CATCH GLOBAL FOUNDATION
DATA PRIVACY AGREEMENT (DPA)
WHEREAS, in order to provide the Services described in the Service Agreement, CATCH Global Foundation may receive or create and the LEA may provide documents or data that are covered by federal statutes, among them, the Federal Educational Rights and Privacy Act (“FERPA”) at 20 U.S.C. 1232g (34 CFR Part 99), Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. 6501-6506, and Protection of Pupil Rights Amendment (“PPRA”) 20 U.S.C. 1232h; and
NOW THEREFORE, for good and valuable consideration, the parties agree as follows:
ARTICLE I: DATA OWNERSHIP AND AUTHORIZED ACCESS
1. Ownership of Data. All Data transmitted to CATCH Global Foundation pursuant to the Service Agreement, including any copies, modifications or additions or any portion thereof from any source, are subject to the provisions of this DPA in the same manner as the original Data. The Parties agree that as between them, all rights, including all intellectual property rights in and to such Data contemplated per the Service Agreement shall remain the exclusive property of the LEA.
2. CATCH Global Foundation Materials. CATCH Global Foundation retains all right, title and interest in and to any and all of CATCH Global Foundation’s software, materials, tools, forms, documentation, training and implementation materials and intellectual property (“CATCH Global Foundation Materials”). CATCH Global Foundation grants to the LEA a personal, nonexclusive license to use CATCH Global Foundation Materials for its own non-commercial, incidental use as set forth in the Service Agreement and for the schools and the period subscribed by the LEA. CATCH Global Foundation represents that it has all intellectual property rights necessary to enter into and perform its obligations in this DPA and the Service Agreement, warrants to the District that the District will have use of any intellectual property contemplated by the Service Agreement free and clear of claims of any nature by any third Party including, without limitation, copyright or patent infringement claims, and agrees to indemnify the District for any related claims.
3. Data Portability. CATCH Global Foundation shall, at the request of the LEA, make Data available in a readily accessible format.
4. Third Party Request. Should a Third Party, including law enforcement or a government entity, contact CATCH Global Foundation with a request for data held by CATCH Global Foundation pursuant to the Services, CATCH Global Foundation shall immediately (within 1 business day), and to the extent legally permitted, redirect the Third Party to request the data directly from the LEA, notify the LEA of the request, and provide a copy of the request to the LEA. Furthermore, if legally permissible, CATCH Global Foundation shall promptly notify the LEA of a subpoena compelling disclosure to a Third Party and provide a copy of the subpoena with sufficient time for the LEA to raise objections to the subpoena. CATCH Global Foundation will not use, disclose, compile, transfer, or sell the Data and/or any portion thereof to any third party or other entity or allow any other third party or other entity to use, disclose, compile, transfer or sell the Data and/or any portion thereof. Notwithstanding any provision of this DPA or Service Agreement to the contrary, CATCH Global Foundation understands that the LEA is subject to and will comply with the Texas Public Information Act (Chapter 552, Texas Government Code). CATCH Global Foundation understands and agrees that information, documentation and other material in connection with the DPA and Service Agreement may be subject to public disclosure.
5. No Unauthorized Use. CATCH Global Foundation shall use Data only for the purpose of fulfilling its duties and obligations under the Service Agreement and will not share Data with or disclose it to any Third Party without the prior written consent of the LEA, except as required by law or to fulfill its duties and obligations under the Service Agreement.
6. Subprocessors. CATCH Global Foundation shall either (1) enter into written agreements with all Subprocessors performing functions pursuant to the Service Agreement, such that the Subprocessors agree to protect Data in a manner the same as or better than as provided pursuant to the terms of this DPA, or (2) indemnify and hold harmless the LEA, its officers, agents, and employees from any and all claims, losses, suits, or liability including attorneys’ fees for damages or costs resulting from the acts or omissions of its Subprocessors. CATCH Global Foundation shall periodically conduct or review compliance monitoring and assessments of Subprocessors to determine their compliance with this DPA. Subprocessors shall agree to the provisions of the DPA regarding governing law, venue, and jurisdiction.
ARTICLE II: DATA PROVIDED BY LEA AND DATA COLLECTED BY CATCH GLOBAL FOUNDATION
1. Data Provided by LEA. CATCH Global Foundation requires districts to provide the following data in order to properly provision licenses on the CATCH.org platform:
a. School Data:
1. School name
2. Grade levels served
3. Curriculum/resource licenses to be assigned
b. Teacher Data:
1. First and Last Name
2. Email address
5. Grade(s) taught
c. Miscellaneous, as applicable
1. Metadata required to provide Single Sign-On (SSO) services (e.g. School or Campus ID, etc.)
d. Student Data:
1. NO STUDENT DATA WHATSOEVER SHOULD BE PROVIDED TO CATCH GLOBAL FOUNDATION.
2. Data provided by Teachers. Communications with CATCH Global Foundation’s support team and/or comments on the Educators’ Club message boards may be submitted by teachers through the platform or via email. No sensitive/non-public information should be transmitted by teachers to CATCH Global Foundation in these communications. In the case that any sensitive information is transmitted, it shall be immediately removed from any message board and the District shall be notified.
3. Platform Usage Data Collected by CATCH Global Foundation. As part of usage monitoring, program improvements, and district reporting, CATCH Global Foundation collects the following user activity information during platform usage:
a. Login dates and times
b. Lessons/Resources viewed or downloaded
ARTICLE III: DUTIES OF CATCH GLOBAL FOUNDATION
1. Privacy Compliance. CATCH Global Foundation may receive Personally Identifiable Information (“PII”) from the LEA in the course of fulfilling its duties and obligations under the Service Agreement. CATCH Global Foundation shall comply with all applicable State and Federal laws and regulations pertaining to data privacy and security including FERPA, COPPA, PPRA, Texas Education Code Chapter 32, and all other Texas privacy statutes cited in this DPA.
2. Employee Obligation. CATCH Global Foundation shall require all employees and agents who have access to Data to comply with all applicable provisions of this DPA with respect to the data shared under the Service Agreement. CATCH Global Foundation agrees to require and maintain an appropriate confidentiality agreement from each employee or agent with access to Data pursuant to the Service Agreement.
3. De-identified Information. De-identified Information may be used by CATCH Global Foundation only for the purposes of development, product improvement, to demonstrate or market product effectiveness, or research as any other member of the public or party would be able to use de-identified data pursuant to 34 CFR 99.31(b). CATCH Global Foundation agrees not to attempt to re-identify De-identified Information and not to transfer De-identified Information to any party unless (a) that party agrees in writing not to attempt re-identification, and (b) prior written notice has been given to LEA who has provided prior written consent for such transfer. CATCH Global Foundation shall not copy, reproduce or transmit any De-identified Information or other Data obtained under the Service Agreement except as necessary to fulfill the Service Agreement.
4. Access To, Return, and Disposition of Data. Upon written request of LEA, CATCH Global Foundation shall dispose of or delete all Data obtained under the Service Agreement when it is no longer needed for the purpose for which it was obtained, within 180 days of the end of the Service Agreement or according to a schedule and procedure as the Parties may reasonably agree. CATCH Global Foundation acknowledges LEA’s obligations regarding retention of governmental data, and shall not destroy Data except as permitted by LEA. Nothing in the Service Agreement shall authorize CATCH Global Foundation to maintain Data obtained under the Service Agreement beyond the time period reasonably needed to complete the disposition. Disposition shall include (1) the shredding of any hard copies of any Data; (2) Data Destruction; or (3) Otherwise modifying the personal information in those records to make it unreadable or indecipherable. CATCH Global Foundation shall provide written notification to LEA when the Data has been disposed of. The duty to dispose of Data shall not extend to data that has been de-identified or placed in a separate Student account, pursuant to the other terms of the DPA. The LEA may employ a “Request for Return or Deletion of Data” form (a sample of this form is attached as Exhibit “D”). Upon receipt of a request from the LEA, CATCH Global Foundation will immediately provide the LEA with any specified portion of the Data within five (5) business days of receipt of said request.
5. Targeted Advertising Prohibition. CATCH Global Foundation is prohibited from using or selling Data to (a) market or advertise to students or families/guardians; (b) inform, influence, or enable marketing, advertising, or other commercial efforts by a third party; or (c) use the Data for the development of commercial products or services, other than as necessary to provide the Service to LEA. This section does not prohibit CATCH Global Foundation from generating legitimate personalized learning recommendations.
6. Access to Data. CATCH Global Foundation shall make Data in the possession of CATCH Global Foundation available to the LEA within five (5) business days of a request by the LEA.
ARTICLE IV: DATA PROVISIONS
1. Data Security. CATCH Global Foundation agrees to abide by and maintain adequate data security measures, consistent with industry standards and technology best practices, to protect Data from unauthorized disclosure or acquisition by an unauthorized person. The general security duties of CATCH Global Foundation are set forth below. These measures shall include, but are not limited to:
a. Passwords and Employee Access. CATCH Global Foundation shall secure usernames, passwords, and any other means of gaining access to the Services or to Data, at a level consistent with an industry standard agreed upon by LEA (e.g. suggested by Article 4.3 of NIST 800-63-3). CATCH Global Foundation shall only provide access to Data to employees or subprocessors that are performing the Services. Employees with access to Data shall have signed confidentiality agreements regarding said Data. All employees with access to Data shall pass criminal background checks.
b. Security Protocols. Both parties agree to maintain security protocols that meet industry best practices in the transfer or transmission of any data, including ensuring that data may only be viewed or accessed by parties legally allowed to do so. CATCH Global Foundation shall maintain all data obtained or generated pursuant to the Service Agreement in a secure computer environment.
c. Employee Training. CATCH Global Foundation shall provide periodic security training to those of its employees who operate or have access to the system.
d. Security Technology. When the Services are accessed using a supported web browser, Secure Socket Layer (“SSL”) or equivalent technology shall be employed to protect data from unauthorized access. The service security measures shall include server authentication and data encryption in transit. CATCH Global Foundation shall host data pursuant to the Service Agreement in an environment using a firewall that is periodically updated according to industry standards.
f. Security Contact. CATCH Global Foundation shall provide the name and contact information of CATCH Global Foundation’s Security Contact to the LEA. The LEA may direct security concerns or questions to the Security Contact.
g. Periodic Risk Assessment. CATCH Global Foundation shall conduct periodic risk assessments and remediate any identified security and privacy vulnerabilities in a timely manner. Upon request, CATCH Global Foundation will provide the LEA an executive summary of the risk assessment or equivalent report and confirmation of remediation.
h. Backups. CATCH Global Foundation agrees to maintain backup copies, backed up at least daily, of Data in case of CATCH Global Foundation’s system failure or any other unforeseen event resulting in loss of any portion of Data.
i. Audits. Within 30 days of receiving a request from the LEA, and not to exceed one request per year, the LEA may audit the measures outlined in the DPA. CATCH Global Foundation will cooperate fully with the LEA and any local, state, or federal agency with oversight authority/jurisdiction in connection with any audit or investigation of CATCH Global Foundation and/or delivery of Services to students and/or LEA, and shall provide full access to CATCH Global Foundation’s facilities, staff, agents and LEA’s Data and all records pertaining to CATCH Global Foundation, LEA and delivery of Services to CATCH Global Foundation. Failure to cooperate shall be deemed a material breach of the DPA. The LEA may request an additional audit if a material concern is identified.
j. Incident Response. CATCH Global Foundation shall have a written incident response plan that reflects best practices and is consistent with industry standards and federal and state law for responding to a data breach, breach of security, privacy incident or unauthorized acquisition or use of any portion of Data, including PII, and agrees to provide LEA, upon request, an executive summary of the written incident response plan.
2. Data Breach. When CATCH Global Foundation reasonably suspects and/or becomes aware of an unauthorized disclosure or security breach concerning any Data covered by this Agreement, CATCH Global Foundation shall notify the District within 24 hours. CATCH Global Foundation shall take immediate steps to limit and mitigate the damage of such security breach to the greatest extent possible. If the incident involves criminal intent, then CATCH Global Foundation will follow direction from the Law Enforcement Agencies involved in the case.
a. The security breach notification to the LEA shall be written in plain language, and address the following:
1. A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
2. A description of the circumstances surrounding the disclosure or breach, including the actual or estimated time and date of the breach, and whether the notification was delayed as a result of a law enforcement investigation.
b. CATCH Global Foundation agrees to adhere to all requirements in applicable state and federal law with respect to a Data breach or disclosure, including any required responsibilities and procedures for notification or mitigation.
c. In the event of a breach or unauthorized disclosure, CATCH Global Foundation shall cooperate fully with the LEA, including, but not limited to providing appropriate notification to individuals impacted by the breach or disclosure. CATCH Global Foundation will reimburse the LEA in full for all costs incurred by the LEA in investigation and remediation of any Security Breach caused in whole or in part by CATCH Global Foundation or CATCH Global Foundation’s subprocessors, including but not limited to costs of providing notification and providing one year’s credit monitoring to affected individuals if PII exposed during the breach could be used to commit financial identity theft.
d. The LEA may immediately terminate the Service Agreement if the LEA determines CATCH Global Foundation has breached a material term of this DPA.
e. CATCH Global Foundation’s obligations under Section 7 shall survive termination of this DPA and Service Agreement until all Data has been returned and/or Securely Destroyed.
ARTICLE V: MISCELLANEOUS
1. Term. CATCH Global Foundation shall be bound by this DPA for the duration of the Service Agreement or so long as CATCH Global Foundation maintains any Data. Notwithstanding the foregoing, CATCH Global Foundation agrees to be bound by the terms and obligations of this DPA for no less than three (3) years.
2. Termination. In the event that either party seeks to terminate this DPA, they may do so by mutual written consent so long as the Service Agreement has lapsed or has been terminated.
3. Effect of Termination Survival. If the Service Agreement is terminated, CATCH Global Foundation shall dispose of all of LEA’s Data pursuant to Article III, section 4.
4. Notice. All notices or other communication required or permitted to be given hereunder must be in writing and given by personal delivery, facsimile or e-mail transmission (if contact information is provided for the specific mode of delivery), or first-class mail, postage prepaid, sent to the designated representatives.
5. Entire Agreement. This DPA constitutes the entire agreement of the parties relating to the subject matter and supersedes all prior communications, representations, or agreements, oral or written, by the Parties. This DPA may be amended and the observance of any provision of this DPA may be waived (either generally or in any particular instance and either retroactively or prospectively) only with the signed written consent of both parties. Neither failure nor delay on the part of any party in exercising any right, power, or privilege hereunder shall operate as a waiver of such right, nor shall any single or partial exercise of any such right, power, or privilege preclude any further exercise thereof or the exercise of any other right, power, or privilege.
6. Severability. Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions of this DPA, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. Notwithstanding the foregoing, if such provision could be more narrowly drawn so as not to be prohibited or unenforceable in such jurisdiction while, at the same time, maintaining the intent of the parties, it shall, as to such jurisdiction, be so narrowly drawn without invalidating the remaining provisions of this DPA or affecting the validity or enforceability of such provision in any other jurisdiction.
7. Governing Law; Venue and Jurisdiction. THIS DPA WILL BE GOVERNED BY AND CONSTRUED IN ACCORDANCE WITH THE LAWS OF THE STATE OF TEXAS, WITHOUT REGARD TO CONFLICTS OF LAW PRINCIPLES. EACH PARTY CONSENTS AND SUBMITS TO THE SOLE AND EXCLUSIVE JURISDICTION TO THE STATE AND FEDERAL COURTS FOR THE COUNTY IN WHICH THIS AGREEMENT IS FORMED FOR ANY DISPUTE ARISING OUT OF OR RELATING TO THIS SERVICE AGREEMENT OR THE TRANSACTIONS CONTEMPLATED HEREBY.
8. Authority. CATCH Global Foundation represents that it is authorized to bind to the terms of this DPA, including confidentiality and destruction of Data and any portion thereof contained therein, all related or associated institutions, individuals, employees or contractors who may have access to the Data and/or any portion thereof, or may own, lease or control equipment or facilities of any kind where the Data and portion thereof is stored, maintained or used in any way.
9. Waiver. Waiver by any party to this DPA of any breach of any provision of this DPA or warranty of representation set forth herein shall not be construed as a waiver of any subsequent breach of the same or any other provision. The failure to exercise any right under this DPA shall not operate as a waiver of such right. All rights and remedies provided for in this DPA are cumulative. Nothing in this DPA shall be construed as a waiver or relinquishment of any governmental immunities or defenses on behalf of the LEA, its trustees, officers, employees, and agents as a result of the execution of this DPA or performance of the functions or obligations described herein.
10. Assignment. The Parties may not assign their rights, duties, or obligations under this DPA, either in whole or in part, without the prior written consent of the other Party except that either party may assign any of its rights and obligations under this DPA without consent in connection with any merger (including without limitation by operation of law), consolidation, reorganization, or sale of all or substantially all of its related assets or similar transaction. This DPA inures to the benefit of and shall be binding on the Parties’ permitted assignees, transferees and successors.
HB 2087: The statutory designation for what is now Texas Education Code Chapter 32 relating to pupil records.
Data: Data shall include, but is not limited to, the following: student data, educational records, employee data, metadata, user content, course content, materials, and any and all data and information that the District (or any authorized end user(s)) uploads or enters through their use of the product. Data also specifically includes all personally identifiable information in education records, directory data, and other non-public information for the purposes of Texas and Federal laws and regulations. Data as specified in Exhibit B is confirmed to be collected or processed by CATCH Global Foundation pursuant to the Services. Data shall not constitute that information that has been anonymized or de-identified, or anonymous usage data regarding a student’s use of CATCH Global Foundation’s services.
De-Identified Information (DII): De-Identified Information is Data subjected to a process by which any Personally Identifiable Information (“PII”) is removed or obscured in a way that eliminates the risk of disclosure of the identity of the individual or information about them, and cannot be reasonably re-identified.
Data Destruction: Provider shall certify to the District in writing that all copies of the Data stored in any manner by Provider have been returned to the District and permanently erased or destroyed using industry best practices to assure complete and permanent erasure or destruction. These industry best practices include, but are not limited to, ensuring that all files are completely overwritten and are unrecoverable. Industry best practices do not include simple file deletions or media high level formatting operations.
NIST 800-63-3: Draft National Institute of Standards and Technology (“NIST”) Special Publication 800-63-3 Digital Authentication Guideline.
Personally Identifiable Information (PII): The terms “Personally Identifiable Information” or “PII” shall include, but are not limited to, Data, metadata, and user-generated content obtained by reason of the use of CATCH Global Foundation’s software, website, service, or app, including mobile apps, whether gathered by CATCH Global Foundation or provided by LEA or its users. PII includes Indirect Identifiers, which is any information that, either alone or in aggregate, would allow a reasonable person to be able to identify an individual to a reasonable certainty. For purposes of this DPA, Personally Identifiable Information shall include the categories of information listed in the definition of Data.
Subscribing LEA: A LEA that was not party to the original Services Agreement and who accepts CATCH Global Foundation’s General Offer of Privacy Terms.
Subprocessor: For the purposes of this Agreement, the term “Subprocessor” (sometimes referred to as the “Subcontractor”) means a party other than LEA or CATCH Global Foundation, who CATCH Global Foundation uses for data collection, analytics, storage, or other service to operate and/or improve its software, and who has access to PII.