
Data Privacy Addendum

For School Districts
Between [District Name] (“Customer”) and Streamline by Better Speech (“Vendor”)
Effective Date: 10/24/2025

 

1. Purpose

This Data Privacy Addendum (“Addendum”) is incorporated into the Software-as-a-Service (SaaS) Agreement for Educational Institutions (“Agreement”) between Customer and Vendor. Its purpose is to ensure that Vendor’s handling of Student Data and related records complies with federal, state, and local laws, including but not limited to FERPA, HIPAA, COPPA, IDEA, and applicable state student data privacy laws (e.g., SOPPA, NY Ed Law 2-d, CCPA/CPRA).

 

2. Definitions

  • Student Data: Any information directly related to an identifiable student that is maintained by the Customer and provided to Vendor in connection with services, including Personally Identifiable Information (PII) as defined under FERPA.
     

  • Protected Health Information (PHI): Individually identifiable health information, as defined under HIPAA, when applicable.
     

  • Education Records: As defined under FERPA, including any records, files, documents, and other materials that contain Student Data.
     

  • Confidential Information: All Student Data, PHI, and Customer data provided to Vendor.
     

  • Authorized Users: Customer employees, contractors, or other individuals authorized by Customer to access Streamline.
     

 

3. Compliance Obligations

Vendor agrees to:

  1. Act as a School Official under FERPA with a legitimate educational interest in Student Data.
     

  2. Protect all Student Data and PHI consistent with FERPA, HIPAA, COPPA, IDEA, and applicable state privacy laws. See Appendix A: State-Specific Data Privacy Provisions.
     

  3. Not use Student Data or PHI for targeted advertising, commercial gain, or purposes other than those expressly authorized by Customer.
     

  4. Enter into a Business Associate Agreement (BAA) with Customer or its service providers if HIPAA obligations apply.
     

 

4. Data Ownership and Control

  1. Ownership: All Student Data and PHI remain the property of and under the control of the Customer. Vendor has no independent ownership rights.
     

  2. Access & Use: Vendor will access, use, and process Student Data only for the purpose of providing services under the Agreement.
     

  3. Parental/Student Rights: Customer retains responsibility for responding to requests from parents or eligible students to access, amend, or delete Student Data. Vendor will assist Customer in fulfilling these obligations.
     

 

5. Data Security

Vendor will:

  1. Maintain administrative, technical, and physical safeguards consistent with industry standards (including SOC 2, ISO 27001, or NIST frameworks).
     

  2. Encrypt Student Data and PHI both in transit and at rest.
     

  3. Implement role-based access controls with least-privilege principles.
     

  4. Conduct background checks on personnel with access to Student Data.
     

  5. Maintain audit logs of access to Student Data and PHI.
     

 

6. Breach Notification

  1. Vendor will notify Customer of any actual or suspected Data Breach involving Student Data or PHI within 72 hours of discovery.
     

  2. Notification will include: nature of the breach, categories of data involved, number of records affected, remediation steps, and contact for follow-up.
     

  3. Vendor will cooperate with Customer in complying with all breach notification obligations under FERPA, HIPAA, and state law.
     

 

7. Subcontractors & Third Parties

  1. Vendor will not share Student Data or PHI with subcontractors or third parties without Customer’s prior written consent.
     

  2. Any approved subcontractor must be bound by written agreements imposing the same data privacy and security obligations as this Addendum.
     

 

8. Data Retention & Deletion

  1. Vendor will retain Student Data only for the period necessary to provide services, or as otherwise required by law.
     

  2. Upon termination of the Agreement or at Customer’s written request, Vendor will:
     

    • Return all Student Data to Customer in a secure, usable format, and
       

    • Permanently delete all copies from its systems within 30 days, unless retention is required by law.
       

  3. Vendor will provide written certification of deletion upon request.
     

 

9. Audit Rights

Customer or its designee may audit Vendor’s compliance with this Addendum upon reasonable notice, no more than once annually, unless required by law or following a Data Breach. Vendor will provide documentation of data security practices and allow inspection of relevant facilities and systems.

 

10. Data Localization & Transfers

Vendor will store and process Student Data and PHI within the United States unless otherwise authorized in writing by Customer. If cross-border transfers occur, Vendor will ensure compliance with applicable legal safeguards.

 

11. Indemnification

Vendor agrees to indemnify, defend, and hold harmless Customer, its officers, employees, and agents against claims, damages, or liabilities arising from Vendor’s breach of this Addendum, including costs associated with breach notifications, regulatory fines, and legal fees.

 

12. Term & Termination

This Addendum remains in effect as long as Vendor maintains Student Data on behalf of Customer. Termination of the Agreement does not relieve Vendor of its obligations with respect to Student Data already in its possession until deletion is certified.

 

13. Governing Law

This Addendum will be governed by the laws of the state in which the Customer is located, unless otherwise required by federal law.

 

14. Entire Agreement

This Addendum supersedes and replaces any inconsistent provisions in the Agreement concerning Student Data or PHI. In case of conflict, this Addendum controls.

 

Authorized Signatures

Customer
Signature: ______________________________
Name: __________________________________
Title: ___________________________________
Organization: _____________________________
Date: ___________________________________

Streamline by Better Speech
Signature: ______________________________
Name: __________________________________
Title: ___________________________________
Date: ___________________________________

 

Appendix A: State-Specific Data Privacy Provisions

This Appendix supplements the Data Privacy Addendum (“Addendum”) between [District Name] and Streamline by Better Speech (“Vendor”). Where applicable, the provisions below apply in addition to the Addendum.

 

1. Illinois – Student Online Personal Protection Act (SOPPA)

  • Vendor affirms compliance with 105 ILCS 85/1 et seq. (SOPPA).
     

  • Vendor will not engage in targeted advertising or use Student Data for commercial purposes.
     

  • Vendor will provide District with a list of all subcontractors with access to Student Data and will notify District within 60 days of any changes.
     

  • Vendor will publicly post its privacy policy and update it annually.
     

 

2. New York – Education Law 2-d

  • Vendor affirms compliance with NY Ed Law 2-d and Part 121 of the Commissioner’s Regulations.
     

  • Vendor will:
     

    • Provide a Data Security and Privacy Plan aligned with the NIST Cybersecurity Framework.
       

    • Encrypt all Student Data and PHI in transit and at rest.
       

    • Report any breach to District within 7 calendar days (in addition to the 72-hour general breach rule).
       

    • Not sell or disclose Student Data for marketing or commercial purposes.
       

 

3. California – Student Online Personal Information Protection Act (SOPIPA) & CCPA/CPRA

  • Vendor affirms compliance with California Business & Professions Code §22584 et seq. and CCPA/CPRA.
     

  • Vendor will not:
     

    • Engage in targeted advertising based on Student Data.
       

    • Create student profiles for non-educational purposes.
       

    • Sell or rent Student Data.
       

  • Vendor will support District in responding to California consumer privacy rights requests related to Student Data.
     

 

4. Colorado – Student Data Transparency and Security Act

  • Vendor affirms compliance with Colo. Rev. Stat. §22-16-101 et seq.
     

  • Vendor will disclose all subcontractors with access to Student Data and will post a data inventory.
     

  • Vendor will notify District of any data security incident within 48 hours.
     

  • Vendor will delete Student Data within 60 days of District’s request.
     

 

5. Connecticut – Public Act 16-189

  • Vendor affirms compliance with Conn. Gen. Stat. §§10-234aa to 10-234dd.
     

  • Vendor will include all required statutory terms in this Addendum, including data use limitations, breach notification, and deletion procedures.
     

  • Vendor will notify District and affected parties of any breach within 30 days.
     

 

6. Other States (Optional Placeholder)

Where District is located in another state with specific student privacy laws, Vendor agrees to incorporate required statutory language by amendment. Examples include:

  • Nevada (NRS 388.281 et seq.)
     

  • Virginia (Code §22.1-289.01)
     

  • Texas (TEC §26.0132, §38.301)
     

 

7. Priority of Terms

In the event of conflict between this Appendix and the Addendum, the more stringent obligation regarding Student Data or PHI shall govern.

 

Authorized Signatures

Customer
Signature: ______________________________
Name: __________________________________
Title: ___________________________________
Organization: _____________________________
Date: ___________________________________

Streamline by Better Speech
Signature: ______________________________
Name: __________________________________
Title: ___________________________________
Date: ___________________________________
