Introduction

Magnolia Montessori Academy recognizes the need to protect personally identifiable student information and other regulated data exchanged between them and software vendors as required by applicable laws and regulations, such as the Family Educational Rights and Privacy Act (“FERPA”) at 20 U.S.C. § 1232g (34 CFR Part 99); the Children’s Online Privacy Protection Act (“COPPA”) at 15 U.S.C. § 6501-6506 (16 CFR Part 312), and applicable state privacy laws and regulations.

This list of software and systems are used by students and may require some personally identifying information such as email or grade level to use. Only the minimum information needed is collected. Information shared does not violate student privacy if disclosed to a third party software vendor under contract with district. This directory information may include: student’s name, mailing address, telephone number, date and place of birth, student ID number, extracurricular activities, honors and awards, and dates of attendance or enrollment.

Information collected by software systems may be used for the following purposes:

  • Setting up an account to use for log in purposes
  • Providing performance feedback to the system so it can adjust the level and type of interactivity for the user
  • Improving system performance
  • Aggregating information for educator data analysis 

Data Privacy Requirements of Contracted Software Vendors

  1. Privacy Compliance. The Provider shall comply with all applicable federal, state, and local laws, rules, and regulations pertaining to Student Data privacy and security, all as may be amended from time to time.
  2. Provider Employee Obligation. Provider shall require all of Provider’s employees and agents who have access to Student Data to comply with all applicable provisions of the district’s Data Privacy Contract Addendum with respect to the Student Data shared under the Service Agreement. Provider agrees to require and maintain an appropriate confidentiality agreement from each employee or agent with access to Student Data pursuant to the Service Agreement.
  3. No Disclosure. Provider acknowledges and agrees that it shall not make any re-disclosure of any Student Data or any portion thereof, including without limitation, user content or other non- public information and/or personally identifiable information contained in the Student Data other than as directed or permitted by the district’s Data Privacy Contract Addendum. This prohibition against disclosure shall not apply to aggregate summaries of De-Identified information, Student Data disclosed pursuant to a lawfully issued subpoena or other legal process, or to Sub-processors performing services on behalf of the Provider pursuant to the district’s Data Privacy Contract Addendum. Provider will not Sell Student Data to any third party.
  4. De-Identified Data: Provider agrees not to attempt to re-identify De-Identified Student Data. De- Identified Data may be used by the Provider for those purposes allowed under FERPA and the following purposes: (1) assisting the district or other governmental agencies in conducting research and other studies; and (2) research and development of the Provider’s educational sites, services, or applications, and to demonstrate the effectiveness of the Services; and (3) for adaptive learning purpose and for customized student learning. Provider’s use of De-Identified Data shall survive termination of the district’s Data Privacy Contract Addendum or any request by the district to return or destroy Student Data. Except for Sub-processors, Provider agrees not to transfer de-identified Student Data to any party unless that party agrees in writing not to attempt re-identification, and (b) prior written notice has been given to the district who has provided prior written consent for such transfer. Prior to publishing any document that names the district explicitly or indirectly, the Provider shall obtain the district’s written approval of the manner in which De-Identified Data is presented.
  5. Disposition of Data. Upon written request from the district, Provider shall dispose of or provide a mechanism for the district to transfer Student Data obtained under the Service Agreement, within sixty (60) days of the date of said request and according to a schedule and procedure as the Parties may reasonably agree. Upon termination of the district’s Data Privacy Contract Addendum, if no written request from the district is received, Provider shall dispose of all Student Data after providing the district with reasonable prior notice. The duty to dispose of Student Data shall not extend to Student Data that had been De-Identified or placed in a separate student account.
  6. Advertising Limitations. Provider is prohibited from using, disclosing, or selling Student Data to inform, influence, or enable Targeted Advertising; or (b) develop a profile of a student, family member/guardian or group, for any purpose other than providing the Service to district. This section does not prohibit Provider from using Student Data (i) for adaptive learning or customized student learning (including generating personalized learning recommendations); or (ii) to make product recommendations to teachers or district employees; or (iii) to notify account holders about new education product updates, features, or services or from otherwise using Student Data as permitted in the district’s Data Privacy Contract Addendum and its accompanying exhibits.
  7. Data Storage. Where required by applicable law, Student Data shall be stored within the United States. Upon request of the district, Provider will provide a list of the locations where Student Data is stored.
  8. Audits. No more than once a year, or following unauthorized access, upon receipt of a written request from the district with at least ten (10) business days’ notice and upon the execution of an appropriate confidentiality agreement, the Provider will allow the district to audit the security and privacy measures that are in place to ensure protection of Student Data or any portion thereof as it pertains to the delivery of services to the district. The Provider will cooperate reasonably with the district and any local, state, or federal agency with oversight authority or jurisdiction in connection with any audit or investigation of the Provider and/or delivery of Services to students and/or the district, and shall provide reasonable access to the Provider’s facilities, staff, agents and district’s Student Data and all records pertaining to the Provider, district, and delivery of Services to the district. Failure to reasonably cooperate shall be deemed a material breach of the district’s Data Privacy Contract Addendum.
  9. Data Security. The Provider agrees to utilize administrative, physical, and technical safeguards designed to protect Student Data from unauthorized access, disclosure, acquisition, destruction, use, or modification. The Provider shall adhere to any applicable law relating to data security. The provider shall implement an adequate Cybersecurity Framework based on nationally recognized standards. Provider shall provide, in the Standard Schedule to the district’s Data Privacy Contract Addendum, contact information of an employee who the district may contact if there are any data security concerns or questions.
  10. Data Breach. In the event of an unauthorized release, disclosure or acquisition of Student Data that compromises the security, confidentiality or integrity of the Student Data maintained by the Provider the Provider shall provide notification to district within seventy-two (72) hours of confirmation of the incident, unless notification within this time limit would disrupt investigation of the incident by law enforcement. In such an event, notification shall be made within a reasonable time after the incident. The district shall then have (72) hours to provide this information to students and their families. Provider shall follow the following process:
    • The security breach notification described above shall include, at a minimum, the following information to the extent known by the Provider and as it becomes available:
  1. The name and contact information of the reporting manager.
  2. A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
  3. If the information is possible to determine at the time the notice is provided, then either (1) the date of the breach, (2) the estimated date of the breach, or (3) the date range within which the breach occurred. The notification shall also include the date of the notice. 
  4. Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided; and
  5. A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
  • Provider agrees to adhere to all federal and state requirements with respect to a data breach related to the Student Data, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such data breach.
  • Provider further acknowledges and agrees to have a written incident response plan that reflects best practices and is consistent with industry standards and federal and state law for responding to a data breach, breach of security, privacy incident or unauthorized acquisition or use of Student Data or any portion thereof, including personally identifiable information and agrees to provide the district, upon request, with a summary of said written incident response plan.
  • In the event of a breach originating from the district’s use of the Service, Provider shall cooperate with district to the extent necessary to expeditiously secure Student Data.

Software List – Notice to Parental Guardians