Data Security Program for WisdomK12
Reporting. Upon request from Subscriber, WisdomK12 will provide any of the following: (i) a summary of all help desk calls; (ii) uptime and downtime metrics; and (iii) changes and utilization of Named User accounts.
Notice of Updates. WisdomK12 will provide notice of impending updates as follows:
Administrative Access by WisdomK12. WisdomK12 is responsible for the appropriate safeguarding of its internal user accounts and passwords used to access Subscriber Data. All WisdomK12 users, employees or contractors will have unique access credentials and no common credentials will be shared. WisdomK12 will regularly review and delete any unused user account information. WisdomK12 will provide records of such accounts upon request of Subscriber.
Access to Subscriber Systems. To the extent that WisdomK12 requires access to Subscriber Systems, WisdomK12 will execute all necessary Subscriber agreements and policies regarding data security and confidentiality.
Ownership of Domain Names. In the event that WisdomK12 establishes top level domain names or accounts on behalf of Subscriber which include Subscriber’s name or other trade or service marks, all such domain names and accounts shall be solely owned by Subscriber, and WisdomK12 shall have no right to use them except for the purpose of providing Services and shall not obtain domain name registrations on behalf of Subscriber without Subscriber’s prior written permission. Subscriber may also provide WisdomK12 with its own top level domain name for WisdomK12 to use in conjunction with the Services. Subscriber agrees that it shall bear all responsibility, maintenance and costs for the registration and renewal of the domain name and any required certificates.
Service Continuity. WisdomK12 shall maintain commercially reasonable service continuity plans to ensure that the Services remain available consistent with established service level commitments, regardless of whether there is a disruption of WisdomK12’s primary data processing or telecommunications infrastructure. The service continuity plan shall be made available to Subscriber upon request.
Backups. WisdomK12 is responsible for performing backups of Subscriber Data and any system and application configurations necessary to provide the Services. Such backups shall be configured such that there shall be no loss of Subscriber Data in the event of a failure of the Services.
Information Security. WisdomK12 shall implement administrative, physical and technical safeguards, with respect to all Services, necessary to secure its computers, applications, IT infrastructure, premises and Subscriber Data that are no less rigorous than accepted industry practices, and shall ensure that all such safeguards, including the manner in which Subscriber Data is collected, accessed, used, stored, processed, disposed of and disclosed, comply with the terms and conditions of this Agreement.
WisdomK12’s safeguards for the protection of Subscriber Data shall include, but are not limited to:
Limiting access of Subscriber Data to authorized persons.
Securing and encrypting (where applicable) business facilities, data centers, paper files, servers, back-up systems and computing equipment, including, but not limited to, thumb drives, mobile devices and other equipment with information storage capability.
Implementing network, device, application, database and platform security and securing information transmission, storage and disposal. All WisdomK12 workstations, laptops, servers and other systems and devices that access the Services will have a commercial third-party anti-malware software solution, including anti-virus, anti-spam, anti-hacker, anti-spyware capabilities, with a minimum daily automatic update. All such servers, workstations, laptops and other systems will have all applicable security patches applied to the operating system and system software. WisdomK12 will use role-based access controls for all user authentications, enforcing the principle of least privilege.
Implementing multi-factor authentication and access controls within media, applications, operating systems and equipment. Browser access to the Services will use cryptographic protocols such as Transport Layer Security (TLS) 1.2 or higher.
Encrypting Subscriber Data stored on any server or backup storage media using AES-256 or higher.
Encrypting, end to end, Subscriber Data transmitted over public or wireless networks.
All Subscriber Data will be wiped from systems and servers when the systems and servers are retired, and upon termination of this Agreement. The wipe method must conform to NIST Publication 800-88, as amended from time to time.
Any remote access by WisdomK12 to Subscriber Data must be executed over an encrypted method using technology that does not allow Subscriber Data to be “cached,” saved or copied onto unencrypted remote computers or those with insufficient security controls.
Compliance with Laws, Rules and Regulations. WisdomK12 shall provide the Services hereunder in full compliance with all applicable federal, state and local laws, industry rules and generally accepted industry standards at its own expense and within the mandated or commercially reasonable (if no time is mandated) time frames. For the purpose of clarity, such time frame may extend beyond the Term of the Agreement.
Security Breach. A “Security Breach” means (i) any act or omission that compromises either the security, confidentiality or integrity of Subscriber Data or the physical, technical, administrative or organizational safeguards put in place by WisdomK12 (or any organization acting on behalf of WisdomK12) that relate to the security, confidentiality or integrity of Subscriber Data, or (ii) a loss or inappropriate disclosure of Subscriber Data. In the event of a Security Breach, WisdomK12 shall notify Subscriber of a Security Breach as soon as practicable, but no later than twenty-four (24) hours after WisdomK12 becomes aware of it. Such notice shall include the scope of any possible or actual breach or loss of Subscriber Data. Promptly following WisdomK12’s notification to Subscriber of a Security Breach, WisdomK12 will provide Subscriber with the contact information for a primary security point of contact and shall be available to assist Subscriber outside of Business Hours. The Parties shall coordinate with each other to investigate and cooperate in handling of the Security Breach. Each Party shall make available all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards or as otherwise reasonably required. Except as required by applicable law, WisdomK12 agrees that it shall not inform any third party or the public that Subscriber Data has been involved in a Security Breach without first obtaining Subscriber’s prior written consent, other than to inform a complainant that the matter has been forwarded to Subscriber’s legal counsel.
In the event of a Security Breach, WisdomK12 will provide the following information to Subscriber with respect to all affected individuals relating to exposed Subscriber Data, to the extent available: (i) the identification of each individual, and the total number of individuals, whose information has been, or is reasonably believed by WisdomK12 to have been, accessed, acquired, used or disclosed during the Security Breach; (ii) a brief description of the event, including the root cause; (iii) the date of the event; (iv) the date of discovery of the event; (v) a description of the types of Subscriber Data involved in the event; (vi) the identity of the person(s) or entity(ies), and the total number of unauthorized persons, which made the unauthorized access or use, or that received the unauthorized disclosure (if known); and (vii) such other information as Subscriber may reasonably request. If necessary, WisdomK12 will provide Subscriber with any additional information pertaining to the Security Breach as it becomes available, making its best effort to do so.
WisdomK12 shall use its best efforts to immediately remedy and mitigate any harmful effects of a Security Breach and shall promptly use reasonable efforts to prevent a recurrence of such Security Breach. WisdomK12 shall reimburse Subscriber for actual costs incurred by Subscriber in responding to, and mitigating damages caused by any Security Breach, including all costs of notice and/or remediation. WisdomK12 agrees to fully cooperate at its own expense with Subscriber in any litigation or other formal action deemed reasonably necessary by Subscriber to protect its rights relating to the use, disclosure, protection, availability and maintenance of Subscriber Data.
Following any Security Breach, WisdomK12 shall provide Subscriber with information regarding the steps that it has taken to prevent a recurrence of a Security Breach, provided that if Subscriber determines that such steps are not adequate, Subscriber may terminate this Agreement as a material breach.
Material Breach. WisdomK12’s failure to comply with any of the provisions of this Exhibit and remedy the same after thirty (30) days’ written notice from Subscriber is a material breach of this Agreement.
Employee Training. WisdomK12 shall annually provide appropriate privacy and information security training to WisdomK12’s staff and others that assist in providing Services.