1. Introduction

Performance Learning Systems, Inc., and its affiliates (the “Company”) recognize the need to maintain safeguards when processing Student Data in connection with provision of the Company’s services and all digit assets contained or offered therein (collectively, our “Services”) for clients that include Educational Agencies. As part of its Services, Company collects a variety of information that may be protected by law, which is further defined below.

It is the goal of Company to work to protect information in accordance with applicable laws, including but not limited to laws such as the New York State Section 2-d Education Law (“Section 2-d”), and Company policies.

2. Scope

This Data Security and Privacy Plan (“Plan”) extends to all processing of information defined as Teacher or Principal Data under Section 2-d. Processing includes any operation or set of operations which is performed on Teacher or Principal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alternation, retrieval, consultation, use, disclosure by transmission, dissemination, otherwise making available, combination, restriction, erasure, or destruction. Company does not process Student Data as defined by Section 2-d.

Anonymized data or pseudonymized data that cannot be attributed to a natural person, e.g. for statistical evaluations or studies, is not subject to this Plan.

3. Definitions

1. “Agreement” means a direct contract between an Educational Agency and Company.
2. “Educational Agency” means a school district, board of cooperative educational services, school, or department of education for a state.
3. “Teacher or Principal Data” means personally identifiable information from the records of an Educational Agency relating to the annual professional performance reviews of classroom teachers or principals that is confidential and not subject to release

4. Compliance

1. In order to implement all relevant state, federal, and applicable data security and privacy contract requirements over the life of an Agreement, consistent with the Educational Agency's data security and privacy policy, Company will:
   1. Follow internal policies and procedures compliant with (i) applicable state, federal, and local data security and privacy requirements, including Section 2-d, and (ii) the Educational Agency’s data security and privacy policy;
   2. Follow commercially reasonable administrative, technical, operational, and physical safeguards and practices to protect the security of Teacher or Principal Data in accordance with relevant law;
   3. Follow policies compliant with the Educational Agency’s Parents’ Bill of Rights, to be attached as exhibit(s) to the Agreement;
   4. Use the Teacher or Principal Data only for the purpose authorized in the Agreement;
   5. Annually train its officers and employees who have access to Teacher or Principal Data on relevant federal and state laws governing confidentiality of Teacher or Principal Data; and
   6. In the event any subcontractors are engaged in relation to the Agreement, manage relationships with sub-contractors to contract with sub-contractors to protect the security of Teacher or Principal Data in accordance with relevant law.

5. Safeguards

1. To protect Teacher or Principal Data that Company receives in relation to an Agreement, Company will follow policies that include the following administrative, operational, and technical safeguards:
   1. Company will identify reasonably foreseeable internal and external risks relevant to its administrative, technical, operational, and physical safeguards;
   2. Company will assess the sufficiency of safeguards in place to address the identified risks; Company will adjust its security program in light of business changes or new circumstances;
   3. Company will regularly test and monitor the effectiveness of key controls, systems, and procedures; and
   4. Company will protect against the unauthorized access to or use of Teacher or Principal Data.

6. Training

Officers or employees of Company who have access to Teacher or Principal Data receive or will receive training annually on the federal and state laws governing confidentiality of such data prior to receiving access

7. Subcontractors

In the event that Company engages any subcontractors or other authorized agents to perform its obligations under a Client agreement, it will implement policies to manage those relationships in accordance with applicable laws and will obligate its subcontractors to protect Teacher or Principal Data in all contracts with such subcontractors, including by obligating, as reasonably possible, the subcontractor to abide by all applicable data protection and security contract requirements, including but not limited to those outlined in applicable state and federal laws and regulations.

8. Data Security and Privacy Incidents

Company will manage data security and privacy incidents that implicate Teacher or Principal Data, including identifying breaches and unauthorized disclosures, by following an incident response policy for identifying and responding to incidents, breaches, and unauthorized disclosures. Company will notify Client of any breaches or unauthorized disclosures of Teacher or Principal Data promptly but in no event more than seven (7) days after Company has discovered or been informed of the breach or unauthorized release.

9. Effects of Termination or Expiration

Company will implement procedures for the return, transition, deletion and/or destruction of Student Data at such time that the Client agreement is terminated or expires.