Common use of Exhibits A and B Clause in Contracts

Exhibits A and B. The Services described in Exhibit A and the Schedule of Data in Exhibit B to the DPA satisfy the requirements in SOPPA to include a statement of the product or service being provided to the school by the Provider and a listing of the categories or types of covered information to be provided to the Provider, respectively. EXHIBIT “H” Additional Terms or Modifications Version 1 XXX and Provider agree to the following additional terms and modifications: This is a free text field that the parties can use to add or modify terms in or to the DPA. If there are no additional or modified terms, this field should read “None.” Amend Section 1 under Article I to read: Purpose of DPA. The purpose of this DPA is to describe the duties and responsibilities to protect Student Data, including compliance with all applicable federal, state, and local privacy laws, rules, and regulations, all as may be amended from time to time. In performing these services, the Provider shall be considered a School Official with a legitimate educational interest, and performing services otherwise provided by the LEA. Provider shall be under the direct control and supervision of the LEA, with respect to its use of Student Data. Amend Section 6 under Article IV to read: Disposition of Data. Upon written request from the LEA, Provider shall dispose of or provide a mechanism for the LEA to transfer Student Data obtained under the Service Agreement, within sixty (60) days of the date of said request and according to a schedule and procedure as the Parties may reasonably agree. Upon termination of this DPA, if no written request from the LEA is received, Provider shall dispose of all Student Data in accordance with Provider’s standard records retention periods after providing the LEA with reasonable prior notice, which notice may take the form of a banner or popup within the assessment platform, mass email, or substantially similar method of communication. The duty to dispose of Student Data shall not extend to Student Data that had been De-Identified or placed in a separate student account pursuant to section II 3. The LEA may employ a “Directive for Disposition of Data” form, a copy of which is attached hereto as Exhibit “D”. If the LEA and Provider employ Exhibit “D,” no further written request or notice is required on the part of either party prior to the disposition of Student Data described in Exhibit “D”. Amend Section 2 under Article V to read: Audits. No more than once a year, or following unauthorized access, upon receipt of a written request from the LEA with at least ten (10) business days’ notice and upon the execution of an appropriate confidentiality agreement, the Provider will allow the LEA to request a copy of the most recent third-party audit of the security and privacy measures that are in place to ensure protection of Student Data or any portion thereof as it pertains to the delivery of services to the LEA. The Provider will cooperate reasonably with the LEA and any local, state, or federal agency with oversight authority or jurisdiction in connection with any audit or investigation of the Provider and/or delivery of Services to students and/or LEA, and shall provide reasonable access to the Provider’s facilities, staff, agents and LEA’s Student Data and all records pertaining to the Provider, LEA and delivery of Services to the LEA. Failure to reasonably cooperate shall be deemed a material breach of the DPA. Amend Section 10 in EXHIBIT G to read: Reimbursement of Expenses Associated with Security Breach. In the event of a confirmed Security Breach that is attributable to the Provider’s willful or negligent acts or omissions, the Provider shall reimburse and indemnify the LEA for any and all costs and expenses that the LEA incurs in investigating and remediating the Security Breach, subject to the Providers limitation of liability set forth in the Terms of Use, including but not limited to costs and expenses associated with: a. Providing notification to the parents of those students whose Student Data was compromised and regulatory agencies or other entities as required by law or contract; b. Providing credit monitoring to those students whose Student Data was exposed in a manner during the Security Breach that a reasonable person would believe may impact the student’s credit or financial security; c. Legal fees, audit costs, fines, and any other fees or damages imposed against the LEA as a result of the security breach; and d. Providing any other notifications or fulfilling any other requirements adopted by the Illinois State Board of Education or under other State or federal laws. Amend Section 11 in EXHIBIT G to read: Transfer or Deletion of Student Data. The Provider shall review, on an annual basis, whether the Student Data it has received pursuant to the DPA continues to be needed for the purpose(s) of the DPA. If any of the Student Data is no longer needed for purposes of the DPA, the Provider must inform XXX by updating and providing LEA with a copy of Provider’s Privacy Policy and, upon receipt of XXX’s written instructions, delete such Student Data or transfer to the LEA such Student Data. The Provider shall effectuate such transfer or deletion of Student Data and provide written confirmation of said transfer or deletion to the LEA within thirty (30) calendar days of receiving the instructions. If the LEA receives a request from a parent, as that term is defined in 105 ILCS 10/2(g), that Student Data being held by the Provider be deleted, the LEA shall determine whether the requested deletion would violate State and/or federal records laws. In the event such deletion would not violate State or federal records laws, the LEA shall forward the request for deletion to the Provider. The Provider shall comply with the request and delete the Student Data within a reasonable time period after receiving the request. Any provision of Student Data to the LEA from the Provider shall be transmitted in a format readable by the LEA.

Exhibits A and B. The Services described in Exhibit A and the Schedule of Data in Exhibit B to the DPA satisfy the requirements in SOPPA to include a statement of the product or service being provided to the school by the Provider and a listing of the categories or types of covered information to be provided to the Provider, respectively. EXHIBIT “H” Additional Terms or Modifications Version 1 XXX LEA and Provider agree to the following additional terms and modifications: This is a free text field that the parties can use to add or modify terms in or to the DPA. If there are no additional or modified terms, this field should read “None.” Amend Section 1 under Article I Exhibit F adds: Student information must be sent to read: Purpose of DPAProvider via secure connection. The purpose of this DPA is to describe the duties and responsibilities to protect Student Data, including compliance with all applicable federal, state, and local privacy laws, rules, and regulations, all as may be amended from time to time. In performing these services, the Provider shall be considered a School Official with a legitimate educational interest, and performing services otherwise provided by the LEA. Provider shall be under the direct control and supervision of the LEA, with respect to its use of Student Data. Amend Section 6 under Article IV to read: Disposition of Data. Upon written request from the LEA, Provider shall dispose of or provide a mechanism A representative for the LEA will be appointed to transfer train and enforce proper handling of information to prevent inappropriate access to or use of student data. Requirements for account creation as described at xxx.xxxxxxxxxxx.xxx/ privacy in the Extra Information for Student Data obtained Users section and for data deletion under the Service Agreement, Data Retention section are required for services provided within sixty (60) days of the date of said request and according to a schedule and procedure as the Parties may reasonably agree. Upon termination of this DPA, if no written request from the LEA is received, Provider shall dispose of all Student Data in accordance with Provider’s standard records retention periods after providing the LEA with reasonable prior notice, which notice may take the form of a banner or popup within the assessment platform, mass email, or substantially similar method of communication. The duty to dispose of Student Data shall not extend to Student Data that had been De-Identified or placed in a separate student account pursuant to section II 3Exhibit G numbers 11 and 13 for our proposed modifications. The LEA may employ a “Directive for Disposition of Data” form, a copy of which is attached hereto as Exhibit “D”. If the LEA and Provider employ Exhibit “D,” no further written request or notice is required on the part of either party prior to the disposition of Student Data described in Exhibit “D”. Amend Section 2 under Article V to read: Audits. No more than once a year, or following unauthorized access, upon receipt of a written request from the LEA with at least ten (10) business days’ notice and upon the execution of an appropriate confidentiality agreement, the Provider will allow the LEA to request a copy of the most recent third-party audit of the security and privacy measures that are in place to ensure protection of Student Data or any portion thereof as it pertains to the delivery of services to the LEA. The Provider will cooperate reasonably with the LEA and any local, state, or federal agency with oversight authority or jurisdiction in connection with any audit or investigation of the Provider and/or delivery of Services to students and/or LEA, and shall provide reasonable access to the Provider’s facilities, staff, agents and LEA’s Student Data and all records pertaining to the Provider, LEA and delivery of Services to the LEA. Failure to reasonably cooperate shall be deemed a material breach of the DPA. Amend Section 10 in EXHIBIT G to read: Reimbursement of Expenses Associated with Security Breach. In the event of a confirmed Security Breach that is attributable to the Provider’s willful or negligent acts or omissions, the Provider shall reimburse and indemnify the LEA for any and all costs and expenses that the LEA incurs in investigating and remediating the Security Breach, subject to the Providers limitation of liability set forth in the Terms of Use, including but not limited to costs and expenses associated with: a. Providing notification to the parents of those students whose Student Data was compromised and regulatory agencies or other entities as required by law or contract; b. Providing credit monitoring to those students whose Student Data was exposed in a manner during the Security Breach that a reasonable person would believe may impact the student’s credit or financial security; c. Legal fees, audit costs, fines, and any other fees or damages imposed against the LEA as a result of the security breach; and d. Providing any other notifications or fulfilling any other requirements adopted by the Illinois State Board of Education or under other State or federal laws. Amend Section #11 in EXHIBIT G to read: Transfer or Deletion of Student Data. - Remove - The Provider shall review, on an annual basis, whether the Student theStudent Data it has received pursuant to the DPA continues to be needed for the purpose(s) of the DPA. If any of the Student Data is no longer needed for purposes of the DPA, the Provider must inform XXX by updating and providing LEA with a copy of Provider’s Privacy Policy and, upon receipt of XXX’s written instructions, delete such unnecessary Student Data or transfer to the LEA such unnecessary Student Data. The Provider shall effectuate such transfer or deletion of Student Data and provide written confirmation of said transfer or deletion to the LEA within thirty (30) calendar days of receiving the instructions. If the LEA receives a request from a parent, as operator becoming aware that term is defined in 105 ILCS 10/2(g), that Student Data being held by the Provider be deleted, the LEA shall determine whether the requested deletion would violate State and/or federal records laws. In the event such deletion would not violate State or federal records laws, the LEA shall forward the request for deletion to the Provider. The Provider shall comply with the request and delete the Student Data within a reasonable time period after receiving is no longer needed for purposes of the requestDPA. Any provision of #11 Add - Student Data can be evaluated and deleted upon written request from the LEA to xxxxxxx@xxxxxxxxxxx.xxx - data will be deleted upon request or 10 years after the expiration of the contract, whichever comes first. Termination of data only applies to premium user data. Users that are on a free plan or moved to a free plan will not be eligible for deletion. #13 - Remove - By no later than (5) business days after the date of execution of the DPA, theProvider shall provide the LEA with a list of any subcontractors to whom Student Data may be disclosed or a link to a page on the Provider’s website that clearly lists any and all subcontractors to whom Student Data may be disclosed. This list shall, at a minimum, be updated and provided to the LEA from the Provider shall be transmitted in a format readable by the LEAbeginning of each fiscal year (July 1) and at the beginning of each calendar year (January 1).

Exhibits A and B. The Services described in Exhibit A and the Schedule of Data in Exhibit B to the DPA satisfy the requirements in SOPPA to include a statement of the product or service being provided to the school by the Provider and a listing of the categories or types of covered information to be provided to the Provider, respectively. Last Updated 2021-03-15 - New Illinois Exhibit G IL-NDPA v1.0a Page 22 of 23 EXHIBIT “"H” " Additional Terms or Modifications Version 1 XXX 1.0 LEA and Provider agree to the following additional terms and modifications: This is a free text field that the parties can use to add or modify terms in or to the DPA. If there are no additional or modified terms, this field should read “"None.” Amend Section 1 under Article I " 618-1/4715859.1 Art. IV § 3 Provider wishes to read: Purpose clarify that Provider shall require all of DPA. The purpose of this DPA is Provider's employees and agents who have access to describe the duties and responsibilities Student Data to agree to protect Student Data, including compliance with all applicable federal, state, and local privacy laws, rules, and regulations, all as may be amended from time to time. In performing these services, Data in a manner no less stringent than the Provider shall be considered a School Official with a legitimate educational interest, and performing services otherwise provided by the LEA. Provider shall be under the direct control and supervision of the LEA, with respect to its use of Student Data. Amend Section 6 under Article IV to read: Disposition of Data. Upon written request from the LEA, Provider shall dispose of or provide a mechanism for the LEA to transfer Student Data obtained under the Service Agreement, within sixty (60) days of the date of said request and according to a schedule and procedure as the Parties may reasonably agree. Upon termination terms of this DPA, if no written request from . Provider accepts responsibility for the LEA is received, Provider shall dispose actions of all Student Data such employees and agents. Art. IV § 5 Notwithstanding Art. IV § 5, Amplify may use and share with agents, partners, and researchers non-personally identifiable information collected hereunder, including data that has been de-identified in accordance with Provider’s standard records retention periods after providing FERPA and applicable laws, for legitimate educational purposes and may distribute findings, analysis and reports based upon such non-PII data. The language ", and (b) prior written notice has been given to the LEA with reasonable who has provided prior notice, which notice may take the form of a banner or popup within the assessment platform, mass email, or substantially similar method of communication. The duty to dispose of Student Data shall not extend to Student Data that had been De-Identified or placed in a separate student account pursuant to section II 3. The LEA may employ a “Directive written consent for Disposition of Data” form, a copy of which is attached hereto as Exhibit “D”. If the LEA and Provider employ Exhibit “D,” no further written request or notice is required on the part of either party prior to the disposition of Student Data described in Exhibit “D”. Amend Section 2 under Article V to read: Audits. No more than once a year, or following unauthorized access, upon receipt of a written request from the LEA with at least ten (10) business days’ notice and upon the execution of an appropriate confidentiality agreement, the Provider will allow the LEA to request a copy of the most recent third-party audit of the security and privacy measures that are in place to ensure protection of Student Data or any portion thereof as it pertains to the delivery of services to the LEA. The Provider will cooperate reasonably with the LEA and any local, state, or federal agency with oversight authority or jurisdiction in connection with any audit or investigation of the Provider and/or delivery of Services to students and/or LEA, and shall provide reasonable access to the Provider’s facilities, staff, agents and LEA’s Student Data and all records pertaining to the Provider, LEA and delivery of Services to the LEA. Failure to reasonably cooperate such transfer" shall be deemed a material breach of the DPAstruck from such section. Amend Section 10 in EXHIBIT Exhibit G to read: §10. Reimbursement of Expenses Associated with Security Breach. In the event of a confirmed Security Breach that is attributable to the Provider’s willful or negligent acts or omissions, the Provider Amplify shall reimburse and indemnify the LEA for any and all costs and expenses that the LEA incurs in investigating and remediating the Security BreachBreach to the extent such Security Breach was attributable to Amplify. Amplify will indemnify and hold the LEA harmless from third party claims of the nature set forth in this section. Amplify wishes to clarify that Amplify will be responsible for, and will bear, all notification related costs arising out of or in connection with the Security Incident, subject to the Providers limitation any limitations of liability set forth terms contained in the Terms of Useapplicable agreement. For clarity and without limitation, including but Amplify will not limited be responsible for costs associated with voluntary notification which is not legally required. With respect to costs and expenses associated with: a. Providing notification to the parents of those students whose Student Data was compromised and regulatory agencies or other entities as required by law or contract; b. Providing credit monitoring to those students whose Student Data was exposed in a manner during the any Security Breach that a reasonable person would believe may impact which is not due to acts or omissions of Amplify or its agents, Amplify will reasonably cooperate in performing the student’s credit or financial security; c. Legal feesactivities described above, audit costs, fines, and any other fees or damages imposed against as the LEA as a result of the security breach; and d. Providing any other notifications or fulfilling any other requirements adopted by the Illinois State Board of Education or under other State or federal laws. Amend Section 11 in EXHIBIT G to read: Transfer or Deletion of Student Data. The Provider shall reviewrequests, on an annual basis, whether the Student Data it has received pursuant to the DPA continues to be needed for the purpose(s) of the DPA. If any of the Student Data is no longer needed for purposes of the DPA, the Provider must inform XXX by updating and providing LEA with a copy of Provider’s Privacy Policy and, upon receipt of XXX’s written instructions, delete such Student Data or transfer to the LEA such Student Data. The Provider shall effectuate such transfer or deletion of Student Data and provide written confirmation of said transfer or deletion to the LEA within thirty (30) calendar days of receiving the instructions. If the LEA receives a request from a parent, as that term is defined in 105 ILCS 10/2(g), that Student Data being held by the Provider be deleted, the LEA shall determine whether the requested deletion would violate State and/or federal records laws. In the event such deletion would not violate State or federal records laws, the LEA shall forward the request for deletion to the Provider. The Provider shall comply with the request and delete the Student Data within a reasonable time period after receiving the request. Any provision of Student Data to the LEA from the Provider shall be transmitted in a format readable by at the LEA’s reasonable expense.

Exhibits A and B. The Services described in Exhibit A and the Schedule of Data in Exhibit B to the DPA satisfy the requirements in SOPPA to include a statement of the product or service being provided to the school by the Provider and a listing of the categories or types of covered information to be provided to the Provider, respectively. EXHIBIT “H” Additional Terms or Modifications Version 1 XXX LEA and Provider agree to the following additional terms and modifications: This is a free text field that the parties can use to add or modify terms in or to the DPA. If there are no additional or modified terms, this field should read “None.” Amend Section 1 under Article I V, s 2 Audits to readbe deleted in it's entirety and replaced with: Purpose of DPA. The purpose of this DPA is to describe the duties and responsibilities to protect Student Data, including compliance with all applicable federal, state, and local privacy laws, rules, and regulations, all as may be amended from time to time. In performing these services, the Provider shall be considered a School Official with a legitimate educational interest, and performing services otherwise provided by the LEA. Provider shall be under the direct control and supervision of the LEA, with respect to its use of Student Data. Amend Section 6 under Article IV to read: Disposition of Data. Upon written request from the LEA, Provider shall dispose of or provide a mechanism for the LEA to transfer Student Data obtained under the Service Agreement, within sixty (60) days of the date of said request and according to a schedule and procedure as the Parties may reasonably agree. Upon termination of this DPA, if no written request from the LEA is received, Provider shall dispose of all Student Data in accordance with Provider’s standard records retention periods after providing the LEA with reasonable prior notice, which notice may take the form of a banner or popup within the assessment platform, mass email, or substantially similar method of communication. The duty to dispose of Student Data shall not extend to Student Data that had been De-Identified or placed in a separate student account pursuant to section II 3. The LEA may employ a “Directive for Disposition of Data” form, a copy of which is attached hereto as Exhibit “D”. If the LEA and Provider employ Exhibit “D,” no further written request or notice is required on the part of either party prior to the disposition of Student Data described in Exhibit “D”. Amend Section 2 under Article V to read: Audits. 'No more than once a year, or following unauthorized access, upon receipt of a written request from the LEA with at least ten thirty (1030) business days’ ' notice and upon the execution of an appropriate confidentiality agreement, the Provider will allow and the LEA will agree on an independent third party to request a copy of the most recent third-party audit of the security and privacy measures that are in place to ensure protection of Student Data or any portion thereof as it pertains to the delivery of services to the LEA. The Provider will be responsible for all costs associated with the third-party audit. The Provider will cooperate reasonably with the LEA and any local, state, or federal agency with oversight authority or jurisdiction in connection with any independent third party conducting the audit or investigation of the Provider and/or delivery of Services to students and/or LEA, and shall provide reasonable access to the Provider’s 's facilities, staff, staff agents and LEA’s 's Student Data and all records pertaining to the Provider, LEA and delivery of Services to the LEA. Failure to reasonably cooperate shall be deemed a material breach The last sentence of the DPA. Amend Section 10 first paragraph of Exhibit G, s 11 to be deleted in EXHIBIT G to readits entirety and replaced with: Reimbursement “Upon termination of Expenses Associated with Security Breach. In the event of a confirmed Security Breach that is attributable to Service Agreement between the Provider’s willful or negligent acts or omissionsProvider and LEA, the Provider shall reimburse and indemnify the LEA for any and all costs and expenses that the LEA incurs in investigating and remediating the Security Breach, subject to the Providers limitation of liability set forth in the Terms of Use, including but not limited to costs and expenses associated with: a. Providing notification to the parents of those students whose Student Data was compromised and regulatory agencies or other entities as required by law or contract; b. Providing credit monitoring to those students whose Student Data was exposed in a manner during the Security Breach that a reasonable person would believe may impact the student’s credit or financial security; c. Legal fees, audit costs, fines, and any other fees or damages imposed against the LEA as a result of the security breach; and d. Providing any other notifications or fulfilling any other requirements adopted by the Illinois State Board of Education or under other State or federal laws. Amend Section 11 in EXHIBIT G to read: Transfer or Deletion of Student Data. The Provider shall review, on an annual basis, whether the Student Data it has received pursuant to the DPA continues to be needed for the purpose(s) of the DPA. If any of the Student Data is no longer needed for purposes of the DPA, the Provider must inform XXX by updating and providing LEA with a copy of Provider’s Privacy Policy and, upon receipt of XXX’s written instructions, will delete such Student Data or transfer to the LEA such Student Data. The Provider shall effectuate such transfer or deletion of all remaining Student Data and provide written confirmation of said transfer or deletion to in the LEA Provider’s possession, as directed by the LEA, within thirty (30) 60 calendar days of receiving the instructionstermination. If the LEA receives a request from a parent, as that term is defined in 105 ILCS 10/2(g), that Student Data being held by the Provider be deleted, the LEA shall determine whether the requested deletion would violate State and/or federal records laws. In the event such deletion would not violate State or federal records laws, the LEA shall forward the request for deletion to the Provider. The Provider shall comply with the request and delete the Student Data within a reasonable time period after receiving the request. Any provision of Student Data to the LEA from the Provider shall be transmitted in a format readable by the LEA.R E F E R E N C E N U M B E R 91E32FF 5-535F-4529-BC47-CE511D25BE0F S I G N AT U R E C E RT I F I C AT E TRANSACTION DETAILS DOCUMENT DETAILS Reference Number 91E32FF5-535F-4529-BC47-CE511D25BE0F Transaction Type Signature Request Sent At 04/30/2021 09:57 EDT Executed At 04/30/2021 10:28 EDT Identity Method email Distribution Method email Signed Checksum Document Name Il Ndpa V1a Turnitin Cusd50 Final 2 Filename il_ndpa_v1a_turnitin_cusd50_final_2_.pdf Pages 23 pages Content Type application/pdf File Size

Exhibits A and B. The Services described in Exhibit A and the Schedule of Data in Exhibit B to the DPA satisfy the requirements in SOPPA to include a statement of the product or service being provided to the school by the Provider and a listing of the categories or types of covered information to be provided to the Provider, respectively. EXHIBIT “H” Additional Terms or Modifications Version 1 XXX LEA and Provider agree to the following additional terms and modifications: This is a free text field that the parties can use to add or modify terms in or to the DPA. If there are no additional or modified terms, this field should read “None.” Amend Section 1 under The following text is appended to Article I to readII, section 5: Purpose of DPA. The purpose of this DPA is to describe "Notwithstanding the duties and responsibilities to protect Student Data, including compliance with all applicable federal, state, and local privacy laws, rules, and regulations, all as may be amended from time to time. In performing these services, the Provider shall be considered a School Official with a legitimate educational interest, and performing services otherwise provided by the LEA. Provider shall be under the direct control and supervision of the LEA, with respect to its use of Student Data. Amend Section 6 under Article IV to read: Disposition of Data. Upon written request from the LEAforegoing, Provider shall dispose have no obligation to enter into any such agreements and shall not be responsible for any third parties, including but not limited to educational service centers, to which LEA transmits Student Data or contracts with for services outside of or provide a mechanism for the scope of the Services provided by Provider." The following text is added to Article IV, section 6: "Provider requires that the LEA to transfer Student Data obtained under the Service Agreement, within sixty (60) days of the date of said request and according to a schedule and procedure as the Parties may reasonably agree. Upon termination of this DPA, if no written request from the LEA is received, Provider shall dispose of all not provide Student Data in accordance with Provider’s standard records retention periods after providing the LEA with reasonable prior notice, which notice may take the form of a banner or popup within the assessment platform, mass email, or substantially similar method of communication. The duty to dispose of Student Data shall not extend to Student Data that had been De-Identified or placed in a separate student account pursuant to section II 3. The LEA may employ a “Directive for Disposition of Data” form, a copy of which is attached hereto as Exhibit “D”. If the LEA and Provider employ Exhibit “D,” no further written request or notice is required on the part of either party prior emails sent by its employees to the disposition of Student Data described in Exhibit “D”. Amend Section Provider." Article V, section 2 under Article V to readis changed as follows: Audits. No more than once a year, or following unauthorized access, upon receipt of a written request from the LEA with at least ten (10) business days’ notice and upon the execution of an appropriate confidentiality agreement, the "Provider will allow the LEA to request a copy of the most recent third-party audit of the security and privacy measures that are in place place" is changed to ensure protection of Student Data or any portion thereof as it pertains "Provider will allow the LEA to audit the summary security and privacy measures that are in place" Article V, section 4 has the following text added to the delivery end of services the first paragraph: "when compromise was caused by the Provider:" Exhibit C, Definitions "Service Agreement: Refers to the LEA. The Provider will cooperate reasonably with the LEA and any localContract, state, Purchase Order or federal agency with oversight authority Terms of Service or jurisdiction in connection with any audit or investigation of the Provider and/or delivery of Services to students and/or LEA, and shall provide reasonable access to the Provider’s facilities, staff, agents and LEA’s Student Data and all records pertaining to the Provider, LEA and delivery of Services to the LEA. Failure to reasonably cooperate shall be deemed a material breach of the DPA. Amend Section 10 in EXHIBIT G to read: Reimbursement of Expenses Associated with Security Breach. In the event of a confirmed Security Breach that is attributable to the Provider’s willful or negligent acts or omissions, the Provider shall reimburse and indemnify the LEA for any and all costs and expenses that the LEA incurs in investigating and remediating the Security Breach, subject to the Providers limitation of liability set forth in the Terms of Use, including but not limited ." is changed to costs and expenses associated with"Service Agreement: a. Providing notification Refers to the parents Provider and LEA Contract, Purchase Order or Terms of those students whose Student Data was compromised and regulatory agencies Service or other entities as required by law or contract; b. Providing credit monitoring to those students whose Student Data was exposed in a manner during the Security Breach that a reasonable person would believe may impact the student’s credit or financial security; c. Legal fees, audit costs, fines, and any other fees or damages imposed against the LEA as a result Terms of the security breach; and d. Providing any other notifications or fulfilling any other requirements adopted by the Illinois State Board of Education or under other State or federal laws. Amend Section 11 in EXHIBIT G to read: Transfer or Deletion of Student Data. The Provider shall review, on an annual basis, whether the Student Data it has received pursuant to the DPA continues to be needed for the purpose(s) of the DPA. If any of the Student Data is no longer needed for purposes of the DPA, the Provider must inform XXX by updating and providing LEA with a copy of Provider’s Privacy Policy and, upon receipt of XXX’s written instructions, delete such Student Data or transfer to the LEA such Student Data. The Provider shall effectuate such transfer or deletion of Student Data and provide written confirmation of said transfer or deletion to the LEA within thirty (30) calendar days of receiving the instructions. If the LEA receives a request from a parent, as that term is defined in 105 ILCS 10/2(g), that Student Data being held by the Provider be deleted, the LEA shall determine whether the requested deletion would violate State and/or federal records laws. In the event such deletion would not violate State or federal records laws, the LEA shall forward the request for deletion to the Provider. The Provider shall comply with the request and delete the Student Data within a reasonable time period after receiving the request. Any provision of Student Data to the LEA from the Provider shall be transmitted in a format readable by the LEAUse."