Level All Data Protection Addendum (DPA)
1. Introduction
This Data Protection Addendum (the “DPA”) applies to the processing of Personal Data of Authorized Users in the United States and forms part of the Level All Affiliation Terms (available at www.levelall.com/affiliation-terms) (the “Agreement”) entered into between Level All, Inc. (“Level All,” “we,” “us” or “our”) and the Organization that is identified in the applicable Order Form (“Organization”, “you” and “your”).
2. Definitions.
Capitalized words used in this Data Protection Addendum that are not expressly defined in this Data Protection Addendum have the meaning set forth in the Agreement.
(a) “Data Protection Legislation” means applicable federal, state, local, and municipal laws and regulations in the United States that relate to the privacy, data protection or data security of Personal Data.
(b) “Process” shall have the same meaning as set out in the applicable Data Protection Legislation or if no such meaning or concept exists, it shall be the means by which Level All collects, uses, stores, discloses, or transfers Personal Data.
3. Compliance with Laws; Roles. Each Party shall comply with all Data Protection Legislation applicable to it in its respective Processing of Personal Data under the Agreement. For purposes of the Agreement and as between the Parties, Organization is the controller of the Personal Data and Level All is the processor of such data.
4. Notices and Consents. Organization shall provide all notices and obtain all such consents required under applicable Data Protection Legislation from the Authorized Users to allow Level All to Process the Personal Data to provide the Platform and the Services, for the Purposes (as defined below) and as otherwise described in the Agreement, including in this Data Protection Addendum (the “Notices and Consents”). Organization represents and warrants that it has obtained and will maintain the Notices and Consents for all Authorized Users through the entire term of the Agreement.
5. Details of Processing. Personal Data will be Processed for the purposes set forth in the Agreement, Exhibit A to the Agreement, and Level All’s Privacy Policy (collectively, the “Purposes”).
6. Level All Obligations. Level All shall implement and maintain reasonable administrative, technical and organizational measures that are designed to preserve the confidentiality and availability of all Personal Data Processed by Level All via the Platform. Level All’s technical and organizational measures, as set forth in Level All’s Information Security Plan, are available upon request and may be updated from time to time. Organization has reviewed such measures and agrees that the measures are appropriate taking into account the state of the art, the costs of implementation, nature, scope, context and purposes of the processing of Personal Data hereunder.
Level All shall take reasonable steps to ensure the reliability and integrity of any employees who have access to the Personal Data and ensure that employees are under a duty of confidentiality with respect to their Processing of the Personal Data.
Level All engages certain third-party entities to Process the Organization Data on Level All’s behalf (“Sub-processors”). Level All shall enter into a written contract with each Sub-processor containing terms that offer substantially similar levels of data protection obligations and protection for Personal Data as those set out in this Section. Level All shall be liable for all acts and omissions of any Sub-processor to the same extent Level All would be under the Agreement if they were Level All’s acts or omissions. Organization consents to Level All engaging the Sub-processors for the Purposes.
If Level All becomes aware of a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data (a “Security Incident”), Level All shall inform Organization, within a reasonable amount of time, taking into account the timeframes required by Data Protection Legislation, with respect to the Security Incident. Level All will provide reasonable information, cooperation, and updates of material developments to enable Organization to fulfill any data breach reporting obligations it may have under Data Protection Legislation. However, Level All’s provision of information and cooperation shall be at Organization’s cost and expense to the extent any Security Incidents were caused by Organization or the Authorized Users or Data Subjects (as defined below). Level All may take such other measures as it deems appropriate to mitigate the effects of the Security Incident.
7. Data Subject Inquiries. Organization shall be solely responsible for responding to and fulfilling any inquiries from Authorized Users and other data subjects, including parents and legal guardians of Authorized Users where the Authorized User is a student of Organization (collectively, “Data Subjects”), regarding their Personal Data in connection with the Processing under the Agreement, including any requests to exercise their rights under applicable Data Protection Legislation, and Organization shall handle all Data Subject inquiries in accordance with applicable Data Protection Legislation. Organization understands that Level All is not required to take any action in response to any requests from Data Subjects except to notify such Data Subjects to contact Organization. To the extent Organization cannot obtain a copy of, delete or amend the Personal Data directly within the Platform, Organization may contact Level All and Level All, with Organization’s express written permission and provided Organization has obtained the appropriate consent from the applicable Data Subject, will provide a copy of, delete or amend such Data Subject’s Personal Data in accordance with Organization’s instructions. To the extent legally permitted, Organization shall be responsible for reasonable costs arising out of Level All’s provision of assistance with Organization’s Data Subject requests. Organization shall indemnify, defend, and hold harmless Level All and its affiliates, subsidiaries, successors and assigns (and the officers, directors, employees, sublicensees, Organizations, and agents of Level All and its affiliates, subsidiaries, successors, and assigns), from and against any and all losses, demands, liabilities, damages, fines, settlements, expenses, and costs (including without limitation reasonable attorneys’ fees and costs), arising from, or in connection with, Level All complying with Organization’s instructions under this Agreement.
8. Authorized Disclosure of Personal Data.
Organization acknowledges and agrees that, at Organization’s request and reasonable cost, Level All may provide Personal Data to third-parties or other entities to whom Organization requests Level All provide Personal Data (e.g., State Board of Education). Organization shall make such a request to disclose Personal Data in writing (“Authorization”). Organization acknowledges and agrees that each Authorization will result in Organization electing, in its sole discretion, to transfer the Personal Data to the recipients that Organization selects.
The entities identified in Section 8(a) are collectively defined as “Recipients.”
Organization acknowledges Personal Data may be subject to Data Protection Legislation. Organization will hold Level All harmless and not liable in any way for Level All’s disclosure of Personal Data to the Recipients in accordance with an Authorization.
Level All makes no warranty (a) that the use of the Personal Data by the Recipient is valid or in compliance with applicable Data Protection Legislation or Organization’s policies or (b) that Personal Data will remain secure upon transfer to the Recipient and disclaims any responsibility for the transfer. Organization acknowledges that the Personal Data will be provided on an “as is”, “as available” basis.
9. Data Retention. Level All will delete Personal Data within a reasonable amount of time after the termination or expiration of the Agreement, except that Level All may retain Personal Data as required by applicable legal requirements or as agreed by Organization. For the avoidance of doubt, the foregoing shall not apply to Anonymized Data (as defined below).
10. Level All Data. Organization acknowledges and agrees that Level All may create and derive performance, system, operational data, aggregated data, anonymized data and de-identified data from Processing related to the Agreement, including in connection with the Platform (collectively, “Anonymized Data”). In generating such data, Level All shall (a) take reasonable measures to ensure that such information cannot be associated with a Data Subject, (b) where required by applicable Data Protection Legislation, publicly commit to maintain and use the information in aggregated, anonymized or de-identified form, and (c) not attempt to reidentify the information, except as permitted under Data Protection Legislation.
11. Education Records. As applicable, to the extent Level All has access to “Education Records” and “Personally Identifiable Information” (as those terms are defined in the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, and its implementing regulations, 34 C.F.R. Part 99 (together, “FERPA”)) in connection with its provision of the Products: (a) Organization agrees that Level All has met the criteria for being a “School Official” with “Legitimate Educational Interests” (as those terms are used in FERPA) in such Education Records and Personally Identifiable Information, and/or the disclosure of such Education Records and Personally Identifiable Information to Level All meets one or more of the other conditions specified in 34 C.F.R. § 99.31; and (b) Level All agrees that such Education Records and Personally Identifiable Information will be used only for authorized purposes under the Agreement, and it will not redisclose such Education Records or Personally Identifiable Information except with Authorization from Organization and where such redisclosure is otherwise permitted under FERPA.
12. State Specific Privacy Addenda. If and then to the extent applicable, the Parties agree to the State Specific Data Protection Addenda for the applicable state(s) attached and incorporated into this DPA as Exhibit 1.
13. Updates to this DPA. Notwithstanding anything to the contrary in the Agreement, Level All reserves the right to modify this DPA from time to time in its sole discretion and without Organization’s prior consent except where required by applicable law (“Updated DPA”). Organization agrees that any Updated DPA will be effective immediately upon Level All emailing the Updated DPA to Organization, unless Level All is required by applicable law to obtain Organization’s consent, in which case, such Updated DPA will be effective immediately upon the provision of such consent. Level All will also endeavor to notify Organization of any material revision to this DPA at least ten (10) days prior to such revision coming into effect, using Organization’s email address as set forth in the Order Form.
Exhibit 1
Level All DPA State-Specific Addenda
Capitalized words used in the State Specific Data Protection Addenda but not defined herein have the meanings given to them in the Data Protection Addendum or in the Agreement.
California
With respect to Pupil Records (as defined in Cal. Educ. Code § 49073.1) that Level All processes on behalf of an Organization in California, the following provisions shall apply to the extent required by applicable law (for the avoidance of doubt Pupil Records are a subset of Personal Data as it is defined in the Agreement):
Pupil Records that Level All processes on behalf of Organization are the property of and under the control of Organization, except an Authorized User may retain possession and control of content generated by the Authorized User where the Authorized User opens a personal account.
Level All shall limit its use of Pupil Records to those purposes specified in the Agreement, the Data Protection Addendum, and the Privacy Policy.
Procedures for the review and correction of Pupil Records shall be in accordance with the Data Protection Addendum.
Level All shall implement, maintain, and use reasonable measures to ensure the security and confidentiality of Pupil Records as specified in the Data Protection Addendum.
Procedures for notification in the event of unauthorized disclosure of Pupil Records shall be in accordance with the terms of the Data Protection Addendum.
Level All certifies that retention of Pupil Records shall be limited in accordance with the terms of the Data Protection Addendum.
Level All’s and Organization’s access to and use of Education Records and Personally Identifiable Information (as defined in FERPA) shall be subject to the terms of the Data Protection Addendum.
Level All shall not use Personal Data in Pupil Records to engage in targeted advertising.
Colorado
With respect to Student Personally Identifiable Information (as defined in Colo. Rev. Stat. Ann. § 22-16-103) that Level All processes on behalf of an Organization in Colorado, the following provisions shall apply to the extent required by applicable law:
Level All shall comply in all material respects with the requirements of Colo. Rev. Stat. § 22-16-108 with regard to the provision of clear information regarding collection, use, and disclosure of Student Personally Identifiable Information, as specified in the Data Protection Addendum and Privacy Policy.
Level All shall comply in all material respects with Colo. Rev. Stat. § 22-16-109 with regard to the collection, use, and disclosure of Student Personally Identifiable Information, as specified in the Data Protection Addendum and Privacy Policy.
Level All shall comply in all material respects with the requirements of Colo. Rev. Stat. § 22-16-110 with regard to data security and retention of Student Personally Identifiable Information, as specified in the Data Protection Addendum and Privacy Policy.
Connecticut
With respect to Student Information, Student Records, and Student-generated Content (as those terms are defined in Conn. Gen. Stat. § 10-234aa) (collectively, “CT Student Data”) that Level All processes on behalf of an Organization in Connecticut, the following provisions shall apply to the extent required by applicable law:
CT Student Data that Level All processes on behalf of Organization are Organization Data and under the control of Organization.
Level All retention of CT Student Data shall be in accordance with the Data Protection Addendum and Privacy Policy.
Level All shall limit its use of CT Student Data to those purposes specified in the Agreement, Data Protection Addendum, and Privacy Policy.
Procedures for the review and correction of CT Student Data shall be in accordance with the Privacy Policy.
Level All shall implement, maintain, and use reasonable measures to ensure the security and confidentiality of CT Student Data as specified in the Data Protection Addendum.
Procedures for notification in the event of unauthorized disclosure of CT Student Data shall be in accordance with the terms of the Data Protection Addendum.
Level All’s and Organization’s access to and use of Education Records and Personally Identifiable Information (as defined in FERPA) shall be subject to the terms of the Data Protection Addendum.
Laws of the state of Connecticut shall govern rights and duties with regard to CT Student Data, as specified in the Agreement.
In the event that any provision or the application of the Agreement or Data Protection Addendum is held invalid by a court of competent jurisdiction, severability of terms shall be in accordance with the Agreement.
District of Columbia
With respect to Personally Identifiable Student Information (as defined in D.C. Code § 38-831.01(14)) that Level All processes on behalf of an Organization in the District of Columbia, the following provisions shall apply to the extent required by applicable law:
Procedures for notification in the event of unauthorized disclosure of Personally Identifiable Student Information shall be in accordance with the terms of the Data Protection Addendum.
Personally Identifiable Student Information that Level All processes on behalf of Organization are Organization Data and under the control of Organization.
Retention of Personally Identifiable Student Information shall be limited in accordance with the terms of the Data Protection Addendum.
Idaho
With respect to Student Data (as defined in Idaho Code Ann. § 33-133) that Level All processes on behalf of an Organization in Idaho, the following provisions shall apply to the extent required by applicable law (for the avoidance of doubt Student Data are a subset of Personal Data as it is defined in the Agreement):
Level All is permitted to use De-Identified Data, which may include Aggregated Data, as disclosed in the Data Protection Addendum and Privacy Policy, as applicable.
Level All is permitted to use Student Data for secondary uses with consent of a student’s parent or guardian and as disclosed in accordance with the Data Protection Addendum and Privacy Policy, as applicable.
Level All shall not use (including for marketing or advertising purposes) or sell Student Data except as specified in the Data Protection Addendum or with express prior parental consent.
Illinois
With respect to Covered Information (as defined in 105 Ill. Comp. Stat. Ann § 85/5) that Level All processes on behalf of an Organization in Illinois, the following provisions shall apply to the extent required by applicable law (for the avoidance of doubt Covered Information is a subset of Personal Data as it is defined in the Agreement):
The types of Covered Information for which Level All may act as a processor on behalf of Organization under the Agreement are specified in the Data Protection Addendum and Privacy Policy, as applicable.
The Services provided to Organization by Level All are specified in the Agreement.
Level All and Organization’s access to and use and disclosure of Education Records and Personally Identifiable Information (as defined in FERPA) shall be subject to FERPA, in accordance with the terms of the Data Protection Addendum.
Procedures in the event of a security breach shall be in accordance with the terms of the Data Protection Addendum; provided that, if the security breach is attributed to Level All, any costs and expenses incurred by the Organization in investigating and remediating the breach will be allocated between Level All and the Organization.
Level All’s retention of Covered Information shall be in accordance with the Data Protection Addendum and Privacy Policy, as applicable.
Level All agrees that Organization may publish a redacted copy of the Agreement and Data Protection Addendum on its website and/or make the documents available for inspection by the general public at its administrative office, as applicable.
New York
With respect to personally identifiable information (as defined in N.Y. Comp. Codes R. & Regs. tit. 8, § 121.1(m)) (“NY PII”) that Level All processes on behalf of an Organization in New York, the following provisions shall apply to the extent required by applicable law (for the avoidance of doubt, NY PII is a subset of Personal Data as defined in the Agreement):
Level All certifies that its technologies, safeguards and practices align with the NIST Cybersecurity Framework.
Level All shall comply in all material respects with Organization’s data security and privacy policy and applicable state and federal laws.
Level All shall limit access to NY PII it processes on behalf of Organization in accordance with the Data Protection Addendum and Privacy Policy.
Level All shall limit its use of NY PII to those purposes specified in the Terms of Service, Agreement, Data Protection Addendum, and Privacy Policy, as applicable.
Level All shall not disclose NY PII except in accordance with the Data Protection Addendum and Privacy Policy.
Level All shall implement, maintain, and use reasonable measures that are designed to ensure the security and confidentiality of NY PII as specified in the Data Protection Addendum.
Level All shall use encryption to protect electronic NY PII in transit or in storage.
Level All shall not sell NY PII and shall limit its use and disclosure of NY PII in accordance with the Data Protection Addendum and Privacy Policy.
Data Security and Privacy Plan
Level All will implement applicable data security and privacy requirements as specified in the Data Protection Addendum.
Level All shall implement, maintain, and use reasonable measures that are designed to ensure the security and confidentiality of NY PII as specified in the Data Protection Addendum.
Level All shall comply in all material respects with the terms of the New York Parents’ Bill of Rights set forth at www.levelall.com/nyparentsbillofrights or such other parents’ bill of rights that the parties mutually agree upon in writing.
Level All shall train its officers and employees on applicable laws prior to granting access to Authorized User data as specified in the Data Protection Addendum.
Level All shall require that Sub-processors protect NY PII and manage breaches and unauthorized disclosure as specified in the Data Protection Addendum.
Level All shall manage data security and privacy incidents as specified in the Data Protection Addendum. Procedures for notification in the event of breaches and unauthorized disclosures shall be in accordance with the terms of the Data Protection Addendum.
Level All’s retention of NY PII shall be limited in accordance with the Data Protection Addendum.
Utah
With respect to Student Data (as defined in Utah Code Ann. § 53E-9-301(17)) that Level All processes on behalf of an Organization in Utah, the following provisions shall apply to the extent required by applicable law:
Level All shall limit its collection, use, storage, and sharing of Student Data to those purposes specified in the Agreement, Data Protection Addendum, and Privacy Policy, as applicable.
Processing of Student Data by Sub-processors shall be in accordance with the Data Protection Addendum and Privacy Policy, as applicable.
Level All’s retention of Student Data shall be limited in accordance with the terms of the Agreement, Data Protection Addendum, and Privacy Policy, as applicable.
Level All shall not use Student Data for purposes other than those specified in the Agreement and Data Protection Addendum and except as permitted by Utah Code Ann. § 53E-9-309(4) or as requested by the Organization.
Level All agrees that, at Organization’s request, Organization or Organization’s designee may conduct an audit of Level All, in accordance with reasonable and mutually agreed-upon procedures, to verify compliance with the Agreement and Data Processing Agreement to the extent required by Utah Code Ann. § 53E-9-309.
Virginia
With respect to Student Personal Information (as defined in Va. Code Ann. § 22.1-289.01) that Level All processes on behalf of an Organization in Virginia, the following provisions shall apply to the extent required by applicable law:
The types of Student Personal Information for which Level All may act as a processor on behalf of Organization shall be specified in the Data Protection Addendum and Privacy Policy, as applicable.
Privacy of Student Personal Information processed by Level All on behalf of Organization shall be subject to the Data Protection Addendum and Privacy Policy, as applicable, and notification of material changes shall be in accordance with the Data Protection Addendum.
Level All shall maintain reasonable measures to ensure the security, privacy, confidentiality, and integrity of Student Personal Information as specified in the Data Protection Addendum.
Procedures for access to and the review and correction of Student Personal Information shall be in accordance with the Data Protection Addendum and Privacy Policy, as applicable.
Level All shall not collect, maintain, use, or share Student Personal Information except for purposes specified in the Agreement, Data Protection Addendum, and/or Privacy Policy, except with consent of the Organization or student’s parent or legal guardian, as applicable.
Level All shall require that its Sub-processors of Student Personal Information on behalf of Organization comply with Level All’s policies and security measures in accordance with the Data Protection Addendum.
Level All’s retention of Student Personal Information shall be limited in accordance with the terms of the Data Protection Addendum and Privacy Policy, as applicable.
Level All shall not use Student Personal Information to engage in targeted advertising to students.
Level All shall not use Student Personal Information to create a personal profile of a student, except for the purposes specified in the Agreement, Data Protection Addendum, and Privacy Policy, as applicable.
Level All shall not knowingly sell Student Personal Information except to the extent that Level All is sold to or acquired by a successor entity that purchases, merges with, or otherwise acquires Level All