This Student Data Privacy Addendum (“Addendum”) supplements the Terms of Service between Speakable Technologies, Inc. dba Speakable (“Provider”) and any Educational Institution customer (“Customer”) that makes the Speakable features and services (“Services”) available to students in an educational setting. Capitalized terms not defined in this Addendum have the meanings set out in the Provider's Terms of Service.

If the Provider and Customer have agreed in writing to separate terms reasonably equivalent to this Addendum, those terms will apply instead of this Addendum.

ARTICLE I: PURPOSE AND SCOPE

Purpose: This Addendum outlines the parties' obligations to protect Student Data, in compliance with all applicable privacy laws, including FERPA, PPRA, COPPA, and relevant state laws. Provider is considered a School Official under FERPA, acting under the direct control of the Customer.

Student Data Provided: Customer will provide Student Data as outlined in Exhibit A.

Definitions: Definitions are found in Exhibit B. These take precedence over any conflicting definitions in other documents.

ARTICLE II: DATA OWNERSHIP AND AUTHORIZED ACCESS

• Ownership: All Student Data remains the property of the Customer. Provider acknowledges all copies, including modifications, are subject to this Addendum.
• Parent Access: Provider will assist Customer in fulfilling legal requests from parents or eligible students to review or correct Student Data, within 45 days or as required by state law.
• Separate Account: Provider will allow transfer of student-generated content to student accounts upon request.
• Law Enforcement Requests: Provider will notify Customer before disclosing Student Data to law enforcement, unless prohibited.
• Subprocessors: Provider will bind subprocessors to data protection obligations consistent with this Addendum.

ARTICLE III: DUTIES OF CUSTOMER

• Provide Student Data in compliance with applicable privacy laws.
• List the Provider as a School Official in annual FERPA notifications.
• Take reasonable security precautions (e.g., securing passwords).
• Promptly notify Provider of unauthorized access and assist in incident response.

ARTICLE IV: DUTIES OF PROVIDER

• Comply with all applicable laws regarding Student Data.
• Use Student Data only for the Services described.
• Ensure all employees and subprocessors with access to Student Data are bound to confidentiality.
• No redisclosure of Student Data unless legally authorized or de-identified.
• Use De-Identified Data only for allowable purposes under FERPA and not re-identify it.
• Upon written request or termination, return or delete Student Data within 60 days, except De-Identified Data.
• Do not use Student Data for targeted advertising or profiling.

ARTICLE V: DATA PROVISIONS

• Storage: Where required, Student Data will be stored in the U.S. Provider will provide storage locations on request.
• Audits: Customer may audit Provider’s privacy/security practices annually or after a breach with 10 business days’ notice.
• Security: Provider will maintain administrative, technical, and physical safeguards.
• Data Breach: Provider must notify Customer within 72 hours of confirming a breach. Notification will include:
  • Contact person
  • Data types breached
  • Breach date or date range
  • Delay reason (if any)
  • General description of the breach
    Provider will also maintain a written incident response plan.

ARTICLE VI: MISCELLANEOUS

• Termination may occur by mutual consent or for breach. Provider must delete Student Data upon termination.
• This Addendum governs over other agreements concerning Student Data.
• This document, with exhibits, constitutes the entire agreement on student data privacy.
• Amendments and waivers must be in writing and signed by both parties.
• If a provision is unenforceable, the rest remains in effect.
• This Addendum is governed by the laws of the Customer’s state, unless otherwise agreed.
• Provider will notify Customer of any business changes and ensure successors assume this Addendum.
• Both parties represent that they are authorized to enter into this agreement.
• No delay or omission in enforcing rights shall be considered a waiver.

EXHIBIT B: DEFINITIONS

De-Identified Data and De-Identification: Records and information are de-identified when all personally identifiable information has been removed or obscured, such that the remaining information does not reasonably identify a specific individual.

Educational Records: Records directly related to a student and maintained by the school or LEA, including attendance, academic work, evaluations, and more.

Metadata: Information that provides meaning and context to other data (e.g., date/time created). Metadata without identifiers is not considered PII.

Operator: An entity operating a website, service, or app used for K–12 purposes and under agreement with a Customer.

Provider: A vendor of educational services, including digital storage or learning platforms.

Student-Generated Content: Content created by a student, such as essays, videos, photos, and account info.

School Official: A contractor under direct control of the educational agency and subject to FERPA limitations.

Service Agreement: Refers to the Terms of Service or similar agreement between Provider and Customer.

Student Data: Any data that describes a student, including personally identifiable and educational record information.

Subprocessor: A third party engaged by the Provider to assist with services and who may access Student Data.

Targeted Advertising: Ads based on Student Data or behavior. Contextual ads or those based on student request are not included.

‍