This Data Sharing and Processing Agreement (this “Agreement”) is made effective as of the Order Effective Date (the “Effective Date”) of that certain Order Form (the “Order Form”) executed by and between Try Once, Inc. a Delaware corporation located at 440 N Barranca Ave, #5154, Covina, CA 91723 (“Once” or “We”) and the school and/or district specified in such Order Form (hereinafter, “School”). This Agreement supplements that certain Master Services Agreement entered into the parties on or around the Effective Date (the “MSA”).Once is providing certain Services (as defined in the MSA) to School in order to carry out a reading instructional service to improve reading outcomes for children (the “Project”).School has determined that it would be advantageous to the efforts identified above and to the benefit of all parties for Once to collect and process the data as set forth herein in order to accomplish the purposes of the Project.
1. Project Description.
1.1 Cooperation. School and Once will cooperate to notify students, parents and guardians of the availability of the Project.
1.2 Data. Once must collect, access and use the following data (“Data”) in connection with the Project:
-Student name and grade
-School and District name;
-Project attendance records;
-Project curriculum baseline and progress information;
-Video recordings of each instructional session.
With express permission Once may collect, access and use the following additional data (also Data when such permission has been granted) in order to enable enhanced reporting in connection with the Project:
-Homeroom teacher
-District ID
-Third party assessment information the school may collect;
-Student age, race, ethnicity, and home language(s);
-Student information about Individualized Education Plans (IEPs);
-Student information about Free and Reduced Lunch status;
Such Data may be provided by the School from Instructors (as defined in the MSA), teachers, or other staff members.
1.3 Permitted Uses. Once will use the Data for the performance of the Services, including for the purposes of conducting training and coaching for Instructors; monitoring students’ progress; and developing the Project curriculum. Once may associate or combine other data with the Data collected from the School for this purpose, such as aggregate population and demographic data, School name, age or grade range of students participating in the Project within the School and aggregate metrics associated with the School and/or similarly-situated schools. Such data may be provided by the School or compiled from publicly available sources. In addition we may share Data with our trusted third party service providers who perform services on our behalf (e.g. web hosting and analytics services), but strictly for the purpose of carrying out their work for us in furtherance of the Services. Such service providers are subject to confidentiality and data security requirements at least as protective as those set forth in this Agreement. We may also share information with third parties in an aggregated and/or anonymous form that does not reasonably identify an individual or School as provided for in the MSA. For clarity and without limitation, neither Once nor any of its partners will use Data for the purpose of targeted advertising or to amass a profile of an individual student for the purpose of targeting advertising.
2. Responsibilities.
2.1 School Duties and Authority. School represents and warrants that it has the authority to permit Once to access and use Data as described herein and in the MSA for the purpose of providing the Services.
2.2 Once Security. Once will, during the Term (as defined in the MSA), maintain and implement an information security program that requires reasonable and appropriate administrative, technical, physical, organizational and operational safeguards and other security measures (“Security Safeguards”) against unlawful or unauthorized access to or use, destruction, loss, alteration, disclosure, transfer, or processing of Data. The Security Safeguards will ensure a level of security appropriate to the risks and harm that might result from unauthorized access or use and will be consistent with industry best practices and standards. In the event Once becomes aware of any unauthorized access to or use of Data, Once will: (i) notify the School promptly but no later than is reasonably required to enable the School to comply with data breach notification requirements under applicable law, (ii) investigate such security breach, and (iii) reasonably cooperate with the School and any law enforcement or regulatory official.
2.3 Compliance with Laws. The parties agree to uphold their responsibilities under laws governing the privacy of Data, to the extent applicable to each party’s participation in the Project pursuant to this Agreement, which could include but is not limited to the Family Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. § 1232(g), the Children’s Online Privacy and Protection Act (“COPPA”), the Protection of Pupil Rights Amendment (“PPRA”), the Student Online Personal Information Protection Act enacted by the California State Legislature (“SOPIPA”), and similar state or federal laws which govern the privacy of student personal information and education records (together, the “Data Privacy Laws”). Nothing in this Agreement may be construed to allow either party to maintain, use, disclose, or share student personal information and/or educational records in a manner not allowed under the Data Privacy Laws.
2.4 Compliance with COPPA. To the extent that the Services are made available to students under the age of 13, School authorizes Once to collect Data from such students for the purpose of participating in the Project in accordance with this Agreement. School, or a student’s parent or legal guardian, may withdraw consent at any time, upon written notice to Once, after which no further Data will be collected from the student by Once.
2.5 Once Representatives. Once will require its employees and subcontractors to use and protect Data in accordance with the requirements set forth in this Agreement.
3. Data Protection.
3.1 No Re-identification. Once agrees to make no attempt to re-identify Data from which identifying information has been removed. Once has implemented technical and procedural safeguards to prevent the re-identification of Data from which identifying information has been removed, and to contractually prohibit any Once Representative or other third party to whom it discloses Data from attempting to re-identify such Data. Once agrees that if the identity of any individual should be discovered inadvertently, then (a) no use will be made of this information, nor will it be shared with any third party, and (b) the identifying information will be safeguarded or destroyed.
3.2 Permitted Data Use. In addition to permitted uses described in Section 1.3, Once and Once Representatives are hereby permitted to use Resultant Data (as defined in the MSA) for the purposes set forth in the MSA.
4. Publication and Presentation of Findings, Data and Resultant Data.
4.1 Disclosure. Once may disclose Resultant Data to third parties in accordance with the MSA.
4.2 Anonymized Data. To the extent that that the Resultant Data is made publicly available, such as in peer-reviewed studies, white papers, or documentaries, or otherwise distributed throughout public media channels, such Resultant Data will be presented on an anonymized and aggregate basis at the school, grade-level, or by geographic area, and/or on the basis of demographic groups that consist of greater than ten students, such that no individual student could reasonably be identified from such published material, even if such information is combined with other data or information maintained by an institution participating in the Project or from other data sources.
4.3 Analytical Results. Analytical Results generated by School’s participation in the Project will be provided to School. Analytical results based on data from all participating schools may be made available to School upon request.
4.4 Marketing. Subject to the express written consent of School, Once may distribute and make available Recordings (as defined in the MSA) of the given student participating in the Program to the public as part of Once marketing programs. For the avoidance of doubt, without such express written consent from the School, Once will not distribute and make available such Recordings to the public.
5. Term and Termination.
5.1 Duration of the Agreement. This Agreement will be effective as of the Effective Date through the final date on which services are provided as part of the Project, which may be extended upon mutual agreement by the parties. The parties may terminate this Agreement at any time for reasonable cause, effective thirty (30) days from the date of the terminating party’s provision of written notice, provided that termination of this Agreement will also result in termination of the MSA.5.2
5.2 Termination. Upon termination, Once will cease the collection of Data through the Project on behalf of School. Sections 2-4 will continue to apply as long as Once maintains Data.
6. Destruction of Data. Within forty-five (45) days from end of Term, or at any time upon School’s written request, Once will de-identify or destroy the Data, provided that Once will not be required to destroy de-identified, aggregate or non-personally identifiable Data. During the period Once maintains any Data, the provisions of this Agreement will continue to apply. Nothing in this Agreement authorizes Once or any other partner to maintain personally identifiable Data related to School students beyond the time period reasonably required to complete the Project.