and the Partner School; and
- As set forth in section 11.4 of the Program Agreement, if any provision of the Agreement or the application of the Agreement is held invalid by a court of competent jurisdiction, the invalidity does not affect other provisions or applications of the Agreement which can be given effect without the invalid provision or application.
Idaho
The Agreement, incorporating the DPA and this Appendix, constitutes the written agreement mandated by the Student Data Accessibility, Transparency and Accountability Act, codified at Idaho Code 33-133, and includes the following statements:
- Gradient Learning’s commitments to safeguard the privacy and security of Student Data are set forth in the DPA, including section 5.2, and are outlined in the Privacy Policy;
- As set forth in section 4.2 of the DPA, and section 3.2 of the Privacy Policy, Student Data shall be used for no purpose other than the Services and for the uses set forth in the Agreement and/or as otherwise legally permissible;
- As set forth in section 4.5 of the DPA and section 3 of the Privacy Policy, Gradient Learning will use de-identified or aggregated data for secondary uses. Gradient Learning may use Student Data for secondary uses only after receiving written permission from the student’s parent or legal guardian;
- As set forth in section 4.7 of the DPA and section 3.2 of the Privacy Policy, Gradient Learning shall not process Student Data for any commercial purposes, including, but not limited to, sales, marketing or advertising;
- As set forth in section 4.2 of the DPA, and section 3.2 of the Privacy Policy, Gradient Learning may process or monitor Student Data to provide, improve, develop and maintain the integrity of the Services;
- Section 4.6 of the DPA sets forth the time period, not to exceed 60 days, and process by which Gradient Learning will either delete or transfer personally identifiable information upon the expiration of the contract or when requested to do so by notification from the Partner School; and
- Gradient Learning acknowledges it may face potential liability as a penalty for intentional or grossly negligent noncompliance with this Agreement, including termination of the Agreement and payment of monetary damages, subject to section 8 of the Program Agreement, for any breach of the terms of this Agreement that cause actual harm to the Partner School.
Illinois
The Agreement, incorporating the DPA and this Appendix, constitutes the written agreement mandated by the Illinois Student Online Personal Protection Act (“SOPPA”), codified at 105 ILCS 85/5, and includes the following statements:
- A listing of the categories or type of information to be provided to Gradient Learning is available for public review in Exhibit A, Schedule of Data of the DPA;
- Pursuant to and as fully described in the Agreement, Gradient Learning has agreed to provide the Program and the Services to the Partner School;
- Pursuant to section 2.1 of the DPA, in performing its obligations under the Agreement, Gradient Learning is acting as a school official with a legitimate educational interest; is performing an institutional service or function for which the Partner School would otherwise use its own employees; is under the direct control of the Partner School with respect to the use and maintenance of Student Data; and is using Student Data only for an authorized purpose and in furtherance of such legitimate educational interest;
- If a “Security Incident”, as defined in section 5.4 of the DPA, is primarily attributable to Gradient Learning, Gradient Learning shall, subject to section 8 of the Program Agreement, reimburse and indemnify Partner School for any and all costs and expenses that the Partner School incurs with: (a) providing notification to the parents of those students whose Student Data was compromised and regulatory agencies or other entities as required by law or contract; (b) audit costs, fines, and any other fees or damages imposed against the Partner School as a result of the security breach; and (c) providing any other notifications or fulfilling any other requirements adopted by the Illinois State Board of Education or under other State or federal laws;
- The Partner School shall notify Gradient Learning when the Student Data it has provided pursuant to the DPA is no longer needed for the Partner School’s purpose(s) under the Agreement, including this DPA. If any of the Student Data is no longer needed for purposes of the Agreement, including this DPA, Gradient Learning will delete or transfer Student Data as set forth in section 4.6 of the DPA. Gradient Learning will comply with the Partner School’s request and delete or transfer the Student Data within a reasonable time period, not to exceed 30 days after verifying the written request, and according to a schedule and procedure as Gradient Learning and the Partner School may reasonably agree.
- Pursuant to SOPPA, Partner School shall publish on its website a copy of the DPA, including this Appendix.
Kansas
The Agreement, incorporating the DPA and this Appendix, constitutes the written agreement mandated by the Kansas Student Data Privacy Act, codified at K.S.A. 72-6314, and includes the following statements:
- The Agreement sets forth the exclusive purposes, scope and duration for which the Student Data will be used by Gradient Learning;
- As set forth in section 4.2 of the DPA and section 3.2 of the Privacy Policy, Gradient Learning shall not use Student Data for any purposes other than those authorized pursuant to the Agreement;
- Gradient Learning’s commitments to protect the privacy and security of Student Data are set forth in the DPA, including section 5.2, and are outlined in the Privacy Policy; and
- As set forth in section 4.6 of the DPA and section 7 of the Privacy Policy, a pupil’s records shall not be retained or available to Gradient Learning upon completion of the terms of the Agreement.
Kentucky
The Agreement, incorporating the DPA and this Appendix, constitutes the written agreement mandated by Kentucky Revised Statutes 365.734, and includes the following statements:
- As set forth in section 4.2 of the DPA and section 3.2 of the Privacy Policy, Gradient Learning shall not process Student Data other than providing, improving, developing, or maintaining the integrity of the Services to the Partner School as authorized pursuant to the Agreement. The Agreement sets forth the exclusive purposes for which the Student Data will be used by Gradient Learning; and
- As set forth in section 4.7 of the DPA and section 3.2 of the Privacy Policy, Gradient Learning shall not process Student Data to advertise or facilitate advertising or to create or correct an individual or household profile for any advertisement purpose, and shall not sell, disclose or otherwise process Student Data for any commercial purpose.
Michigan
The Agreement, incorporating the DPA and this Appendix, constitutes the written agreement mandated by Michigan Rev. Code § 380.1136, and includes the following statements:
- Gradient Learning’s commitments to protect the privacy and security of Student Data are set forth in the DPA, including section 5.2, and are outlined in the Privacy Policy; and
- Gradient Learning acknowledges it may face potential liability as a penalty for intentional or grossly negligent noncompliance with this Agreement, including termination of the Agreement and payment of monetary damages, subject to section 8 of the Program Agreement, for any breach of the terms of this Agreement that cause actual harm to the Partner School.
Montana
The Agreement, incorporating the DPA and this Appendix, constitutes the written agreement mandated by the Montana Pupil Online Personal Information Protection Act, codified at Montana Code 20-7-1326, and includes the following statements:
- As set forth in section 2.1 of the DPA, pupil records continue to be the property of and under the control of the Partner School;
- As set forth in section 4.2 of the DPA and section 3.2 of the Privacy Policy, any information in the pupil record shared with Gradient Learning pursuant to the Agreement, shall be used for no purpose other than those required or specifically permitted by the Agreement;
- A parent, legal guardian, or eligible pupil may review personally identifiable information in the pupil’s records that is collected by Gradient Learning, and correct erroneous information, as set forth in section 2.2 of the DPA and section 4 of the Privacy Policy;
- As set forth in section 5.2 of the DPA and section 6 of the Privacy Policy, Gradient Learning shall provide periodic security training designed to ensure the security and confidentiality of pupil records to those of its employees and staff who have access to pupil records;
- As set forth in section 5.4 of the DPA, Gradient Learning will notify the Partner School when there has been an unauthorized release, disclosure or acquisition of pupil records; and to the extent required by law, Gradient Learning, in coordination with the Partner School as appropriate, shall seek to notify the affected parent, legal guardian or eligible pupil;
- As set forth in section 4.6 of the DPA and section 7 of the Privacy Policy, a pupil’s records shall not be retained or available to Gradient Learning upon completion of the terms of the Agreement;
- As set forth in section 2.1 and section 3.1 of the DPA, Gradient Learning and Partner School shall ensure compliance with the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g); and
- As set forth in section 4.7 of the DPA and section 3.2 of the Privacy Policy, Gradient Learning shall not use personally identifiable information in pupil records to engage in targeted advertising.
Nevada
The Agreement, incorporating the DPA and this Appendix, constitutes the written agreement mandated by Nevada Revised Statute 388.272, and includes the following statements:
- Gradient Learning’s commitments to protect the privacy and security of Student Data are set forth in the DPA, including section 5.2, and are outlined in the Privacy Policy; and
- Gradient Learning acknowledges it may face potential liability as a penalty for intentional or grossly negligent noncompliance with this Agreement, including termination of the Agreement and payment of monetary damages, subject to section 8 of the Program Agreement, for any breach of the terms of this Agreement that cause actual harm to the Partner School.
New York
The Agreement, incorporating the DPA and this Appendix, constitutes the written agreement mandated by New York State Education Law § 2-d (“Section 2-d”), and Part 121 of the New York State Education Department (“NYSED”) regulations implementing Section 2-d.
New York’s Parents Bill of Rights for Data Privacy and Security is incorporated into the Agreement and Gradient Learning agrees and acknowledges that:
- A student’s personally identifiable information cannot be sold or released for any commercial purposes;
- Parents have the right to inspect and review the complete contents of their child’s education record that is shared with or collected by Gradient Learning, as set forth in section 2.2 of the DPA and section 4 of the Privacy Policy;
- Gradient Learning complies with all applicable state and federal laws that protect the confidentiality of personally identifiable information, and, as set forth in section 5.2 of the DPA and section 6 of the Privacy Policy, employs safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls, and password protection, when data is stored or transferred;
- A complete list of all student data elements collected by Gradient Learning is available for public review in Exhibit A, Schedule of Data of the DPA;
- Parents have the right to have complaints about possible breaches of student data addressed. Gradient Learning will promptly address any such complaints directed to privacy@summitlearning.org;
- The Agreement sets forth the exclusive purposes for which the student data or teacher or principal data will be used by Gradient Learning;
- As set forth in section 2.5 of the DPA and section 3.3 of the Privacy Policy, Gradient Learning may disclose the student data or teacher or principal data to subcontractors, or other authorized persons or entities (“Service Providers”) in order to perform its duties under the Agreement. Gradient Learning shall enter into written agreements with all Service Providers and shall be responsible for any actions of Service Providers that would be a breach of this document.
- Section 4.6 of the DPA sets forth the time period, not to exceed 60 days, and process by which Gradient Learning will either delete or transfer personally identifiable information upon the expiration of the contract or when requested to do so by notification from the Partner School;
- A parent, student, eligible student, teacher or principal may correct inaccurate student data or teacher or principal data that is collected by Gradient Learning as set forth in section 2.2 of the DPA and section 4 of the Privacy Policy;
- Where required by applicable law, all student data or teacher or principal data will be stored within the United States and protected by employing administrative, physical, and technical safeguards designed to protect it from unauthorized access, disclosure, and use or acquisition by an unauthorized person, including when transmitting and storing such information;
- The data will be protected using encryption while in transit and at rest as further detailed in section 5.2 of the DPA; and
- For purposes of compliance with NYSED regulation Part 121.6 implementing Section 2-d, details of Gradient Learning’s data privacy and security plan can be found in our Security Whitepaper.
North Carolina
The Agreement, incorporating the DPA and this Appendix, constitutes the written agreement mandated by North Carolina General Statutes § 115C-402.5(b)(6), and includes the following statements:
- Gradient Learning’s commitments to safeguard the privacy and security of Student Data are set forth in the DPA, including section 5.2, and are outlined in the Privacy Policy; and
- Gradient Learning acknowledges it may face potential liability as a penalty for intentional or grossly negligent noncompliance with this Agreement, including termination of the Agreement and payment of monetary damages, subject to section 8 of the Program Agreement, for any breach of the terms of this Agreement that cause actual harm to the Partner School.
Oklahoma
The Agreement, incorporating the DPA and this Appendix, constitutes the written agreement mandated by the Oklahoma Student Data Accessibility, Transparency and Accountability Act, as codified by Oklahoma statute § 70-3-168, and includes the following statements:
- Gradient Learning’s commitments to safeguard the privacy and security of Student Data are set forth in the DPA, including section 5.2, and are outlined in the Privacy Policy; and
- Gradient Learning acknowledges it may face potential liability as a penalty for intentional or grossly negligent noncompliance with this Agreement, including termination of the Agreement and payment of monetary damages, subject to section 8 of the Program Agreement, for any breach of the terms of this Agreement that cause actual harm to the Partner School.
Rhode Island
The Agreement, incorporating the DPA and this Appendix, constitutes the written agreement mandated by Rhode Island HB 7124, as codified by General Laws § 16-104-1, and includes the following statements:
- As set forth in section 4.2 of the DPA, Gradient Learning shall process data of a student enrolled in kindergarten through twelfth (12th) grade (“Student Data”) for the sole purpose of providing the Services to the Partner School as authorized pursuant to the Agreement. The Agreement sets forth the exclusive purposes for which the Student Data will be used by Gradient Learning; and
- As set forth in section 4.7 of the DPA and section 3.2 of the Privacy Policy, Gradient Learning shall not process Student Data for any commercial purposes, including, but not limited to, advertising purposes that benefit Gradient Learning.
Utah
The Agreement, incorporating the DPA and this Appendix, constitutes the written agreement mandated by the Utah Student Privacy and Data Protection Law, codified at Utah Code 53E-9-101, and includes the following statements:
- The requirements and restrictions related to the collection, use, storage, or sharing of student data by Gradient Learning are set forth in the DPA and the Privacy Policy;
- As set forth in section 2.5 of the DPA and section 3.3 of the Privacy Policy, Gradient Learning may disclose the Student Data to subcontractors, or other authorized persons or entities (“Service Providers”) in order to perform its duties under the Agreement;
- Section 4.6 of the DPA sets forth the time period, not to exceed 60 days, and process by which Gradient Learning will either delete or transfer personally identifiable information upon the expiration of the contract or when requested to do so by notification from the Partner School;
- As set forth in section 4.2 of the DPA and section 3.2 of the Privacy Policy, Student Data shall be used for no purpose other than the Services and for the uses set forth in the Agreement and/or as otherwise legally permissible; and
- As set forth in section 4.5 of the DPA and section 3 of the Privacy Policy, Gradient Learning will use de-identified or aggregated data for secondary uses. Gradient Learning may use Student Data for secondary uses only after receiving written permission from the student’s parent or legal guardian.
West Virginia
The Agreement, incorporating the DPA and this Appendix, constitutes the written agreement mandated by the West Virginia Student Data Accessibility, Transparency and Accountability Act, codified at West Virginia Code § 18-2-5h, and includes the following statements:
- Gradient Learning’s commitments to safeguard the privacy and security of Student Data are set forth in the DPA, including section 5.2, and are outlined in the Privacy Policy; and
- Gradient Learning acknowledges it may face potential liability as a penalty for intentional or grossly negligent noncompliance with this Agreement, including termination of the Agreement and payment of monetary damages, subject to section 8 of the Program Agreement, for any breach of the terms of this Agreement that cause actual harm to the Partner School.