
Canandaigua City School District

One Community, Transforming Lives

Software Vendor Agreement

 


SOFTWARE VENDOR AGREEMENT

This Agreement, made and entered into (Effective Date), by and between ("Vendor"), with a main office at ("Vendor Address"), and the Canandaigua City School District, having an office at 143 North Pearl St., Canandaigua, NY 14424 ("School District") (collectively "Parties").

In consideration of the mutual promises and covenants contained herein, the Parties agree as follows:

Vendor hereby grants to School District, including to all School District's authorized users, a non-exclusive, non-sublicensable, non-assignable and royalty-free license to access and use the service (the "Services") solely for School District's operations in accordance with the terms of this Agreement.

1. Data Accessed by Vendor

Vendor shall identify categories of all data accessed by Vendor or its subcontractors as part of this Agreement as set forth in Addendum B.

2. Term of Services

This Agreement begins on the Effective Date and will continue for a period of one (1) year, unless terminated pursuant to Section 3 below (the "Term").

3. Termination

This Agreement may be terminated as follows:

  1. By the School District upon thirty (30) days prior written notice to Vendor;
  2. By the School District immediately in the event of breach by the Vendor; and
  3. By either Party upon written mutual agreement.

4. Payment

Payment shall be made in accordance with Addendum C attached hereto.

5. Protection of Confidential Data

Vendor shall provide its Services in a manner which protects Student Data (as defined by 8 NYCRR § 121.1(q)) and Teacher or Principal Data (as defined by 8 NYCRR § 121.1(r)) (hereinafter "Confidential Data") in accordance with the requirements articulated under Federal, State and local laws and regulations, including but not limited to the following:

  • (a) Vendor will adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework.
  • (b) Vendor will comply with the School District Data Security and Privacy Policy, Education Law § 2-d, and 8 NYCRR § 121.
  • (c) Vendor will limit internal access to personally identifiable information to only those employees or subcontractors that need access to provide the contracted services.
  • (d) Vendor will not use the personally identifiable information for any purpose not explicitly authorized in this Agreement.
  • (e) Vendor will not disclose any personally identifiable information to any other party without the prior written consent of the parent or eligible student, unless otherwise authorized pursuant to applicable law.
  • (f) Vendor will maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of personally identifiable information in its custody.
  • (g) Vendor will use encryption to protect personally identifiable information in its custody while in motion or at rest.
  • (h) Vendor will not sell personally identifiable information nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so.
  • (i) In the event Vendor engages a subcontractor to perform its contractual obligations, the data protection obligations imposed on the Vendor shall apply to the subcontractor.

6. Data Breach

In the event that Confidential Data is accessed or obtained by an unauthorized individual, Vendor shall provide notification to the School District without unreasonable delay and not more than seven (7) calendar days after the discovery of such breach. Vendor shall follow the following process:

  • (a) The security breach notification shall be titled "Notice of Data Breach," shall be clear, concise, use language that is plain and easy to understand, and to the extent available, shall include: a brief description of the breach or unauthorized release; the dates of the incident and the date of discovery; a description of the types of Confidential Data affected; an estimate of the number of records affected; a brief description of the Vendor's investigation or plan to investigate; and contact information for representatives who can assist the School District with additional questions.
  • (b) The Vendor shall also prepare a statement for parents and eligible students which provides information under the following categories: "What Happened," "What Information Was Involved," "What We Are Doing," "What You Can Do," and "For More Information."
  • (c) Where a breach or unauthorized release of Confidential Data is attributed to Vendor, and/or a subcontractor or affiliate of Vendor, Vendor shall pay for or promptly reimburse the School District for the cost of notification to parents and eligible students of the breach.
  • (d) Vendor shall cooperate with the School District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Confidential Data.
  • (e) Vendor further acknowledges and agrees to have a written incident response plan that is consistent with industry standards and Federal and State laws for responding to a data breach, breach of security, privacy incident or unauthorized acquisition or use of Confidential Data or any portion thereof. Upon request, Vendor shall provide a copy of said written incident response plan to the School District.

7. Indemnification

Vendor shall at all times (both during and after the Term of this Agreement), indemnify, defend and hold harmless the School District, its agents, employees, and students (collectively for purposes of this Section, "the School District"), from and against any and all settlements, losses, damages, costs, counsel fees and all other expenses relating to or arising from (a) Vendor's failure to comply with the terms of this Agreement; and/or (b) the negligent operations, acts or omissions of the Vendor.

8. Compliance with Laws

Vendor, its employees and representatives shall at all times comply with all applicable Federal, State and local laws, rules and regulations.

9. Independent Relationship

It is expressly intended by the Parties hereto, and Vendor hereby specifically warrants, represents and agrees, that Vendor and the School District are independent entities. The Parties intend that this Agreement is strictly between two independent entities and does not create an employer/employee relationship for any purpose. Vendor shall perform the duties contemplated by this Agreement as an independent entity, to whom no benefits shall accrue except for those benefits expressly set forth in this Agreement.

10. Assignment

This Agreement is binding upon the Parties and their respective successors and assigns, but Vendor's obligations under this Agreement are not assignable without the prior written consent of the School District. Any assignment without the School District's consent shall be null and void.

11. Governing Law

This Agreement and any Services provided hereunder shall be governed by the laws of the State of New York both as to interpretation and performance, without regard to its choice of law requirements.

12. Waiver

No delay or omission of the School District to exercise any right hereunder shall be construed as a waiver of any such right and the School District reserves the right to exercise any such right from time to time, as often as may be deemed expedient.

13. Addendums

The following Addenda are attached hereto and incorporated herein:

| Addendum Reference | Description of Specifications and Services |
|---|---|
| Addendum A | Description of Specifications and Services |
| Addendum B | Schedule of Data |
| Addendum C | Payment Schedule |
| Addendum D | School District's Parents' Bill of Rights |
| Addendum E | Parents' Bill of Rights - Supplemental Information Addendum |
| Addendum F | Vendor's Data Security and Privacy Plan |

14. Severability

Should any part of this Agreement for any reason be declared by any court of competent jurisdiction to be invalid, such decision shall not affect the validity of any remaining portion, which remaining portion shall continue in full force and effect as if this Agreement had been executed with the invalid portion hereof eliminated, it being the intention of the Parties that they would have executed the remaining portion of this Agreement without including any such part, parts or portions which may for any reason be hereafter declared invalid.

15. Entire Agreement

This Agreement and its Addendums constitute the entire Agreement between the Parties with respect to the subject matter hereof and shall supersede all previous negotiations, commitments and writings. It shall not be released, discharged, changed or modified except by an instrument in writing signed by a duly authorized representative of each of the Parties.

Addendum D

Parents' Bill of Rights for Student Data Privacy and Security

The Canandaigua City School District, in recognition of the risk of identity theft and unwarranted invasion of privacy, affirms its commitment to safeguarding student personally identifiable information (PII) in educational records from unauthorized access or disclosure in accordance with State and Federal law.

Pursuant to Education Law Section 2-d and the associated regulations (Part 121), the Canandaigua City School District establishes the following parental bill of rights:

  • A student's personally identifiable information (PII) cannot be sold or released by the Canandaigua City School District for any marketing or commercial purposes;
  • Parents have the right to inspect and review the complete contents of their child's education record. This right of inspection is consistent with the requirements of the Family Educational Rights and Privacy Act (FERPA) and the District's policies (for more information about how to exercise this right, see 5500-R);
  • State and federal laws protect the confidentiality of students' personally identifiable information. Safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls, and password protection, must be in place when data is stored or transferred;
  • A complete list of all student data elements collected by the State is available for public review on the New York State Education Department website or by writing to: Office of Information & Reporting Services, New York State Education Department, Room 863 EBA, 89 Washington Avenue, Albany, NY 12234; and
  • Parents have the right to have complaints about possible breaches and unauthorized disclosures of student data addressed. Complaints should be directed to the Data Protection Officer, Canandaigua City School District, 143 North Pearl Street, Canandaigua, NY 14424 or by email to bowmand@canandaiguaschools.org or by telephone at 585-396-3700. Complaints can also be directed to the New York State Education Department online, by mail to the Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234 or by email to privacy@mail.nysed.gov or by telephone at 518-474-0937.

Addendum E

Parents' Bill of Rights - Supplemental Information Addendum

  1. EXCLUSIVE PURPOSES FOR DATA USE: The exclusive purposes for which "student data" or "teacher or principal data" (as those terms are defined in Education Law Section 2-d and collectively referred to as the "Confidential Data") will be used by (the "Vendor") are limited to the purposes authorized in the contract between the Vendor and the Canandaigua City School District (the "School District") dated (Effective Date) (the "Agreement").
  2. SUBCONTRACTOR OVERSIGHT DETAILS: The Vendor will ensure that any subcontractors, or other authorized persons or entities to whom the Vendor will disclose the Confidential Data, if any, are contractually required to abide by all applicable data protection and security requirements, including but not limited to, those outlined in applicable State and Federal laws and regulations (e.g., Family Educational Rights and Privacy Act ("FERPA"); Education Law § 2-d; 8 NYCRR § 121).
  3. VENDOR PRACTICES: The Agreement commences and expires on the dates set forth in the Agreement, unless earlier terminated or renewed pursuant to the terms of the Agreement. On or before the date the Agreement expires, protected data will be exported to the School District in digital format and/or destroyed by the Vendor as directed by the School District.
  4. DATA ACCURACY/CORRECTION PRACTICES: A parent or eligible student can challenge the accuracy of any "education record", as that term is defined in the FERPA, stored by the School District in a Vendor's product and/or service by following the School District's procedure for requesting the amendment of education records under the FERPA. Teachers and principals may be able to challenge the accuracy of APPR data stored by School District in Vendor's product and/or service by following the appeal procedure in the School District's APPR Plan. Unless otherwise required above or by other applicable law, challenges to the accuracy of the Confidential Data shall not be permitted.
  5. SECURITY PRACTICES: Confidential Data provided to Vendor by the School District will be stored (location). The measures that Vendor takes to protect Confidential Data will align with the NIST Cybersecurity Framework, including but not necessarily limited to, disk encryption, file encryption, firewalls, and password protection.
  6. ENCRYPTION PRACTICES: The Vendor will apply encryption to the Confidential Data while in motion and at rest at least to the extent required by Education Law Section 2-d and other applicable law.