NJCAA AUDIT GUARANTEE - DATA PRIVACY ADDENDUM
DATA PRIVACY ADDENDUM (STUDENT DATA)
This Data Privacy Addendum (the “Addendum”) by and between [INSTITUTION] (the “Institution”) and Honest Game Corporation (the “Company”) (collectively, the “Parties”) is incorporated in, effective simultaneously with, and modifies the attached agreement between the Parties and all current and supplemental terms and conditions, order forms, policies, practices, procedures, and/or other documentation relating to the attached agreement (collectively, the “Agreement”). This Addendum supersedes the Agreement by adding to, deleting from, and modifying the Agreement. To the extent any provision in this Addendum results in any conflict or inconsistency between the Agreement and this Addendum, this Addendum shall govern and any term of the Agreement that conflicts with this Addendum or is inconsistent with this Addendum shall be of no force or effect.
1. DEFINITION OF INSTITUTION DATA
As used in this Addendum, “Institution Data” includes:
“Personally Identifiable Information” and “Education Records” of students as defined in regulations implementing the Family Educational Rights and Privacy Act (“FERPA”), 34 C.F.R. § 99.3;
All other non-public information, including student data, metadata, and user content, of the Institution’s students.
2. SERVICES AND DATA PROVIDED
2.1 Nature of Products or Services Provided. The Company has agreed to provide the following products and/or services to the Institution:
The Company will evaluate student academic and personal data, and will map out each student’s plan towards NJCAA Qualifier status.
2.2 Institution Data Provided. To allow the Company to provide the products and/or services described in Section 2.2, the Institution will provide the following categories or types of Institution Data to the Company:
Student-Athlete Demographics: Last Name, First Name, Student Institution ID #, Email, Phone Number, Address, Parent/Guardian/Emergency Contact Demographics (optional: Name, Address, Phone Number), Graduation Year, Unweighted GPA, Weighted GPA, Federal Race and Ethnicity Indicators (optional), Certified Learning Disabled Indicator (optional), Gender, Date of Birth, DHS Form I-20 Information for Foreign-born student-athletes.
Other Student-Athlete Information: High School Name, High School Graduation Year, High School Address, Date of Initial Full Time Collegiate Enrollment, # of Full Time Terms completed, Credits Earned in previous Full Time Terms, GPA for previous Full Time Term, Date(s) of full time enrollment at other colleges (if applicable), Names of other colleges attended (if applicable), Letter(s) of Intent, Dates of Military Service (if applicable), Employment History (if applicable).
Student-Athlete Transcript Information: Last Name, First Name, Institution Name, Institution Address, Student Institution ID #, Email, Graduation Year, Unweighted GPA, Weighted GPA, Course Codes, Course Names, Year and Term Courses Taken, Final Grades, Credit Attempted, Credit Earned.
Student Current Courses: Last Name, First Name, Institution Name, Institution Address, Student Institution ID #, Email, Graduation Year, Course Codes, Course Names, Year and Term Courses Scheduled, Credit Attempted.
Team and Activity Rosters: Student Last Name, Student First Name, Student Institution ID #, Student Email, Team Name, Activity name, Institution Name, Season of Participation, Participation Status.
Student App Username;
Student App Password (SSO available: Google);
Student Responses to Surveys or Questionnaires; Student Work: Student generated content, writing, pictures, athletic highlights, awards, records, accomplishments, links to social media, etc.; Student Program Membership: Academic or extracurricular activities a student may belong to or participate in.
2.3 Minimum Data Necessary Shared. The Company attests that the data requested by the Company from the Institution for the Institution to access the Company’s products and/or services represents the minimum necessary data for the products and/or services as described in the Agreement and this Addendum.
3. COMPLIANCE WITH LAW
3.1 The Company agrees that all sharing, use, and storage of Institution Data will be performed in accordance with all applicable Federal and State laws. The Company agrees that it will comply with all applicable laws and refrain from using Institution Data in any way prohibited by any law, whether or not such requirements are specifically set forth in this Addendum. Applicable laws may include, but are not limited to, FERPA; state-specific Data Privacy Laws; the Protection of Pupil Rights Amendment (“PPRA”), 20 U.S.C. § 1232h.
4. DATA OWNERSHIP AND USE
4.1 Data Ownership and Control. The Institution Data and any intellectual property rights thereto remain the property of and under the control of the Institution. The Company does not obtain any right, title, or interest in any of the Institution Data furnished by the Institution.
4.2 Institution Access to Data. Any Institution Data in the possession or under the control of the Company shall be made available to the Institution upon request by the Institution. The Company shall be responsible to provide copies of or access to Institution Data in the possession or under the control of the Company to the Institution within a reasonable time frame and in all cases within time frames that will allow timely compliance by the Institution with any statutorily or court ordered deadline. This includes requests regarding student records under state-specific Data Privacy Laws, requests for records in discovery in state or federal court or administrative proceedings, and any other request.
4.3 Company Use of Data. The Company may use and disclose the Institution Data only for the purposes described in the Agreement and only in a manner that does not violate local, state, or federal privacy laws and regulations. These include, but are not limited to, the following requirements, as applicable:
4.3.1 Institution Officials Requirements. The Company acknowledges that it is acting and designated as an “institution official” or “official of the institution” with a “legitimate educational interest” in the Institution Data as those terms are used in FERPA, state-specific Data Privacy Laws (an “Institution Official”). The Company agrees to abide by the limitations and requirements applicable to an Institution Official. The Company agrees it is performing an institutional service or function for which the Institution would otherwise use employees and is under the direct control of the Institution with respect to the use and maintenance of the Institution Data. The Company agrees that it will use the Institution Data only for authorized purposes and will comply with all limitations and requirements imposed on an Institution Official under FERPA and state-specific Data Privacy Laws, including the requirements that the Company: (1) collect and use Institution Data only for the purpose of fulfilling its duties under the Agreement and this Addendum and only for the benefit of the Institution and its end users; (2) will not share, disclose, or re-disclose the Institution Data to any third party or affiliate except as permitted by FERPA, state-specific Data Privacy Laws or provided for in this Addendum, otherwise authorized in writing by the Institution, or pursuant to a court order; (3) will not use Institution Data (including metadata) for advertising or marketing purposes unless such use is specifically authorized by this Addendum or otherwise authorized in writing by the Institution
4.3.2 PPRA Requirements. With respect to the Company’s collection, disclosure, or use of Institution Data as governed by the PPRA, the Company’s collection, disclosure, or use of any Institution Data shall be for the exclusive purpose of developing, evaluating, or providing educational products or services for, or to, the Institution’s students or educational institutions, or otherwise for the use and benefit of the Institution. The Company will not use the Institution Data for any purpose other than the Institution’s purpose.
4.4 Internal Company Disclosure. The Company attests that only individuals or classes of individuals who are essential to perform the work under the Agreement will have access to the Institution Data and that those individuals and classes of individuals will be familiar with and bound by this Addendum and relevant law. The Company shall cause each officer, director, employee, subcontractor, and other representative who will have access to any Institution Data during the term of the Agreement to comply with all legal requirements applicable to the Institution Data, including but not limited to those outlined in this Agreement and under relevant law.
5. COMPANY OBLIGATIONS REGARDING DATA
5.1 Safeguards. The Company agrees to take appropriate administrative, technical, and physical safeguards reasonably designed to protect the security, privacy, confidentiality, and integrity of Institution Data. The Company shall ensure that Institution Data are secured and encrypted to the greatest extent practicable during use, storage and/or transmission.
5.1.1 Security Procedures and Practices. The Company agrees that it will implement and maintain security procedures and practices that, at a minimum, are designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure that based on the sensitivity of the data and the risk from unauthorized access: (i) use technologies and methodologies that are consistent with the U.S. Department of Commerce’s National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 and any updates to it; or (ii) maintain technical safeguards as they relate to the possession of covered information in a manner consistent with the provisions of 45 C.F.R. 164.312.
5.1.2 Storage of Data. The Company agrees to store and process Institution Data in a manner that is no less protective than the methods used to secure the Company’s own data. Institution Data will be stored on equipment or systems located within the United States. The Company will retain Institution Data for a period of three (3) years. If the Institution requires data to be stored beyond this period, the parties may agree to extended retention on a case-by-case basis.
5.1.3 Audit of Safeguards. The Company shall maintain complete and accurate records of its security measures for Institution Data and produce such records to the Institution for purposes of audit upon reasonable prior notice during normal business hours. The Institution reserves the right at its sole discretion to audit the Company’s storage of Institution Data at the Institution’s expense to ensure compliance with the terms of the Agreement and this Addendum.
5.1.4 Reasonable Methods. The Company agrees to use “reasonable methods” to ensure to the greatest extent practicable that the Company and all parties accessing Institution Data are compliant with state and federal law. The Institution reserves the right to audit such measures upon reasonable prior notice during business hours.
5.2 Privacy Policy. The Company must publicly disclose material information about its collection, use, and disclosure of covered information, including, but not limited to, publishing a terms of service agreement, privacy policy, or similar document. Any changes the Company may implement with respect to its privacy policies or terms of use documents shall be ineffective and inapplicable with respect to the Institution and/or Institution Data unless the Institution affirmatively consents in writing to be bound by such changes. Access by students or parents/guardians to the Company’s programs or services governed by the Agreement and this Addendum or to any Institution Data stored by the Company shall not be conditioned upon agreement by the parents/guardians to waive any of the student data confidentiality restrictions or a lessening of any of the confidentiality or privacy requirements contained in this Addendum.
5.3 Data Return/Destruction. Upon expiration of the term of the Agreement, upon the earlier termination of the Agreement for any reason, at a time when some or all of the Institution Data is no longer needed for purposes of the Agreement, or upon the Institution’s request, the Company covenants and agrees that it promptly shall return to the Institution all Institution Data in the Company’s possession and control. If return of the data is not feasible or if the Institution agrees, then the Company shall destroy the data. The Company agrees to send a written certificate that the data was properly destroyed or returned. Such certificate shall be delivered within 30 days of the date of the event triggering return/destruction (e.g., within 30 days of the termination of the Agreement, within 30 days of the Institution’s request or notification to the Company that the data is no longer needed for the purposes of the Agreement). The Company shall destroy Institution Data in a secure manner and in such a manner that it is permanently irretrievable in the normal course of business. The only exception to the requirements of this Section 5.3 is if the Company has express written consent from a student’s parent or legal guardian consenting to the maintenance of the covered information. In such case, the Company agrees to send with or in lieu of the written certificate required by this Section 5.3 written evidence of parental/guardian consent for any data maintained.
5.4 Authorizations. The Company agrees to secure individual Institution or parent/guardian written authorizations to maintain or use the Institution Data in any manner beyond the scope of or after the termination of the Agreement.
5.5 Data Breach. For purposes of this section, “data breach” means the unauthorized disclosure of data, unauthorized provision of physical or electronic means of gaining access to data that compromises the security, confidentiality, or integrity of Institution Student Data, or other unauthorized access, alteration, use or release of Institution Data, as well as any other circumstances that could have resulted in such unauthorized disclosure, access, alteration, or use.
5.5.1 In the event of a data breach, the Company agrees to the following: (1) notify the Institution by telephone and email within the most expedient time possible and without unreasonable delay, but no later than 24 hours after the determination that a breach has occurred; (2) at the time notification of the breach is made, provide the Institution with the name and contact information for an employee of the Company who shall serve as the Company’s primary security contact; (3) assist the Institution with any investigation, including interviews with Company employees and review of all relevant records; (4) provide the Institution within the most expedient time possible and without unreasonable delay, and in no case later than fifteen (15) days after notification to the Institution that a data breach occurred, the number of students whose covered information is involved in the breach; the date, estimated date, or estimated date range of the breach; a description of the covered information that was compromised or reasonably believed to have been compromised in the breach; and contact information for the person who parents/guardians may contact at the Company regarding the breach; and (5) assist the Institution with any notification the Institution deems necessary related to the security breach. The Company agrees to comply with the terms of this Section 5.5.1 regardless of whether the misuse or unauthorized release of Institution Data is the result of or constitutes a material breach of the Agreement or this Addendum.
5.5.2 The Company shall not, unless required by law, provide any notices except to the Institution without prior written permission from the Institution.
5.5.3 The Company shall reimburse and indemnify the Institution for all costs imposed on the Institution or reasonably undertaken by the Institution at its discretion associated with a data breach, including but not limited to reimbursement of costs associated with notifying individuals whose information was compromised and notifying required regulatory agencies; fees paid to provide credit monitoring to impacted individuals; legal fees, audit costs, fines, and any other fees or damages reasonably undertaken by or imposed against the Institution as a result of the security breach; and any other notifications, legally mandated responses, or responses reasonably undertaken by the Institution in response to the breach.
6. PROHIBITED USES
6.1 The Company shall not do any of the following:
6.1.1 Sell Institution Data; use or share Institution Data for purposes of targeted advertising; or use Institution Data to create a personal profile of a student other than for accomplishing the purposes described in the Agreement and this Addendum and explicitly authorized in writing by the Institution;
6.1.2 Use information, including persistent unique identifiers, created or gathered by the operator’s site, service, or application to amass a profile about a student, except in furtherance of “K through 12 Institution purposes.” “Amass a profile” does not include the collection and retention of account information that remains under the control of the student, the student’s parent or legal guardian, or the Institution; or
6.1.3 Sell or rent a student’s information, including covered information. This Section 6.1.3 does not apply to the purchase, merger, or other type of acquisition of the Company by another entity if the Company or its successor entity complies with all relevant law and this Addendum regarding previously acquired Institution Data.
6.2 Notwithstanding the previous paragraphs and any other terms of this Addendum, the Company may use Institution Data for maintaining, developing, supporting, improving, or diagnosing the operator’s site, service, or application as long as such use is authorized by Federal or State law. The Company agrees to notify the Institution if it believes release of Institution Data is otherwise justified under law; however, any such disclosure must be made by the Institution and pursuant to valid state-specific Data Privacy Laws and FERPA exceptions.
7. MISCELLANEOUS
7.1 Service Levels. The Company’s products or services are provided 24 hours per day, 7 days per week. The Company shall ensure 99.5% up-time, Monday through Friday between 6 a.m. and 6 p.m. US Central Time (“Up-time”). Where Up-time percentage averages less than 99.5% in a calendar month, the Institution shall have the right to terminate the Agreement immediately upon written notice to the Company.
7.2 Limited Warranty. For the purposes of this Addendum, a “Defect” is defined as a failure of the Company’s product or service to substantially conform to the then-current Company’s User Guides materials. For as long as the Agreement is in place, the Company warrants that the Company’s products or services will not contain material Defects. If the products or services do not perform as warranted, the Company will use reasonable efforts, consistent with industry standards, to cure the Defect in accordance with the Company’s then current support call process. Should the Company be unable to cure the Defect or provide a replacement product within five business days, the Institution shall have the right to terminate the Agreement immediately upon written notice to the Company.
7.3 Harmful Code. Using a recent version of a reputable virus-checking product (to the extent commercially available), Company will check its software and other systems used by Company to deliver the products or services to the Institution for any harmful code, including, without limitation, any viruses, worms, or similar harmful code, and will use commercially reasonable efforts to eliminate any such harmful code that the Company discovers.
7.4 Indemnification and Insurance. The Company agrees to indemnify, defend and hold harmless the Institution and its officers, directors, employees, agents, attorneys and assigns, against any third-party claims, demands, actions, arbitrations, losses and liabilities resulting from damage caused by the Company employees, contractors, or subcontractors in performing its obligations under the Agreement or this Addendum. The Company shall maintain evidence of workers compensation insurance as required by law and general liability insurance with a minimum limit of $2,000,000. All insurers shall be licensed by the State of Illinois and rated A+-VII or better by A.M. Best or comparable rating service. The comprehensive general liability shall name the Institution, its Board, Board members, employees, agents, and successors as an additional insured with a waiver of subrogation in favor of the Institution. The Company shall provide the Institution with certificates of insurance and/or copies of policies reasonably acceptable to the Institution evidencing the existence of the coverage described above, including form and deductibles, during the duration of the Agreement. The failure to provide acceptable insurance shall be deemed a breach of the Agreement and shall allow the Institution to immediately terminate the Agreement. Certificates of insurance shall indicate that should any of the above-described policies be canceled before the expiration date thereof, notice will be delivered to the Institution in accordance with the policy provisions.
7.5 Infringement. The Company warrants that no third party has any claim to any trademark, patent, or proprietary interest in any product or service the Company provides to the Institution. The Company will defend, hold harmless, and indemnify the Institution from any claims brought by a third party against the Institution to the extent based on an allegation that any Company product or service infringes any U.S. patent, copyright, trademark, trade secret or other proprietary right of a third party. If the Institution’s use of the Company’s products is restricted as the result of a claim of infringement, the Company shall do one of the following: (i) substitute another equally suitable product or service; (ii) modify the allegedly infringing Company product or service to avoid the infringement; or (iii) procure for the Institution the right to continue to use the Company product or service free of the restrictions caused by the infringement.
7.6 No Indemnification or Limitation of Liability by Institution. Any provision included in the Agreement that requires the Institution to indemnify the Company or any other party is deleted and shall not apply to the Institution. Any provision in the Agreement, except for Section 6.7 of this Addendum, that limits the Company’s liability or requires the Institution to release the Company for claims the Institution may have against the Company is deleted. Further, any provision requiring the Institution to release its class action rights is deleted.
7.7 Mutual Limitation of Liability. Neither party will be liable for breach-of-contract damages that the breaching party could not reasonably have foreseen on entry into this agreement.
7.8 Taxes. The Institution is a tax-exempt organization. Federal excise tax does not apply to the Institution and State Sales Tax does not apply. The amounts to be paid to the Company hereunder are inclusive of all other taxes that may be levied, including sales, use, nonresident, value-added, excise, and similar taxes levied or imposed upon the work. The Company shall be responsible for any taxes levied or imposed upon the income or business privileges of the Company.
7.9 Payments. The Institution shall make payments to the Company in accordance with state law. If the Institution is late in making a payment it shall make interest payments at the maximum amount permitted under the law.
7.10 Force Majeure. Neither party will be liable for any failure or delay in its performance under this Agreement due to any cause beyond its reasonable control, including acts of war, acts of God, acts of terrorism, earthquake, flood, embargo, riot, sabotage, labor shortage or dispute, governmental act or failure of the Internet (not resulting from the actions or inactions of the delayed party), provided that the delayed party: (i) gives the other party prompt notice of such cause, and (ii) uses its reasonable commercial efforts to promptly correct such failure or delay in performance.
7.11 Freedom of Information Act. The Company acknowledges that the Institution is subject to FOIA, and that the Institution shall not be in breach of any confidentiality provisions contained in the Agreement if the Institution releases a record in compliance with the FOIA.
7.12 Governing Law. The Agreement and this Addendum shall be governed by, construed, and enforced in accordance with the laws of the State governed by the Institution.
7.13 Renewal of Agreement. The parties may renew the Agreement and this Addendum in writing. Any provision in the Agreement that provides for an automatic renewal of the Agreement is deleted.
7.14 Termination. The Institution may immediately terminate the Agreement if the Institution makes the determination that the Company has breached a material term of the Agreement or this Addendum. In addition, the Institution may terminate this Agreement at any time without cause after providing the Company with 90 days written notice.
7.15 Amendment. No amendment or modification to the Agreement and this Addendum shall be effective unless and until the amendment or modification is in writing and signed by all parties to the Agreement and this Addendum.
7.16 Additional Amendments to Agreement. In addition to the general amendments contained in this Addendum, certain sections of the Agreement shall be amended as specifically set forth below:
7.17 Effective Date. The term for services provided under this Agreement aligns with the NJCAA membership dues cycle and shall run annually from July 1 through June 30 (“Term”).
Execution of this Agreement confirms Customer’s participation for the applicable Term; however, access to services will not be granted until this Agreement is fully executed and all required payments, as applicable through the NJCAA dues process, have been received.