CR LiftEd™ FERPA Addendum
THESE ADDITIONAL TERMS PERTAIN TO EDUCATIONAL INSTITUTIONS SUBJECT TO THE FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT ("FERPA ADDENDUM") USING THE CR LIFTED SERVICES. YOUR EXECUTION OF A CUSTOMER ORDER FOR SERVICES CONSTITUTES YOUR AGREEMENT TO BE BOUND BY THESE ADDITIONAL TERMS. TERMS NOT DEFINED HEREIN SHALL HAVE THE MEANING SET FORTH IN THE TERMS OF SERVICE AND ADDITIONAL AGREEMENTS AS APPLICABLE. IN THE EVENT OF ANY CONFLICT BETWEEN THE TERMS OF SERVICE AND OTHER ADDITIONAL AGREEMENTS AND THIS FERPA SERVICE ADDENDUM, THE TERMS OF THIS FERPA ADDENDUM SHALL CONTROL.
- Control of Data
- Changes to Customer Data
CentralReach does not own any of the student data or district-created data within its products. The data within the products are property of, and under the control of the Customer. The collection, input, use, retention, disposal, and disclosure of any information in our software applications are controlled solely by the Customer who license our products. CentralReach does not delete, change, or disclose any information from our software applications controlled by the Customer unless CentralReach receives a written and signed statement of work requesting such action, or upon termination of the Service Agreement. Students who wish to retain possession and control of their own pupil-generated content should contact the Customer. If the Customer is unable to fulfil the request of the student, CentralReach can assist at the direction and expense of the Customer. Any requests sent directly to CentralReach will be disclosed to the Customer to respond to as the Customer determines is appropriate.In the event any third party (including the eligible student or parent/guardian of the eligible student) seeks to access education records, CentralReach will inform the Customer of such request in writing. CentralReach shall not provide access to such data or information or respond to such requests unless compelled to do so by court order or lawfully issued subpoena from any court of competent jurisdiction or directed in writing to do so by the Customer. Should CentralReach receive a court order or lawfully issued subpoena seeking the release of such data or information, CentralReach shall provide notification, along with a copy thereof, to the Customer prior to releasing the requested data or information, unless such notification is prohibited by law or judicial and/or administrative order or subpoena.
If the Customer is unable to fulfil a request of an eligible student or parent/guardian to review the student's records, CentralReach can assist at the direction and expense of the Customer. In such an event where a parent, legal guardian, or eligible student seeks to make changes to the data within our products parents, legal guardians, or eligible students shall follow the procedures established by the Customer in accordance with FERPA. Generally these procedures establish the right to request an amendment of the student's education records that the parent or eligible student believes is inaccurate, misleading, or otherwise in violation of the student's privacy rights under FERPA. Parents or eligible students who wish to ask the Customer to amend their child's or their education record should write a Customer official (often a Principal or Superintendent), clearly identify the part of the record they want changed, and specify why it should be changed. If the Customer decides not to amend the record as requested by the parent or eligible student, the Customer will notify the parent or eligible student of the decision and of their right to a hearing regarding the request for amendment. Additional information regarding the hearing procedures would be provided to the parent or eligible student when notified of the right to a hearing. CentralReach will not make determinations of whether records should be edited or otherwise changed, and will defer any decision on such changes to Customer.
- Security at CentralReach
CentralReach shall enter into written agreements with all subprocessors performing functions for the CentralReach in order for the CentralReach to provide the Services pursuant to the Service Agreement, whereby the subprocessors agree to protect Customer Content in a manner no less stringent than the terms of the Service Agreement.
- Data Breach
- CentralReach agrees to report to Customer the unauthorized release, disclosure or acquisition of student data that compromises the security, confidentiality or integrity of the student data maintained by CentralReach. CentralReach shall provide notification to Customer without unreasonable delay, but in no event more than 30 calendar days of confirmation of the incident, unless notification within this time limit would disrupt investigation of the incident by law enforcement. In such an event, notification shall be made within a reasonable time after the incident.
- CentralReach agrees to adhere to all federal and state requirements with respect to a data breach related to the student data, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such data breach.
- CentralReach further acknowledges and agrees to have a written incident response plan that reflects best practices and is consistent with industry standards and federal and state law for responding to a data breach, breach of security, privacy incident or unauthorized acquisition or use of student data or any portion thereof, including personally identifiable information and agrees to provide Cistp,er, upon request, with a summary of said written incident response plan.
- Customer shall provide notice and facts surrounding the breach to the affected students, parents or guardians.
- In the event of a breach originating from Customer’s actions and use of the Service, CentralReach will cooperate to the extent reasonably necessary to expeditiously secure Customer Content with any costs or expense to borne by the Customer.
CentralReach may, from time to time, update this FERPA Addendum to be in compliance with evolving laws and regulations.CentralReach and Customer agree that the Service Agreement is governed by the internal laws of the State wherein Customer is located (without regard to conflicts of law principles), and expressly agree that the state and federal courts sitting in that State shall have exclusive jurisdiction in any action arising out of or connected in any way to the Service Agreement or use of or access to the Services, and each party consents to personal jurisdiction of and venue in such matter.