Common use of Schedule of Disposition Clause in Contracts

Schedule of Disposition. Data shall be disposed of by the following date: _ __ _ As soon as commercially practicable. _ __ _ By [ ] EXHIBIT “E” [Intentionally omitted] EXHIBIT “F” DATA SECURITY REQUIREMENTS Adequate Cybersecurity Frameworks 2/24/2020 The Education Security and Privacy Exchange (“Edspex”) works in partnership with the Student Data Privacy Consortium and industry leaders to maintain a list of known and credible cybersecurity frameworks which can protect digital learning ecosystems chosen based on a set of guiding cybersecurity principles* (“Cybersecurity Frameworks”) that may be utilized by Provider . Cybersecurity Frameworks MAINTAINING ORGANIZATION/GROUP FRAMEWORK(S) National Institute of Standards and Technology NIST Cybersecurity Framework Version 1.1 ✔ National Institute of Standards and Technology NIST SP 800-53, Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (CSF), Special Publication 800-171 ✔ International Standards Organization Information technology — Security techniques — Information security management xxxxxxx (XXX 00000 series) Secure Controls Framework Council, LLC Security Controls Framework (SCF) Center for Internet Security CIS Critical Security Controls (CSC, CIS Top 20) Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) Cybersecurity Maturity Model Certification (CMMC, ~FAR/DFAR) Please visit xxxx://xxx.xxxxxx.xxx for further details about the noted frameworks. 
*Cybersecurity Principles used to choose the Cybersecurity Frameworks are located here Provider security measures The Provider uses the following technical and organizational measures to protect Student Data: Management controls • The Provider maintains a comprehensive information security program with an appropriate governance structure (including a dedicated Information Security team) and written security policies to oversee and manage risks related to the confidentiality, availability and integrity of Personal Information. • The Provider aligns its information security program and measures with industry best practices, such as the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, Open Web Application Security Project (OWASP), and National Institute of Standards and Technology (NIST) 800 frameworks. These controls are distilled and incorporated into an internal compliance framework that is applicable to all products and services. • The Provider uses internal resources and third-party contractors to perform audits and vulnerability assessments and provide guidance on best practices for select systems containing Student Data. System assessments and network audits are performed regularly. Issues identified during audits are prioritized and remediated as part of ongoing security monitoring using a risk management methodology. • The Provider’s employees receive security and data privacy training when they start and regularly thereafter. Awareness campaigns are used to raise awareness about information security risks and our information security policies and procedures. Select staff, such as developers, receive additional security training tailored to their job role. Completion of training is tracked. • New employees undergo background checks prior to onboarding, where permitted by applicable law, and sign a confidentiality agreement. 
• Employees are required to comply with internal policies on the acceptable use of corporate IT assets. These policies address requirements on clean desk and secure workspaces, protecting system resources and electronic communications, protecting information, and general use of technology assets. The Provider’s employees are made aware that non-compliance with these policies can lead to disciplinary action, up to and including termination of employment/contract. • The Provider maintains a vendor risk management program to manage the security and integrity of its supply chain. The procurement process for third party service providers that have access to confidential information (including Student Data) includes a vendor security and privacy assessment review and a contract review by the Legal team. • The Provider has a documented security incident response process for responding to, documenting, and mitigating security incidents and notifying its clients, authorities or other parties as required. The process is tested regularly. Admission control • The Provider employs appropriate physical safeguards to prevent unauthorized persons from gaining access to the premises where Student Data is collected, processed and used. Such premises may only be entered by the Provider and/or its agents. • The Provider and its service providers implement physical security controls for the data centers used to store Student Data. These controls are commensurate with industry best practices and local regulations, which include 24x7x365 video monitoring, guards, secured ingress/egress, badged access, sign-in/sign-out logs, restricted access, and other best practices. • The Provider uses appropriate measures to secure buildings, such as using access cards or fobs for employee access. • The Provider uses appropriate measures to ensure that Student Data held in hardcopy are kept securely e.g., in locked rooms or filing cabinet. 
Generally, steps are taken to ensure that access to hardcopy Student Data is limited in the same way it would be on an electronic IT system i.e., access is limited to those individuals where it is necessary for them to have access in order for them to perform their job role. Entry control • The Provider uses appropriate measures to prevent unauthorized parties from accessing or using its systems containing Student Data. • The Provider requires authentication and authorization to gain access to systems that process Student Data (i.e., require users to enter a user id and password before they are permitted access to such systems). • The Provider has procedures in place to permit only authorized persons to access Student Data internally or externally by using authentication procedures (e.g., by means of appropriate passwords), except as otherwise enabled by the LEA. Access control • The Provider employs appropriate measures to prevent individuals accessing Student Data unless they hold a specific access authorization. • The Provider only permits access to Student Data which the employee (or agent) needs for his/her job role or the purpose they are given access to Provider’s systems for (i.e., the Provider implements measures to ensure least privilege access to systems that process Student Data). System administration and privileged access is controlled and enforced on a need-to-know basis and is reviewed regularly. • The Provider has in place appropriate procedures for controlling the allocation and revocation of access rights to Student Data. For example, having in place appropriate procedures for revoking employee access to systems that process Student Data when they leave their job or change role. Unnecessary and default user accounts and passwords are disabled on servers. • Provider’s systems containing Student Data are protected by user identifiers, passwords and role-based access rights. 
Special access rights are produced for the purposes of technical maintenance which do not allow access to Student Data. • The Provider implements methods to provide audit logging to establish accountability by monitoring network devices, servers, and applications. Where applicable, aberrant activity generates alerts for investigation and/or action. • All employees must use multi-factor authentication for remote access to IT assets within the corporate network. • The Provider takes appropriate administrative safeguards to protect its services against external attacks, including, for example, deploying firewalls and using services to provide 24x7x365 security monitoring of its data centers to protect and defend against external security threats. Transmission control • The Provider employs appropriate measures to protect the confidentiality, integrity and availability of Student Data during electronic transmission. • The Provider encrypts Student Data while in transit over the internet. Input control • The Provider maintains logging and auditing systems to monitor activity related to the input of Student Data. Order control • The Provider ensures that all requests from the LEA with respect to Student Data are processed strictly in compliance with the LEA’s instructions through the use of clear and unambiguous contract terms; comprehensive statements of work; appropriately designed policies and processes, and training. Availability control • The Provider protect Student Data in its possession against unintentional destruction or loss by implementing appropriate management, operations, and technical controls such as firewalls; monitoring; and backup procedures. Example measures that may also be taken include mirroring of storage media, uninterruptible power supply (UPS); remote storage; and disaster recovery plans. 
EXHIBIT “G” – Supplemental SDPC (Student Data Privacy Consortium) State Terms for Illinois Version 1.1 (Revised March 2021) This Exhibit G, Supplemental SDPC State Terms for Illinois (“Supplemental State Terms”), effective simultaneously with the attached Student Data Privacy Agreement (“DPA”) by and between Xxxxxx Community School District 2 (the “Local Education Agency” or “LEA”) and Blackboard Inc. (the “Provider”) is incorporated in the attached DPA and amends the DPA (and all supplemental terms and conditions and policies applicable to the DPA) as follows:

Appears in 1 contract

Samples: sdpc.a4l.org

Schedule of Disposition. Data shall be disposed of by the following date: _ __ _ As soon as commercially practicable. _ __ _ By [ ] EXHIBIT “E” [Intentionally omitted] 4. Signature 05/03/2023 Authorized Representative of LEA Date 5. Verification of Disposition of Data Authorized Representative of Provider Date DocuSign Envelope ID: 64017897-96C3-4D18-9C71-6E6A7BE5FDE0 September 7, 2023 xxxxxxx@xxxxxxxxxxxxxxx.xxx September 7, 2023 Xxxxx Xxxxxxxxxx Executive Vice President, CFO EXHIBIT “F” DATA SECURITY REQUIREMENTS Adequate Cybersecurity Frameworks 2/24/2020 The Education Security and Privacy Exchange (“Edspex”) works in partnership with the Student Data Privacy Consortium and industry leaders to maintain a list of known and credible cybersecurity frameworks which can protect digital learning ecosystems chosen based on a set of guiding cybersecurity principles* (“Cybersecurity Frameworks”) that may be utilized by Provider . Cybersecurity Frameworks MAINTAINING ORGANIZATION/GROUP FRAMEWORK(S) National Institute of Standards and Technology (NIST) NIST Cybersecurity Framework Version 1.1 National Institute of Standards and Technology (NIST) NIST SP 800-53, Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (CSF), Special Publication 800-171 X International Standards Organization (ISO) Information technology — Security techniques — Information security management xxxxxxx systems (XXX 00000 ISO 27000 series) Secure Controls Framework Council, LLC Security Controls Framework (SCF) X Center for Internet Security (CIS) CIS Critical Security Controls (CSC, CIS Top 20) Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) Cybersecurity Maturity Model Certification (CMMC, ~FAR/DFAR) Please visit xxxx://xxx.xxxxxx.xxx for further details about the noted frameworks. 
*Cybersecurity Principles used to choose the Cybersecurity Frameworks are located here Provider security measures The Provider uses the following technical and organizational measures to protect Student Data: Management controls • The Provider maintains a comprehensive information security program with an appropriate governance structure (including a dedicated Information Security team) and written security policies to oversee and manage risks related to the confidentiality, availability and integrity of Personal Information. • The Provider aligns its information security program and measures with industry best practices, such as the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, Open Web Application Security Project (OWASP), and National Institute of Standards and Technology (NIST) 800 frameworks. These controls are distilled and incorporated into an internal compliance framework that is applicable to all products and services. • The Provider uses internal resources and third-party contractors to perform audits and vulnerability assessments and provide guidance on best practices for select systems containing Student Data. System assessments and network audits are performed regularly. Issues identified during audits are prioritized and remediated as part of ongoing security monitoring using a risk management methodology. • The Provider’s employees receive security and data privacy training when they start and regularly thereafter. Awareness campaigns are used to raise awareness about information security risks and our information security policies and procedures. Select staff, such as developers, receive additional security training tailored to their job role. Completion of training is tracked. • New employees undergo background checks prior to onboarding, where permitted by applicable law, and sign a confidentiality agreement. 
• Employees are required to comply with internal policies on the acceptable use of corporate IT assets. These policies address requirements on clean desk and secure workspaces, protecting system resources and electronic communications, protecting information, and general use of technology assets. The Provider’s employees are made aware that non-compliance with these policies can lead to disciplinary action, up to and including termination of employment/contract. • The Provider maintains a vendor risk management program to manage the security and integrity of its supply chain. The procurement process for third party service providers that have access to confidential information (including Student Data) includes a vendor security and privacy assessment review and a contract review by the Legal team. • The Provider has a documented security incident response process for responding to, documenting, and mitigating security incidents and notifying its clients, authorities or other parties as required. The process is tested regularly. Admission control • The Provider employs appropriate physical safeguards to prevent unauthorized persons from gaining access to the premises where Student Data is collected, processed and used. Such premises may only be entered by the Provider and/or its agents. • The Provider and its service providers implement physical security controls for the data centers used to store Student Data. These controls are commensurate with industry best practices and local regulations, which include 24x7x365 video monitoring, guards, secured ingress/egress, badged access, sign-in/sign-out logs, restricted access, and other best practices. • The Provider uses appropriate measures to secure buildings, such as using access cards or fobs for employee access. • The Provider uses appropriate measures to ensure that Student Data held in hardcopy are kept securely e.g., in locked rooms or filing cabinet. 
Generally, steps are taken to ensure that access to hardcopy Student Data is limited in the same way it would be on an electronic IT system i.e., access is limited to those individuals where it is necessary for them to have access in order for them to perform their job role. Entry control • The Provider uses appropriate measures to prevent unauthorized parties from accessing or using its systems containing Student Data. • The Provider requires authentication and authorization to gain access to systems that process Student Data (i.e., require users to enter a user id and password before they are permitted access to such systems). • The Provider has procedures in place to permit only authorized persons to access Student Data internally or externally by using authentication procedures (e.g., by means of appropriate passwords), except as otherwise enabled by the LEA. Access control • The Provider employs appropriate measures to prevent individuals accessing Student Data unless they hold a specific access authorization. • The Provider only permits access to Student Data which the employee (or agent) needs for his/her job role or the purpose they are given access to Provider’s systems for (i.e., the Provider implements measures to ensure least privilege access to systems that process Student Data). System administration and privileged access is controlled and enforced on a need-to-know basis and is reviewed regularly. • The Provider has in place appropriate procedures for controlling the allocation and revocation of access rights to Student Data. For example, having in place appropriate procedures for revoking employee access to systems that process Student Data when they leave their job or change role. Unnecessary and default user accounts and passwords are disabled on servers. • Provider’s systems containing Student Data are protected by user identifiers, passwords and role-based access rights. 
Special access rights are produced for the purposes of technical maintenance which do not allow access to Student Data. • The Provider implements methods to provide audit logging to establish accountability by monitoring network devices, servers, and applications. Where applicable, aberrant activity generates alerts for investigation and/or action. • All employees must use multi-factor authentication for remote access to IT assets within the corporate network. • The Provider takes appropriate administrative safeguards to protect its services against external attacks, including, for example, deploying firewalls and using services to provide 24x7x365 security monitoring of its data centers to protect and defend against external security threats. Transmission control • The Provider employs appropriate measures to protect the confidentiality, integrity and availability of Student Data during electronic transmission. • The Provider encrypts Student Data while in transit over the internet. Input control • The Provider maintains logging and auditing systems to monitor activity related to the input of Student Data. Order control • The Provider ensures that all requests from the LEA with respect to Student Data are processed strictly in compliance with the LEA’s instructions through the use of clear and unambiguous contract terms; comprehensive statements of work; appropriately designed policies and processes, and training. Availability control • The Provider protect Student Data in its possession against unintentional destruction or loss by implementing appropriate management, operations, and technical controls such as firewalls; monitoring; and backup procedures. Example measures that may also be taken include mirroring of storage media, uninterruptible power supply (UPS); remote storage; and disaster recovery plans. 
EXHIBIT “G” Supplemental SDPC (Student Data Privacy Consortium) State Terms for Illinois Texas Version 1.1 (Revised March 2021) 1.0 This Exhibit G, Supplemental SDPC State Terms for Illinois Texas (“Supplemental State Terms”), effective simultaneously with the attached Student Data Privacy Agreement (“DPA”) by and between Xxxxxx Community School District 2 [ NORTH EAST ISD ] (the “Local Education Agency” or “LEA”) and Blackboard Inc. [ Imagine Learning LLC ] (the “Provider”), is incorporated in the attached DPA and amends the DPA (and all supplemental terms and conditions and policies applicable to the DPA) as follows:

Appears in 1 contract

Samples: sdpc.a4l.org

Schedule of Disposition. Data shall be disposed of by the following date: __ __ _ As soon as commercially practicable. __ __ _ By [ ] EXHIBIT “E” [Intentionally omitted] EXHIBIT E XHIBIT “F” DATA SECURITY REQUIREMENTS Adequate Cybersecurity Frameworks 2/24/2020 The Education Security and Privacy Exchange (“Edspex”) works in partnership with the Student Data Privacy Consortium and industry leaders to maintain a list of known and credible cybersecurity frameworks which can protect digital learning ecosystems chosen based on a set of guiding cybersecurity principles* (“Cybersecurity Frameworks”) that may be utilized by Provider . Cybersecurity Frameworks MAINTAINING ORGANIZATION/GROUP FRAMEWORK(S) National Institute of Standards and Technology NIST Cybersecurity Framework Version 1.1 National Institute of Standards and Technology NIST SP 800-53, Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (CSF), Special Publication 800-171 International Standards Organization Information technology — Security techniques — Information security management xxxxxxx (XXX 00000 series) Secure Controls Framework Council, LLC Security Controls Framework (SCF) Center for Internet Security CIS Critical Security Controls (CSC, CIS Top 20) Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) Cybersecurity Maturity Model Certification (CMMC, ~FAR/DFAR) Please visit xxxx://xxx.xxxxxx.xxx for further details about the noted frameworks. 
*Cybersecurity Principles used to choose the Cybersecurity Frameworks are located here Provider security measures The Provider uses the following technical and organizational measures to protect Student Data: Management controls The Provider maintains a comprehensive information security program with an appropriate governance structure (including a dedicated Information Security team) and written security policies to oversee and manage risks related to the confidentiality, availability and integrity of Personal Information. The Provider aligns its information security program and measures with industry best practices, such as the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, Open Web Application Security Project (OWASP), and National Institute of Standards and Technology (NIST) 800 frameworks. These controls are distilled and incorporated into an internal compliance framework that is applicable to all products and services. The Provider uses internal resources and third-party contractors to perform audits and vulnerability assessments and provide guidance on best practices for select systems containing Student Data. System assessments and network audits are performed regularly. Issues identified during audits are prioritized and remediated as part of ongoing security monitoring using a risk management methodology. The Provider’s employees receive security and data privacy training when they start and regularly thereafter. Awareness campaigns are used to raise awareness about information security risks and our information security policies and procedures. Select staff, such as developers, receive additional security training tailored to their job role. Completion of training is tracked. New employees undergo background checks prior to onboarding, where permitted by applicable law, and sign a confidentiality agreement. 
Employees are required to comply with internal policies on the acceptable use of corporate IT assets. These policies address requirements on clean desk and secure workspaces, protecting system resources and electronic communications, protecting information, and general use of technology assets. The Provider’s employees are made aware that non-compliance with these policies can lead to disciplinary action, up to and including termination of employment/contract. The Provider maintains a vendor risk management program to manage the security and integrity of its supply chain. The procurement process for third party service providers that have access to confidential information (including Student Data) includes a vendor security and privacy assessment review and a contract review by the Legal team. The Provider has a documented security incident response process for responding to, documenting, and mitigating security incidents and notifying its clients, authorities or other parties as required. The process is tested regularly. Admission control The Provider employs appropriate physical safeguards to prevent unauthorized persons from gaining access to the premises where Student Data is collected, processed and used. Such premises may only be entered by the Provider and/or its agents. The Provider and its service providers implement physical security controls for the data centers used to store Student Data. These controls are commensurate with industry best practices and local regulations, which include 24x7x365 video monitoring, guards, secured ingress/egress, badged access, sign-in/sign-out logs, restricted access, and other best practices. The Provider uses appropriate measures to secure buildings, such as using access cards or fobs for employee access. The Provider uses appropriate measures to ensure that Student Data held in hardcopy are kept securely e.g., in locked rooms or filing cabinet. 
Generally, steps are taken to ensure that access to hardcopy Student Data is limited in the same way it would be on an electronic IT system i.e., access is limited to those individuals where it is necessary for them to have access in order for them to perform their job role. Entry control The Provider uses appropriate measures to prevent unauthorized parties from accessing or using its systems containing Student Data. The Provider requires authentication and authorization to gain access to systems that process Student Data (i.e., require users to enter a user id and password before they are permitted access to such systems). The Provider has procedures in place to permit only authorized persons to access Student Data internally or externally by using authentication procedures (e.g., by means of appropriate passwords), except as otherwise enabled by the LEA. Access control The Provider employs appropriate measures to prevent individuals accessing Student Data unless they hold a specific access authorization. The Provider only permits access to Student Data which the employee (or agent) needs for his/her job role or the purpose they are given access to Provider’s systems for (i.e., the Provider implements measures to ensure least privilege access to systems that process Student Data). System administration and privileged access is controlled and enforced on a need-to-know basis and is reviewed regularly. The Provider has in place appropriate procedures for controlling the allocation and revocation of access rights to Student Data. For example, having in place appropriate procedures for revoking employee access to systems that process Student Data when they leave their job or change role. Unnecessary and default user accounts and passwords are disabled on servers. Provider’s systems containing Student Data are protected by user identifiers, passwords and role-based access rights. 
Special access rights are produced for the purposes of technical maintenance which do not allow access to Student Data. The Provider implements methods to provide audit logging to establish accountability by monitoring network devices, servers, and applications. Where applicable, aberrant activity generates alerts for investigation and/or action. All employees must use multi-factor authentication for remote access to IT assets within the corporate network. The Provider takes appropriate administrative safeguards to protect its services against external attacks, including, for example, deploying firewalls and using services to provide 24x7x365 security monitoring of its data centers to protect and defend against external security threats. Transmission control The Provider employs appropriate measures to protect the confidentiality, integrity and availability of Student Data during electronic transmission. The Provider encrypts Student Data while in transit over the internet. Input control The Provider maintains logging and auditing systems to monitor activity related to the input of Student Data. Order control • The Provider ensures that all requests from the LEA with respect to Student Data are processed strictly in compliance with the LEA’s instructions through the use of clear and unambiguous contract terms; comprehensive statements of work; appropriately designed policies and processes, and training. Availability control • The Provider protect Student Data in its possession against unintentional destruction or loss by implementing appropriate management, operations, and technical controls such as firewalls; monitoring; and backup procedures. Example measures that may also be taken include mirroring of storage media, uninterruptible power supply (UPS); remote storage; and disaster recovery plans. 
EXHIBIT “G” – Supplemental SDPC (Student Data Privacy Consortium) State Terms for Illinois Version 1.1 (Revised March 2021) This Exhibit G, Supplemental SDPC State Terms for Illinois (“Supplemental State Terms”), effective simultaneously with the attached Student Data Privacy Agreement (“DPA”) by and between Xxxxxx Community School District 2 (the “Local Education Agency” or “LEA”) and Blackboard Inc. (the “Provider”) is incorporated in the attached DPA and amends the DPA (and all supplemental terms and conditions and policies applicable to the DPA) as follows:

Appears in 1 contract

Samples: sdpc.a4l.org

Schedule of Disposition. ☑_ Data shall be disposed of by the following date: _ __ _ As soon as commercially practicable. _ __ _ By [ ] EXHIBIT “E” [Intentionally omitted] EXHIBIT “F” DATA SECURITY REQUIREMENTS Adequate Cybersecurity Frameworks 2/24/2020 The Education Security and Privacy Exchange (“Edspex”) works in partnership with the Student Data Privacy Consortium and industry leaders to maintain a list of known and credible cybersecurity frameworks which can protect digital learning ecosystems chosen based on a set of guiding cybersecurity principles* (“Cybersecurity Frameworks”) that may be utilized by Provider . Cybersecurity Frameworks MAINTAINING ORGANIZATION/GROUP FRAMEWORK(S) National Institute of Standards and Technology NIST Cybersecurity Framework Version 1.1 ✔ National Institute of Standards and Technology NIST SP 800-53, Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (CSF), Special Publication 800-171 ✔ International Standards Organization Information technology — Security techniques — Information security management xxxxxxx (XXX 00000 series) Secure Controls Framework Council, LLC Security Controls Framework (SCF) Center for Internet Security CIS Critical Security Controls (CSC, CIS Top 20) Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) Cybersecurity Maturity Model Certification (CMMC, ~FAR/DFAR) Please visit xxxx://xxx.xxxxxx.xxx for further details about the noted frameworks. 
*Cybersecurity Principles used to choose the Cybersecurity Frameworks are located here Provider security measures The Provider uses the following technical and organizational measures to protect Student Data: Management controls • The Provider maintains a comprehensive information security program with an appropriate governance structure (including a dedicated Information Security team) and written security policies to oversee and manage risks related to the confidentiality, availability and integrity of Personal Information. • The Provider aligns its information security program and measures with industry best practices, such as the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, Open Web Application Security Project (OWASP), and National Institute of Standards and Technology (NIST) 800 frameworks. These controls are distilled and incorporated into an internal compliance framework that is applicable to all products and services. • The Provider uses internal resources and third-party contractors to perform audits and vulnerability assessments and provide guidance on best practices for select systems containing Student Data. System assessments and network audits are performed regularly. Issues identified during audits are prioritized and remediated as part of ongoing security monitoring using a risk management methodology. • The Provider’s employees receive security and data privacy training when they start and regularly thereafter. Awareness campaigns are used to raise awareness about information security risks and our information security policies and procedures. Select staff, such as developers, receive additional security training tailored to their job role. Completion of training is tracked. • New employees undergo background checks prior to onboarding, where permitted by applicable law, and sign a confidentiality agreement. 
• Employees are required to comply with internal policies on the acceptable use of corporate IT assets. These policies address requirements on clean desk and secure workspaces, protecting system resources and electronic communications, protecting information, and general use of technology assets. The Provider’s employees are made aware that non-compliance with these policies can lead to disciplinary action, up to and including termination of employment/contract. • The Provider maintains a vendor risk management program to manage the security and integrity of its supply chain. The procurement process for third party service providers that have access to confidential information (including Student Data) includes a vendor security and privacy assessment review and a contract review by the Legal team. • The Provider has a documented security incident response process for responding to, documenting, and mitigating security incidents and notifying its clients, authorities or other parties as required. The process is tested regularly. Admission control • The Provider employs appropriate physical safeguards to prevent unauthorized persons from gaining access to the premises where Student Data is collected, processed and used. Such premises may only be entered by the Provider and/or its agents. • The Provider and its service providers implement physical security controls for the data centers used to store Student Data. These controls are commensurate with industry best practices and local regulations, which include 24x7x365 video monitoring, guards, secured ingress/egress, badged access, sign-in/sign-out logs, restricted access, and other best practices. • The Provider uses appropriate measures to secure buildings, such as using access cards or fobs for employee access. • The Provider uses appropriate measures to ensure that Student Data held in hardcopy are kept securely e.g., in locked rooms or filing cabinet. 
Generally, steps are taken to ensure that access to hardcopy Student Data is limited in the same way it would be on an electronic IT system i.e., access is limited to those individuals where it is necessary for them to have access in order for them to perform their job role. Entry control • The Provider uses appropriate measures to prevent unauthorized parties from accessing or using its systems containing Student Data. • The Provider requires authentication and authorization to gain access to systems that process Student Data (i.e., require users to enter a user id and password before they are permitted access to such systems). • The Provider has procedures in place to permit only authorized persons to access Student Data internally or externally by using authentication procedures (e.g., by means of appropriate passwords), except as otherwise enabled by the LEA. Access control • The Provider employs appropriate measures to prevent individuals accessing Student Data unless they hold a specific access authorization. • The Provider only permits access to Student Data which the employee (or agent) needs for his/her job role or the purpose they are given access to Provider’s systems for (i.e., the Provider implements measures to ensure least privilege access to systems that process Student Data). System administration and privileged access is controlled and enforced on a need-to-know basis and is reviewed regularly. • The Provider has in place appropriate procedures for controlling the allocation and revocation of access rights to Student Data. For example, having in place appropriate procedures for revoking employee access to systems that process Student Data when they leave their job or change role. Unnecessary and default user accounts and passwords are disabled on servers. • Provider’s systems containing Student Data are protected by user identifiers, passwords and role-based access rights. 
Special access rights are produced for the purposes of technical maintenance which do not allow access to Student Data. • The Provider implements methods to provide audit logging to establish accountability by monitoring network devices, servers, and applications. Where applicable, aberrant activity generates alerts for investigation and/or action. • All employees must use multi-factor authentication for remote access to IT assets within the corporate network. • The Provider takes appropriate administrative safeguards to protect its services against external attacks, including, for example, deploying firewalls and using services to provide 24x7x365 security monitoring of its data centers to protect and defend against external security threats. Transmission control • The Provider employs appropriate measures to protect the confidentiality, integrity and availability of Student Data during electronic transmission. • The Provider encrypts Student Data while in transit over the internet. Input control • The Provider maintains logging and auditing systems to monitor activity related to the input of Student Data. Order control • The Provider ensures that all requests from the LEA with respect to Student Data are processed strictly in compliance with the LEA’s instructions through the use of clear and unambiguous contract terms; comprehensive statements of work; appropriately designed policies and processes, and training. Availability control • The Provider protects Student Data in its possession against unintentional destruction or loss by implementing appropriate management, operations, and technical controls such as firewalls; monitoring; and backup procedures. Example measures that may also be taken include mirroring of storage media, uninterruptible power supply (UPS); remote storage; and disaster recovery plans. 
EXHIBIT “G” – Supplemental SDPC (Student Data Privacy Consortium) State Terms for Illinois Version 1.1 (Revised March 2021) This Exhibit G, Supplemental SDPC State Terms for Illinois (“Supplemental State Terms”), effective simultaneously with the attached Student Data Privacy Agreement (“DPA”) by and between Xxxxxx Community School District 2 [NAME OF SCHOOL] (the “Local Education Agency” or “LEA”) and Blackboard Inc. (the “Provider”) is incorporated in the attached DPA and amends the DPA (and all supplemental terms and conditions and policies applicable to the DPA) as follows:

Appears in 1 contract

Samples: Privacy Agreement

Schedule of Disposition. Data shall be disposed of by the following date: _ __ __ As soon as commercially practicable. _ __ _ By [ ] EXHIBIT “E” [Intentionally omitted] EXHIBIT “F” DATA SECURITY REQUIREMENTS Adequate Cybersecurity Frameworks 2/24/2020 The Education Security and Privacy Exchange (“Edspex”) works in partnership with the Student Data Privacy Consortium and industry leaders to maintain a list of known and credible cybersecurity frameworks which can protect digital learning ecosystems chosen based on a set of guiding cybersecurity principles* (“Cybersecurity Frameworks”) that may be utilized by Provider. Cybersecurity Frameworks MAINTAINING ORGANIZATION/GROUP FRAMEWORK(S) National Institute of Standards and Technology NIST Cybersecurity Framework Version 1.1 National Institute of Standards and Technology NIST SP 800-53, Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (CSF), Special Publication 800-171 International Standards Organization Information technology — Security techniques — Information security management xxxxxxx (XXX 00000 series) Secure Controls Framework Council, LLC Security Controls Framework (SCF) Center for Internet Security CIS Critical Security Controls (CSC, CIS Top 20) Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) Cybersecurity Maturity Model Certification (CMMC, ~FAR/DFAR) Please visit xxxx://xxx.xxxxxx.xxx for further details about the noted frameworks. 
*Cybersecurity Principles used to choose the Cybersecurity Frameworks are located here Provider security measures The Provider uses the following technical and organizational measures to protect Student Data: Management controls The Provider maintains a comprehensive information security program with an appropriate governance structure (including a dedicated Information Security team) and written security policies to oversee and manage risks related to the confidentiality, availability and integrity of Personal Information. The Provider aligns its information security program and measures with industry best practices, such as the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, Open Web Application Security Project (OWASP), and National Institute of Standards and Technology (NIST) 800 frameworks. These controls are distilled and incorporated into an internal compliance framework that is applicable to all products and services. The Provider uses internal resources and third-party contractors to perform audits and vulnerability assessments and provide guidance on best practices for select systems containing Student Data. System assessments and network audits are performed regularly. Issues identified during audits are prioritized and remediated as part of ongoing security monitoring using a risk management methodology. The Provider’s employees receive security and data privacy training when they start and regularly thereafter. Awareness campaigns are used to raise awareness about information security risks and our information security policies and procedures. Select staff, such as developers, receive additional security training tailored to their job role. Completion of training is tracked. New employees undergo background checks prior to onboarding, where permitted by applicable law, and sign a confidentiality agreement. 
Employees are required to comply with internal policies on the acceptable use of corporate IT assets. These policies address requirements on clean desk and secure workspaces, protecting system resources and electronic communications, protecting information, and general use of technology assets. The Provider’s employees are made aware that non-compliance with these policies can lead to disciplinary action, up to and including termination of employment/contract. The Provider maintains a vendor risk management program to manage the security and integrity of its supply chain. The procurement process for third party service providers that have access to confidential information (including Student Data) includes a vendor security and privacy assessment review and a contract review by the Legal team. The Provider has a documented security incident response process for responding to, documenting, and mitigating security incidents and notifying its clients, authorities or other parties as required. The process is tested regularly. Admission control The Provider employs appropriate physical safeguards to prevent unauthorized persons from gaining access to the premises where Student Data is collected, processed and used. Such premises may only be entered by the Provider and/or its agents. The Provider and its service providers implement physical security controls for the data centers used to store Student Data. These controls are commensurate with industry best practices and local regulations, which include 24x7x365 video monitoring, guards, secured ingress/egress, badged access, sign-in/sign-out logs, restricted access, and other best practices. The Provider uses appropriate measures to secure buildings, such as using access cards or fobs for employee access. The Provider uses appropriate measures to ensure that Student Data held in hardcopy are kept securely e.g., in locked rooms or filing cabinet. 
Generally, steps are taken to ensure that access to hardcopy Student Data is limited in the same way it would be on an electronic IT system i.e., access is limited to those individuals where it is necessary for them to have access in order for them to perform their job role. Entry control The Provider uses appropriate measures to prevent unauthorized parties from accessing or using its systems containing Student Data. The Provider requires authentication and authorization to gain access to systems that process Student Data (i.e., require users to enter a user id and password before they are permitted access to such systems). The Provider has procedures in place to permit only authorized persons to access Student Data internally or externally by using authentication procedures (e.g., by means of appropriate passwords), except as otherwise enabled by the LEA. Access control The Provider employs appropriate measures to prevent individuals accessing Student Data unless they hold a specific access authorization. The Provider only permits access to Student Data which the employee (or agent) needs for his/her job role or the purpose they are given access to Provider’s systems for (i.e., the Provider implements measures to ensure least privilege access to systems that process Student Data). System administration and privileged access is controlled and enforced on a need-to-know basis and is reviewed regularly. The Provider has in place appropriate procedures for controlling the allocation and revocation of access rights to Student Data. For example, having in place appropriate procedures for revoking employee access to systems that process Student Data when they leave their job or change role. Unnecessary and default user accounts and passwords are disabled on servers. Provider’s systems containing Student Data are protected by user identifiers, passwords and role-based access rights. 
Special access rights are produced for the purposes of technical maintenance which do not allow access to Student Data. The Provider implements methods to provide audit logging to establish accountability by monitoring network devices, servers, and applications. Where applicable, aberrant activity generates alerts for investigation and/or action. All employees must use multi-factor authentication for remote access to IT assets within the corporate network. The Provider takes appropriate administrative safeguards to protect its services against external attacks, including, for example, deploying firewalls and using services to provide 24x7x365 security monitoring of its data centers to protect and defend against external security threats. Transmission control The Provider employs appropriate measures to protect the confidentiality, integrity and availability of Student Data during electronic transmission. The Provider encrypts Student Data while in transit over the internet. Input control The Provider maintains logging and auditing systems to monitor activity related to the input of Student Data. Order control The Provider ensures that all requests from the LEA with respect to Student Data are processed strictly in compliance with the LEA’s instructions through the use of clear and unambiguous contract terms; comprehensive statements of work; appropriately designed policies and processes, and training. Availability control The Provider protects Student Data in its possession against unintentional destruction or loss by implementing appropriate management, operations, and technical controls such as firewalls; monitoring; and backup procedures. Example measures that may also be taken include mirroring of storage media, uninterruptible power supply (UPS); remote storage; and disaster recovery plans. 
EXHIBIT “G” – Supplemental SDPC (Student Data Privacy Consortium) State Terms for Illinois Version 1.1 (Revised March 2021) This Exhibit G, Supplemental SDPC State Terms for Illinois (“Supplemental State Terms”), effective simultaneously with the attached Student Data Privacy Agreement (“DPA”) by and between Xxxxxx Community School District 2 [NAME OF SCHOOL] (the “Local Education Agency” or “LEA”) and Blackboard Inc. (the “Provider”) is incorporated in the attached DPA and amends the DPA (and all supplemental terms and conditions and policies applicable to the DPA) as follows:

Appears in 1 contract

Samples: sdpc.a4l.org

Schedule of Disposition. Data shall be disposed of by the following date: _ __ __0_ As soon as commercially practicable. _ __ IT_ By [ ] EXHIBIT “E” [Intentionally omitted] 4. Signature Authorized Representative of LEA Last Updated 2021-03-15 - New Illinois Exhibit G 06/07/2021 Date 06/07/2021 Date IL-NDPA v1.0a EXHIBIT “F” DATA SECURITY REQUIREMENTS Adequate Cybersecurity Frameworks 2/24/2020 The Education Security and Privacy Exchange (“Edspex”) works in partnership with the Student Data Privacy Consortium and industry leaders to maintain a list of known and credible cybersecurity frameworks which can protect digital learning ecosystems chosen based on a set of guiding cybersecurity principles* (“Cybersecurity Frameworks”) that may be utilized by Provider. Cybersecurity Frameworks MAINTAINING ORGANIZATION/GROUP FRAMEWORK(S) National Institute of Standards and Technology NIST Cybersecurity Framework Version 1.1 National Institute of Standards and Technology NIST SP 800-53, Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (CSF), Special Publication 800-171 International Standards Organization Information technology — Security techniques — Information security management xxxxxxx (XXX 00000 series) Secure Controls Framework Council, LLC Security Controls Framework (SCF) Center for Internet Security CIS Critical Security Controls (CSC, CIS Top 20) Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) Cybersecurity Maturity Model Certification (CMMC, ~FAR/DFAR) Please visit xxxx://xxx.xxxxxx.xxx for further details about the noted frameworks. 
*Cybersecurity Principles used to choose the Cybersecurity Frameworks are located here Provider security measures The Provider uses the following technical and organizational measures to protect Student Data: Management controls • The Provider maintains a comprehensive information security program with an appropriate governance structure (including a dedicated Information Security team) and written security policies to oversee and manage risks related to the confidentiality, availability and integrity of Personal Information. • The Provider aligns its information security program and measures with industry best practices, such as the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, Open Web Application Security Project (OWASP), and National Institute of Standards and Technology (NIST) 800 frameworks. These controls are distilled and incorporated into an internal compliance framework that is applicable to all products and services. • The Provider uses internal resources and third-party contractors to perform audits and vulnerability assessments and provide guidance on best practices for select systems containing Student Data. System assessments and network audits are performed regularly. Issues identified during audits are prioritized and remediated as part of ongoing security monitoring using a risk management methodology. • The Provider’s employees receive security and data privacy training when they start and regularly thereafter. Awareness campaigns are used to raise awareness about information security risks and our information security policies and procedures. Select staff, such as developers, receive additional security training tailored to their job role. Completion of training is tracked. • New employees undergo background checks prior to onboarding, where permitted by applicable law, and sign a confidentiality agreement. 
• Employees are required to comply with internal policies on the acceptable use of corporate IT assets. These policies address requirements on clean desk and secure workspaces, protecting system resources and electronic communications, protecting information, and general use of technology assets. The Provider’s employees are made aware that non-compliance with these policies can lead to disciplinary action, up to and including termination of employment/contract. • The Provider maintains a vendor risk management program to manage the security and integrity of its supply chain. The procurement process for third party service providers that have access to confidential information (including Student Data) includes a vendor security and privacy assessment review and a contract review by the Legal team. • The Provider has a documented security incident response process for responding to, documenting, and mitigating security incidents and notifying its clients, authorities or other parties as required. The process is tested regularly. Admission control • The Provider employs appropriate physical safeguards to prevent unauthorized persons from gaining access to the premises where Student Data is collected, processed and used. Such premises may only be entered by the Provider and/or its agents. • The Provider and its service providers implement physical security controls for the data centers used to store Student Data. These controls are commensurate with industry best practices and local regulations, which include 24x7x365 video monitoring, guards, secured ingress/egress, badged access, sign-in/sign-out logs, restricted access, and other best practices. • The Provider uses appropriate measures to secure buildings, such as using access cards or fobs for employee access. • The Provider uses appropriate measures to ensure that Student Data held in hardcopy are kept securely e.g., in locked rooms or filing cabinet. 
Generally, steps are taken to ensure that access to hardcopy Student Data is limited in the same way it would be on an electronic IT system i.e., access is limited to those individuals where it is necessary for them to have access in order for them to perform their job role. Entry control • The Provider uses appropriate measures to prevent unauthorized parties from accessing or using its systems containing Student Data. • The Provider requires authentication and authorization to gain access to systems that process Student Data (i.e., require users to enter a user id and password before they are permitted access to such systems). • The Provider has procedures in place to permit only authorized persons to access Student Data internally or externally by using authentication procedures (e.g., by means of appropriate passwords), except as otherwise enabled by the LEA. Access control • The Provider employs appropriate measures to prevent individuals accessing Student Data unless they hold a specific access authorization. • The Provider only permits access to Student Data which the employee (or agent) needs for his/her job role or the purpose they are given access to Provider’s systems for (i.e., the Provider implements measures to ensure least privilege access to systems that process Student Data). System administration and privileged access is controlled and enforced on a need-to-know basis and is reviewed regularly. • The Provider has in place appropriate procedures for controlling the allocation and revocation of access rights to Student Data. For example, having in place appropriate procedures for revoking employee access to systems that process Student Data when they leave their job or change role. Unnecessary and default user accounts and passwords are disabled on servers. • Provider’s systems containing Student Data are protected by user identifiers, passwords and role-based access rights. 
Special access rights are produced for the purposes of technical maintenance which do not allow access to Student Data. • The Provider implements methods to provide audit logging to establish accountability by monitoring network devices, servers, and applications. Where applicable, aberrant activity generates alerts for investigation and/or action. • All employees must use multi-factor authentication for remote access to IT assets within the corporate network. • The Provider takes appropriate administrative safeguards to protect its services against external attacks, including, for example, deploying firewalls and using services to provide 24x7x365 security monitoring of its data centers to protect and defend against external security threats. Transmission control • The Provider employs appropriate measures to protect the confidentiality, integrity and availability of Student Data during electronic transmission. • The Provider encrypts Student Data while in transit over the internet. Input control • The Provider maintains logging and auditing systems to monitor activity related to the input of Student Data. Order control • The Provider ensures that all requests from the LEA with respect to Student Data are processed strictly in compliance with the LEA’s instructions through the use of clear and unambiguous contract terms; comprehensive statements of work; appropriately designed policies and processes, and training. Availability control • The Provider protects Student Data in its possession against unintentional destruction or loss by implementing appropriate management, operations, and technical controls such as firewalls; monitoring; and backup procedures. Example measures that may also be taken include mirroring of storage media, uninterruptible power supply (UPS); remote storage; and disaster recovery plans. 
EXHIBIT "G" - Supplemental SDPC (Student Data Privacy Consortium) State Terms for Illinois Version 1.1 IL-NDPAv1.0a (Revised March 15, 2021) This Exhibit G, Supplemental SDPC State Terms for Illinois ("Supplemental State Terms"), effective simultaneously with the attached Student Data Privacy Agreement ("DPA") by and between Xxxxxx Community Lincolnshire-Prairie View School District 2 103 (the "Local Education Agency" or "LEA") and Blackboard _ G_eneration_Genius, Inc. (the "Provider"), is incorporated in the attached DPA and amends the DPA (and all supplemental terms and conditions and policies applicable to the DPA) as follows:

Appears in 1 contract

Samples: sdpc.a4l.org

Schedule of Disposition. Data shall be disposed of by the following date: _ __ _ As soon as commercially practicable. _ __ _ By [ ] EXHIBIT “E” [Intentionally omitted] 4. Signature 05/03/2023 Authorized Representative of LEA Date 5. Verification of Disposition of Data Authorized Representative of Provider Date EXHIBIT “F” DATA SECURITY REQUIREMENTS Adequate Cybersecurity Frameworks 2/24/2020 The Education Security and Privacy Exchange (“Edspex”) works in partnership with the Student Data Privacy Consortium and industry leaders to maintain a list of known and credible cybersecurity frameworks which can protect digital learning ecosystems chosen based on a set of guiding cybersecurity principles* (“Cybersecurity Frameworks”) that may be utilized by Provider. Cybersecurity Frameworks MAINTAINING ORGANIZATION/GROUP FRAMEWORK(S) National Institute of Standards and Technology (NIST) NIST Cybersecurity Framework Version 1.1 National Institute of Standards and Technology (NIST) NIST SP 800-53, Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (CSF), Special Publication 800-171 International Standards Organization (ISO) Information technology — Security techniques — Information security management systems (ISO 27000 series) Secure Controls Framework Council, LLC Security Controls Framework (SCF) Center for Internet Security (CIS) CIS Critical Security Controls (CSC, CIS Top 20) Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) Cybersecurity Maturity Model Certification (CMMC, ~FAR/DFAR) Please visit xxxx://xxx.xxxxxx.xxx for further details about the noted frameworks. 
*Cybersecurity Principles used to choose the Cybersecurity Frameworks are located here Provider security measures The Provider uses the following technical and organizational measures to protect Student Data: Management controls • The Provider maintains a comprehensive information security program with an appropriate governance structure (including a dedicated Information Security team) and written security policies to oversee and manage risks related to the confidentiality, availability and integrity of Personal Information. • The Provider aligns its information security program and measures with industry best practices, such as the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, Open Web Application Security Project (OWASP), and National Institute of Standards and Technology (NIST) 800 frameworks. These controls are distilled and incorporated into an internal compliance framework that is applicable to all products and services. • The Provider uses internal resources and third-party contractors to perform audits and vulnerability assessments and provide guidance on best practices for select systems containing Student Data. System assessments and network audits are performed regularly. Issues identified during audits are prioritized and remediated as part of ongoing security monitoring using a risk management methodology. • The Provider’s employees receive security and data privacy training when they start and regularly thereafter. Awareness campaigns are used to raise awareness about information security risks and our information security policies and procedures. Select staff, such as developers, receive additional security training tailored to their job role. Completion of training is tracked. • New employees undergo background checks prior to onboarding, where permitted by applicable law, and sign a confidentiality agreement. 
• Employees are required to comply with internal policies on the acceptable use of corporate IT assets. These policies address requirements on clean desk and secure workspaces, protecting system resources and electronic communications, protecting information, and general use of technology assets. The Provider’s employees are made aware that non-compliance with these policies can lead to disciplinary action, up to and including termination of employment/contract. • The Provider maintains a vendor risk management program to manage the security and integrity of its supply chain. The procurement process for third party service providers that have access to confidential information (including Student Data) includes a vendor security and privacy assessment review and a contract review by the Legal team. • The Provider has a documented security incident response process for responding to, documenting, and mitigating security incidents and notifying its clients, authorities or other parties as required. The process is tested regularly. Admission control • The Provider employs appropriate physical safeguards to prevent unauthorized persons from gaining access to the premises where Student Data is collected, processed and used. Such premises may only be entered by the Provider and/or its agents. • The Provider and its service providers implement physical security controls for the data centers used to store Student Data. These controls are commensurate with industry best practices and local regulations, which include 24x7x365 video monitoring, guards, secured ingress/egress, badged access, sign-in/sign-out logs, restricted access, and other best practices. • The Provider uses appropriate measures to secure buildings, such as using access cards or fobs for employee access. • The Provider uses appropriate measures to ensure that Student Data held in hardcopy are kept securely e.g., in locked rooms or filing cabinet. 
Generally, steps are taken to ensure that access to hardcopy Student Data is limited in the same way it would be on an electronic IT system i.e., access is limited to those individuals where it is necessary for them to have access in order for them to perform their job role. Entry control • The Provider uses appropriate measures to prevent unauthorized parties from accessing or using its systems containing Student Data. • The Provider requires authentication and authorization to gain access to systems that process Student Data (i.e., require users to enter a user id and password before they are permitted access to such systems). • The Provider has procedures in place to permit only authorized persons to access Student Data internally or externally by using authentication procedures (e.g., by means of appropriate passwords), except as otherwise enabled by the LEA. Access control • The Provider employs appropriate measures to prevent individuals accessing Student Data unless they hold a specific access authorization. • The Provider only permits access to Student Data which the employee (or agent) needs for his/her job role or the purpose they are given access to Provider’s systems for (i.e., the Provider implements measures to ensure least privilege access to systems that process Student Data). System administration and privileged access is controlled and enforced on a need-to-know basis and is reviewed regularly. • The Provider has in place appropriate procedures for controlling the allocation and revocation of access rights to Student Data. For example, having in place appropriate procedures for revoking employee access to systems that process Student Data when they leave their job or change role. Unnecessary and default user accounts and passwords are disabled on servers. • Provider’s systems containing Student Data are protected by user identifiers, passwords and role-based access rights. 
Special access rights are produced for the purposes of technical maintenance which do not allow access to Student Data.
• The Provider implements methods to provide audit logging to establish accountability by monitoring network devices, servers, and applications. Where applicable, aberrant activity generates alerts for investigation and/or action.
• All employees must use multi-factor authentication for remote access to IT assets within the corporate network.
• The Provider takes appropriate administrative safeguards to protect its services against external attacks, including, for example, deploying firewalls and using services to provide 24x7x365 security monitoring of its data centers to protect and defend against external security threats.

Transmission control

• The Provider employs appropriate measures to protect the confidentiality, integrity and availability of Student Data during electronic transmission.
• The Provider encrypts Student Data while in transit over the internet.

Input control

• The Provider maintains logging and auditing systems to monitor activity related to the input of Student Data.

Order control

• The Provider ensures that all requests from the LEA with respect to Student Data are processed strictly in compliance with the LEA’s instructions through the use of clear and unambiguous contract terms; comprehensive statements of work; appropriately designed policies and processes, and training.

Availability control

• The Provider protects Student Data in its possession against unintentional destruction or loss by implementing appropriate management, operations, and technical controls such as firewalls; monitoring; and backup procedures. Example measures that may also be taken include mirroring of storage media, uninterruptible power supply (UPS); remote storage; and disaster recovery plans.
EXHIBIT “G”

Supplemental SDPC (Student Data Privacy Consortium) State Terms for Illinois Texas

Version 1.1 (Revised March 2021)

1.0 This Exhibit G, Supplemental SDPC State Terms for Illinois Texas (“Supplemental State Terms”), effective simultaneously with the attached Student Data Privacy Agreement (“DPA”) by and between Xxxxxx Community School District 2 [ NORTH EAST ISD ] (the “Local Education Agency” or “LEA”) and Blackboard Inc. [ Canva Pty Ltd ] (the “Provider”), is incorporated in the attached DPA and amends the DPA (and all supplemental terms and conditions and policies applicable to the DPA) as follows:

Appears in 1 contract

Samples: Student Data Privacy Agreement
