fbpx

Student Data Privacy Agreement (SDPA)

Revision Date: March 11, 2024

Student Data Privacy Agreement (SDPA)

This SDPA is based on the SDPC’s NDPA v1 document. To learn more about the Student Data Privacy Consortium and join, visit this link (here).

This Agreement is made

BETWEEN You, the user

AND SLP Toolkit, LLC

This Student Data Privacy Agreement (“SDPA”) is made and entered into by and between the user when signing up through the Kit app (the “User”), who has created a Kit account, and SLP Toolkit, LLC (“SLP Toolkit”), whose principal place of business is 124 W. 1st St. Suite 101 Mesa, Arizona 85201 (collectively the “Parties”). The Parties agree to the terms as stated herein.

RECITALS

WHEREAS, SLP Toolkit has agreed to provide the User with access to online software; and

WHEREAS, the User has purchased an SLP Toolkit account and has control over the data associated with the account; and

WHEREAS, the User may provide data that is covered by a number of federal and local laws, among them, the Family Educational Rights and Privacy Act (“FERPA”); and

WHEREAS, the data transferred from the User and/or stored by SLP Toolkit when providing access to online software, is also subject to those privacy laws; and

WHEREAS, the Parties wish to enter into this SDPA to ensure that accessing and/or transferring of data complies with the requirements of the privacy laws referenced above and to establish required procedures and duties; and

NOW THEREFORE, for good and valuable consideration, the Parties agree as described in the following sections.

ARTICLE I: PURPOSE AND SCOPE

  1. Purpose of SDPA. For SLP Toolkit to provide digital educational services (“Services”) to the User, it may become necessary for the User to share certain data related to the User’s students, employees, business practices, and/or intellectual property. This SDPA describes the responsibilities of the User and of SLP Toolkit with respect to the data and services provided.

  2. Student Data to Be Provided. In order to perform the Services described in the SDPA, the User will likely provide, among other data, the categories of student data described below.

  3. Name, IEP Date, Eval Date, School, IEP Service Time, Teacher, Grade level, Date of Birth, or other related information at the discretion of the SLP. A complete list of information can be found in the SLP Toolkit Knowledge Base (https://slp-toolkit-tutorials-and-faqs.groovehq.com/help/student-data-elements-we-collect).

  4. Order of Precedence. This SDPA is a general catch-all agreement between SLP Toolkit and all users who provide student data. In the event of a conflict or inconsistency between this SDPA and any other stated or agreed upon policies, terms, or conditions, with the User or an organization affiliated with the User, this SDPA does not take precedence and does not supersede any such past or future agreement.

ARTICLE II: DATA OWNERSHIP AND AUTHORIZED ACCESS

  1. Data Property of User. All educational information, personally identifiable information, and/or directory information for students (“Student Data”) transmitted from the User to SLP Toolkit pursuant to the SDPA is and will continue to be the property of and under the control of the User. SLP Toolkit further acknowledges and agrees that all copies of such Student Data transmitted to SLP Toolkit, including any modifications or additions or any portion thereof from any source, are subject to the provisions of this SDPA in the same manner as the original Student Data. The Parties agree that as between them all rights, including all intellectual property rights in and to Student Data contemplated per the SDPA shall remain the exclusive property of the User.

  2. No Unauthorized Use or Disclosure. SLP Toolkit shall not use Student Data for any purpose other than as explicitly specified in the SDPA. SLP Toolkit will not use, disclose, compile, transfer, or sell the Student Data and/or any portion thereof to any third party or other entity, or allow any other third party or other entity to use, disclose, compile, transfer or sell the Student Data and/or any portion thereof, except as may be required in connection with providing the Services. SLP Toolkit shall not make any re-disclosure of any Student Data, including metadata, persistent unique identifiers, or other non-public information or PII, without the express written consent of the User.

  3. Third Party Request. In the event that a parent of a student or other individual contacts SLP Toolkit to review any Student Data, SLP Toolkit shall refer the parent or individual to the User, who will follow the necessary and proper procedures regarding the requested information. Should a third party, including law enforcement and government entities, contact SLP Toolkit with a request for data held by SLP Toolkit pursuant to the Services, SLP Toolkit shall redirect the third party to request the data directly from the User. SLP Toolkit shall notify the User in advance of a compelled disclosure to a third party.

  4. Subprocessors. SLP Toolkit shall enter into written agreements with all subprocessors performing functions pursuant to the SDPA, whereby the subprocessors agree to protect Student Data in a manner consistent with the terms of this SDPA.

ARTICLE III: DUTIES OF User

  1. Provide Data In Compliance With State and Federal Law. The User shall allow SLP Toolkit access to data necessary to perform the Services, and pursuant to the terms of this SDPA, and in compliance with FERPA and all other applicable privacy statutes.

  2. Reasonable Precautions. The User shall take reasonable precautions to secure user names, passwords, and any other means of gaining access to the Services and hosted data.

  3. Unauthorized Access Notification. User shall notify SLP Toolkit promptly of any known or suspected unauthorized access. User will assist SLP Toolkit in any efforts by SLP Toolkit to investigate and respond to any unauthorized access.

ARTICLE IV: DUTIES OF SLP TOOLKIT

  1. Privacy Compliance. The Parties expect that SLP Toolkit may receive personally identifiable information (“PII”) in Student Data from the User. SLP Toolkit shall comply with all applicable state and Federal laws and regulations pertaining to data privacy and security, including FERPA and all other applicable privacy statutes. The Parties agree that SLP Toolkit is a “school official” under FERPA and has a legitimate educational interest in PII from Student Data. For purposes of the SDPA, SLP Toolkit:

    • provides a service or function for which the User would otherwise use employees;

    • is under the direct control of the User with respect to the use and maintenance of education records; and

    • is subject to the requirements of FERPA governing the use and redisclosure of Student Data.

  2. Employee Obligation. SLP Toolkit shall require all employees and agents who have access to Student Data to comply with all applicable provisions of this SDPA with respect to the data shared under the SDPA. SLP Toolkit agrees to require and maintain an appropriate confidentiality agreement from each employee or agent with access to Student Data pursuant to the SDPA.

  3. Aggregate Data. SLP Toolkit may use aggregate data only for the purposes of development, research, and improvement of educational sites, services, or applications. SLP Toolkit agrees not to attempt to re-identify de-identified Student Data. SLP Toolkit shall not copy, reproduce or transmit any Student Data obtained under the SDPA and/or any portion thereof, except as necessary to fulfill the SDPA.

  4. Disposition of Student Data. Student Data associated with a cancelled account is deleted on a schedule (typically 90 days), provided that the User does not reactivate the account. The User has the ability to delete SLP and Student Data associated with their accounts at any time using the software or by special request, except in instances where such data is otherwise prohibited from deletion or required to be retained under state or federal law, or stored as a copy as part of a disaster recovery storage system and that is (a) inaccessible to the public, and (b) unable to be used in the normal course of business by SLP Toolkit. Disposition shall include (a) Electronic Student Data record destruction; or (b) Otherwise modifying Student Data in those records to make it unreadable. If a special request is made to delete Student Data owned by the User, SLP Toolkit shall provide written notification to User when the Student Data has been disposed of. The duty to dispose of Student Data shall not extend to data that has been aggregated and de-identified pursuant to the other terms of the DSPA. The User understands and agrees that Student Data backups and audit logs are not easily parsed or accessible, and are not immediately destroyed upon request or the termination of any agreement between the parties.

  5. Advertising Prohibition. SLP Toolkit is prohibited from using or selling Student Data to (a) market or advertise to students or families/guardians; (b) inform, influence, or enable marketing, targeted advertising, or other commercial efforts by SLP Toolkit; (c) develop a profile of a student, family member/guardian or group, for any commercial purpose other than providing the Service to the User; or (d) use the Student Data for the development of commercial products or services, other than as necessary to provide the Services to the User. This section does not prohibit SLP Toolkit from generating legitimate personalized learning recommendations.

  6. Access to Student Data. If Student Data owned by the User is not accessible to the User by circumstances out of the normal course of operation, SLP Toolkit shall assist to make Student Data available to the User within five (5) business days of a request by the User.

ARTICLE V: DATA PROVISIONS

  1. Confidentiality Measures. SLP Toolkit agrees to implement appropriate measures designed to ensure the confidentiality of Student Data and other data, protect against any anticipated hazards or threats to the integrity or security of such information, protect against unauthorized access or disclosure of information, and prevent any other action that could result in substantial harm to the User or an individual identified with the data or information in SLP Toolkit’s custody.

  2. SLP Toolkit certifies that it has implemented policies and procedures to protect against reasonably foreseeable unauthorized access to, or disclosure of, Student Data or other data, and to prevent other reasonably foreseeable events that may result in substantial harm to the User or any individual student. SLP Toolkit shall not permit User data or Student Data to be maintained or stored on any of SLP Toolkit’s Mobile Device or Portable Storage Medium unless it is encrypted.

  3. Data Breach. SLP Toolkit will notify the User when there has been an unauthorized release, breach, disclosure, or acquisition of Student Data owned by the User. Such notification will follow the standard procedures below. In the event that Student Data is accessed or obtained by an unauthorized individual, SLP Toolkit will notify User of the incident within 72 hours of breach confirmation using the following process:

    • The security breach notification will be delivered via electronic mail to the User, at the email address on file with SLP Toolkit. Every reasonable attempt will be made to obtain confirmation that the information is received.

    • The notification will be titled “Notice of Student Data Breach”, and will contain the following information:

      • What Happened – how the breach was able to occur, and when the breach occurred

      • What Information Was Involved – the specific information that may have been compromised by the breach

      • What We Are Doing – the current and next steps in SLP Toolkit procedures that are being followed

      • What You Can Do – steps User can take to help

      • For More Information – contact information and resources for additional information.

    • SLP Toolkit will assist any local education agency to issue additional notifications as required by law.

    • Due to the type of student data and the encrypted state of the data stored by SLP Toolkit, risk of substantial damage resulting from a student data breach is low. However, any direct costs associated with repairing damage from a student data breach where SLP Toolkit is at fault may be submitted for payment review. SLP Toolkit maintains a cyber security insurance policy to handle such events. The User understands that damage claims are subject to review before payment.

ARTICLE VI: MISCELLANEOUS

  1. Term. This SDPA will remain in effect the date SLP Toolkit begins providing the Services to the User, and shall expire when SLP Toolkit no longer provides the Services to the User, or is terminated by either party in accordance with this SDPA. Either party may also terminate this SDPA immediately upon the other party’s breach of this SDPA. SLP Toolkit shall be bound by the confidentiality of Student Data provisions of this SDPA for as long as SLP Toolkit possesses the User’s Data.

  2. Termination. In the event that either party seeks to terminate this SDPA, they may do so by mutual written consent.

  3. Effect of Termination Survival. If the SDPA is terminated, SLP Toolkit shall dispose of the User’s Data as stated in Article IV, section 4, Disposition of Student Data.

  4. Notice. All notices or other communication required or permitted to be given hereunder must be in writing and given by email transmission and sent to the designated representative. The designated representative for SLP Toolkit for this SDPA is: Paul Keck, Privacy Officer (privacy@slptoolkit.com)

  5. Severability. Any provision of this SDPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions of this SDPA, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. Notwithstanding the foregoing, if such provision could be more narrowly drawn so as not to be prohibited or unenforceable in such jurisdiction while, at the same time, maintaining the intent of the parties, it shall, as to such jurisdiction, be so narrowly drawn without invalidating the remaining provisions of this SDPA or affecting the validity or enforceability of such provision in any other jurisdiction.

  6. Authority. SLP Toolkit represents that it is authorized to bind to the terms of this SDPA, including confidentiality and destruction of Student Data and any portion thereof contained therein, all related or associated institutions, individuals, employees or contractors who may have access to the Student Data and/or any portion thereof, or may own, lease or control equipment or facilities of any kind where the Student Data and portion thereof is stored, maintained or used in any way.

  7. Jurisdiction. User consents to personal jurisdiction and exclusive venue in the state and federal courts located in Maricopa County, Arizona. The prevailing party, as determined by the decision-maker, in any arbitration, court action, or proceeding is entitled to its reasonable attorneys’ fees and costs.

  8. Governing Law. This Agreement is governed by and construed according to the laws of the state of Arizona, without reference to any conflicts of laws provisions.

  9. Waiver. Waiver by any party to this SDPA of any breach of any provision of this SDPA or warranty of representation set forth herein shall not be construed as a waiver of any subsequent breach of the same or any other provision. The failure to exercise any right under this SDPA shall not operate as a waiver of such right. All rights and remedies provided for in this SDPA are cumulative. Nothing in this SDPA shall be construed as a waiver or relinquishment of any governmental immunities or defenses on behalf of the User, its officers, employees, and agents as a result of the execution of this SDPA or performance of the functions or obligations described herein.

  10. Assignment. None of the parties to this SDPA may assign their rights, duties, or obligations under this SDPA, either in whole or in part, without the prior written consent of the other party to this SDPA.

IN WITNESS WHEREOF, the parties have executed this SDPA as of the day the user signed up to use the SLP Toolkit app.