GCPS Privacy & Security Terms
Gwinnett County Public Schools ("GCPS") and Remedy Apps, LLC ("Contractor") (each referred to herein as a "Party," and collectively as the "Parties") hereby agree to the following Privacy and Security terms (these "Terms") in connection with Contractor's provision of products and/or services to GCPS and its schools. If there is any inconsistency between these Terms and the Parties' other agreements or the Contractor's standard terms or conditions or privacy policies or practices that otherwise govern the Parties' relationship and/or Contractor's goods or services (collectively, the "Agreements"), the Parties agree that these Terms shall control. The Parties agree that these Terms are hereby incorporated into any agreement entered into at any time by and between the Parties, whether such agreement is entered into before, on, or after the date hereof.
1. Definitions
a. "AI" means artificial intelligence.
b. "AI Model" means any artificial intelligence model (which includes, without limitation, any deep learning or machine learning model) used by or incorporated into the Services (as defined below). AI Models are deemed to be part of the Services for purposes of these Terms.
c. "Contractor Personnel" means all persons or entities furnished or engaged by Contractor to assist in performing the Services (as defined herein), including officers, employees, representatives, and agents of Contractor, Contractor's affiliates, and Contractor's subcontractors.
d. "Confidential Information" means (i) any information concerning GCPS or its schools (regardless of whether such information is specifically identified as "confidential" and irrespective of the form of communication and in whatever form maintained, whether documentary, computerized or otherwise) that is furnished to Contractor or Contractor Personnel by or on behalf of GCPS or its representatives or agents before, on or after the date hereof, (ii) Education Records, (iii) Protected Data, and (iv) any analyses, summaries, notes, compilations, studies, emails, electronic files or other materials prepared by Contractor or Contractor Personnel that contain or otherwise reflect such information, Educational Records or Protected Data. The term "Confidential Information" does not include information that is or becomes generally available to the public other than as a result of a disclosure by Contractor or Contractor Personnel in violation of the Agreements or these Terms.
e. "De-identified Information" means Protected Data from which all direct and indirect identifiers have been permanently and irrevocably removed so that the information cannot personally identify an individual, even when taking into account other reasonably available information.
f. "Disclose" means to permit access to or the release, transfer, or other communication by any means, including oral, written, or electronic means, to any person or entity except the person or entity identified as the person or entity that provided or created the record.
g. "Education Records" means records that are directly related to a student and maintained by GCPS or by a party acting on behalf of GCPS. Education Records do not include records created or received by GCPS after an individual is no longer a student in attendance at GCPS or that are not directly related to the individual's attendance as a student at GCPS.
h. "GCPS Training Data" means any Protected Data or Confidential Information sourced by or on behalf of Contractor or Contractor Personnel that is used by train, fine-tune, validate, customize, test or improve an AI Model.
i. "Law" means any and all current and future foreign or U.S. federal, state or local statute, law (including common law), ordinance, rule, regulation, injunction, treaty, restriction, approval, directive, binding statutory guidance, regulatory code of practice, permit, or order, or term or condition of any of the foregoing, or any other binding action or other requirement of any governmental authority.
j. "Model Improvements" means any incremental improvements, enhancements or other modifications to an AI Model by or on behalf of GCPS, Contractor or Contractor Personnel as a result of having been fine-tuned on or behalf of GCPS, Contractors or Contractor Personnel.
k. "Output" means the results (whether Protected Data, Confidential Information, text, materials, images or other content) generated by an AI Model. Subject to the express provisions of these Terms, Output is deemed to be part of the AI Model.
l. "Prompts" means Protected Data, Confidential Information, text, materials, images and other content submitted or otherwise input into an AI Model in order to generate Output.
m. "Protected Data" means any information that can personally identify an individual or is otherwise protected by Law that Contractor collects or has access to in connection with providing the Services. Protected Data includes, but is not limited to, information created or provided by GCPS, a student or a student's parent or guardian in connection with the Services, direct or indirect identifiers, metadata, or any other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person to identify the student with reasonable certainty. Protected Data does not include De-identified Information.
n. "Security Incident" means the occurrence of: (i) any act or omission that directly or indirectly leads to the compromise of the confidentiality, integrity, or availability of Protected Data or the physical, technical, administrative, or organizational safeguards put in place by Contractor, or put in place by GCPS should Contractor have access to GCPS's systems, that relate to the protection of the confidentiality, integrity, or availability of Protected Data; or (ii) the receipt of an allegation or complaint that Protected Data or systems housing Protected Data have been compromised or that Contractor has breached or otherwise failed to comply with these Terms. A "Security Incident" includes, but is not limited to, for example: a physical trespass on a secure facility in which Protected Data is maintained; intrusion or hacking into Contractor's or Contractor Personnel's networks, systems, or premises on which Protected Data is maintained; loss or theft of a computer, mobile device, hard drive, other information storage device, or printed materials that contain Protected Data; a potential or actual use, misuse, acquisition, compromise, loss, destruction, alteration, or disclosure of, or unauthorized access to, Protected Data; or any circumstance pursuant to which applicable Law requires notification of such incident to be given to affected parties or other activity in response to such circumstance.
o. "Services" means providing GCPS with an organized volunteer hour tracking platform application. All efforts will be performed on behalf of GCPS as a school official with a legitimate educational interest in Education Records.
p. "Training Data" means any data or information sourced by or on behalf of Contractor or Contractor Personnel that is used by train, validate, customize, test or improve an AI Model.
2. Protected Data License
The Parties agree that all rights, including intellectual property rights, in Protected Data shall remain the exclusive property of GCPS. Contractor has a limited, nonexclusive license to use Protected Data solely for the purpose of performing the Services, as permitted by these Terms, or otherwise with the express written consent of GCPS. These Terms do not give Contractor any rights, implied or otherwise, to Protected Data, except as expressly stated in these Terms.
3. Standard of Care; Confidentiality
Contractor shall maintain the confidentiality of Confidential Information using the same degree of care as Contractor employs in maintaining in confidence Contractor's own proprietary and confidential information of a like nature but in no event using less than a reasonable degree of care. Contractor is fully responsible for any authorized or unauthorized collection, storage, disclosure, disposal and use of, and access to, Confidential Information by Contractor Personnel. Contractor shall, and shall ensure that Contractor Personnel, implement and maintain all commercially-reasonable administrative, physical, and technical safeguards, as well as any additional requirements set forth in these Terms or otherwise agreed upon in writing by the Parties that prevent any unauthorized collection, storage, disclosure, disposal, and use of, and access to, Confidential Information.
4. Contractor Personnel
Contractor may rely on Contractor Personnel to perform the Services, provided that Contractor shall require all Contractor Personnel with access to Protected Data to agree in writing to comply with these Terms, including agreeing to maintain the confidentiality of Confidential Information, and, in the case of subcontractors, to place the same restrictions outlined herein (including, but not limited to, with respect to Confidential Information) on their own subcontractors. Any breach of these Terms by Contractor Personnel shall be deemed a breach of these Terms by Contractor. Contractor shall train Contractor Personnel on the proper handling of Protected Data in accordance with these Terms and applicable Law.
5. Restrictions on Contractor's Receipt, Use, and Disclosure of Confidential Information
a. Contractor shall access and collect Protected Data only to the extent necessary to perform the Services.
b. Contractor shall not disclose Confidential Information to any other person or entity without the prior written consent of GCPS, except: (i) to Contractor Personnel, but only to the extent necessary to perform the Services and on the condition that the Confidential Information shall be used only for the purposes for which the disclosure was made; (ii) to eligible students, and their respective parents or guardians, in accordance with the Family Educational Rights and Privacy Act ("FERPA"), on the condition that Contractor uses reasonable methods to identify and authenticate the identity of the parent, guardian, or eligible student prior to any such disclosure; or (iii) in connection with the sale of all of the shares of Contractor to a third party, the sale of all or substantially all of the assets of Contractor to a third party, or the merger of Contractor with a third party, but only if such acquiror or successor agrees in writing to be subject to and bound by these Terms.
c. Contractor shall maintain the confidentiality of Confidential Information and shall treat it in accordance with these Terms and applicable Law.
d. Except as necessary to perform the Services or as otherwise expressly authorized in writing by GCPS, Contractor shall not: (i) rent, sublicense, transfer, disclose, use or grant any rights in, or share or provide access to, Confidential Information, in any form; (ii) provide, process, transmit, or store any Confidential Information in an unsecured form; (iii) disclose, market, or provide any reports or other analyses based on, derived from or incorporating any Confidential Information to any third parties; (iv) collect, store, use or share any information or data in a way that allows any natural person to be identified; (v) collect, use, combine, aggregate or commingle any information or data regarding any natural persons and/or their activities or behavior; (vi) disclose Confidential Information to other entities or individuals in any manner that would readily identify GCPS's methods, techniques, scope or scale of Protected Data collection; (vii) sell or otherwise commercially exploit, or permit the sale or commercial exploitation of, Confidential Information, or provide Confidential Information, directly or indirectly, to any third party for commercial gain or for a commercial purpose; or (viii) use Confidential Information to create profiles of students or to target students, parents, or guardians with advertising.
6. Additional Requirements
a. GCPS has the right to request in writing that Contractor disclose Protected Data to a third party on its behalf, including pursuant to a judicial order or lawfully-issued subpoena. If Contractor discloses Protected Data on GCPS's behalf pursuant to a judicial order or lawfully-issued subpoena, Contractor must, upon written request by GCPS, make a reasonable effort to notify the parent, guardian, or eligible student of the order or subpoena in advance so that the parent, guardian, or eligible student may seek protective action, unless the disclosure is in compliance with (i) a federal grand jury subpoena or any other subpoena issued for a law enforcement purpose if the court or other issuing agency has ordered that the existence or the contents of the subpoena or the information furnished in response to the subpoena not be disclosed; or (ii) an ex parte court order obtained by the United States Attorney General (or designee not lower than an Assistant Attorney General) concerning investigations or prosecutions of an offense listed in 18 U.S.C. 2332b(g)(5)(B) or an act of domestic or international terrorism as defined in 18 U.S.C. 2331.
b. If Contractor is subject to the Children's Online Privacy Protection Act ("COPPA"), Contractor shall promptly provide to GCPS, upon written request from GCPS: (i) the required notices under COPPA that detail Contractor's collection, use, and disclosure practices; (ii) a description of the types of personal information covered by COPPA that Contractor collects; (iii) an opportunity for GCPS to review students' personal information and/or have the personal information deleted; and (iv) the opportunity to prevent further use or online collection of a student's personal information.
c. Upon the written request of GCPS, Contractor shall promptly provide GCPS with access to any Protected Data maintained by or at the direction of Contractor to support GCPS's compliance with any request for access to Education Records within forty-five (45) days of GCPS receiving such request for access in accordance with FERPA.
d. Contractor shall use reasonable methods to identify and authenticate the identity of any person to whom Contractor discloses Protected Data pursuant to and as permitted by these Terms, including Contractor Personnel.
e. GCPS must exercise direct control over Contractor's use and maintenance of Protected Data. Contractor shall collect, maintain, use, and obtain access to only the Protected Data and the Education Records in which Contractor has a legitimate educational interest. Contractor further agrees to collect, maintain, use, and obtain access to Protected Data for the sole purpose of performing the Services.
7. Required Disclosure
Nothing in these Terms shall restrict use, disclosure, or retention of Confidential Information to the extent required by applicable Law, an order of a court of competent jurisdiction, law enforcement or administrative agency, or a subpoena, or as would be required for Contractor to defend itself in a legal dispute related to these Terms. In the event Contractor is required to disclose any Confidential Information, Contractor shall promptly notify GCPS prior to such disclosure, so that GCPS has a reasonable opportunity to seek a protective order or other legal or equitable remedies that may be available to protect the confidentiality of such Confidential Information.
8. Artificial Intelligence
Contractor may not use any AI Model in connection with providing Services to GCPS without GCPS's prior written consent. If an AI Model is used in any way by Contractor, then the following terms of this Section 8 shall apply.
a. Neither Contractor, Contractor Personnel, nor the AI Model may use Prompts, Output, Protected Data, or Confidential Information to customize, train, or otherwise improve any artificial intelligence or large language model (including the AI Model itself) without GCPS's prior written consent. Any such prior written consent shall only be effective if set forth in a separate addendum ("Addendum") to these Terms that addresses such activities.
b. As between the parties, GCPS owns and retains all right, title and interest in the Prompts. Contractor may only use the Prompts as necessary in order to provide the AI Model or related Services to GCPS under the applicable Addendum. As between the Parties, GCPS shall exclusively own all Output. Contractor hereby assigns (and agrees to assign) to GCPS and its successors, all right, title and interest that Contractor has or may have in the future in and to the Output, including, without limitation, all intellectual property rights therein.
c. As between the parties, GCPS own and retains all right, title and interest in the Model Improvements, solely to the extent that any intellectual property rights in the Model Improvements are created as a result of fine-tuning the AI Model using Protected Data or Confidential Information (but excluding the AI Model from which the Model Improvements were created).
d. Contractor shall provide to GCPS all reasonably requested information relating to any AI Model and in connection with any risk or other assessments Contractor conducts regarding any AI Model and related Services (including but not limited to logic and decision-making process, outcomes, safeguards, and risk mitigation of the AI Model). Contractor shall reasonably cooperate with GCPS in responding to any regulatory inquiry, audit or other request received by any governmental entity relating to any AI Model. Contractor will retain all necessary information in human-readable form to document how each AI Model generates Output, which shall be made available to GCPS upon request.
e. Contractor represents, warrants and covenants that: (i) Contractor shall notify GCPS in writing before any AI Model is used by, incorporated into or provided with any Services; (ii) Contractor maintains industry standard access controls, protocols and capabilities that secure access to each AI Model and GCPS Training Data and there has been: (A) no unauthorized access to any AI Model or GCPS Training Data; and (B) no unauthorized access to the information systems used in the development, improvement or operation of any AI Model; (iii) Contractor has (y) obtained sufficient rights (including any applicable license rights) in and to all Training Data used in connection with each AI Model; (z) made all necessary third-party disclosures (and obtained all consents) regarding use of the Training Data and each AI Model; and (iv) Contractor's use of Training Data to customize, train, or improve each AI Model, and any Output, has not and shall not infringe or otherwise violate the rights (including any intellectual property rights or privacy rights) of any third party; (v) Contractor adheres to industry standard policies and procedures relating to the ethical or responsible use of artificial intelligence technologies; and (vi) there has been no complaint, claim, proceeding, or litigation alleging that any AI Model or its associated Training Data is or was falsified, biased, discriminatory, untrustworthy, anti-competitive, violative of civil or other fundamental rights or manipulated in an unethical or unscientific way.
9. Limitations and Risks Associated with AI Models
a. Acknowledgment of Limitations. The Parties acknowledge that generative AI models, including any AI Models, are inherently limited by the quality and scope of their training data. Contractor shall disclose to GCPS the known limitations related to edge cases, model hallucinations, data quality, bias amplification, language quality, limited domain expertise, input/output length and structure as they relate to the Services. These limitations may affect the AI Model's performance and the suitability of its use in specific contexts; accordingly, GCPS shall solely determine the appropriateness of using AI Models for all applications, especially in sensitive or critical areas.
b. Requirements for Mitigating Risks. Contractor shall implement measures to mitigate risks associated with model hallucinations, grounding, and factuality issues. Such measures may include, but are not limited to, enhancing the AI Model's training with diverse and representative datasets and employing techniques to improve the model's understanding of real-world knowledge and physical properties. Contractor must take reasonable steps to reduce bias amplification in AI Models by implementing robust fairness controls and conducting regular bias audits. These efforts should focus on identifying and mitigating biases along axes such as gender, race, ethnicity and religion, particularly in non-English data sets. To address issues with language quality and service consistency across different user groups, Contractor shall ensure that the AI Model supports multilingual capabilities and is sensitive to various dialects and linguistic nuances as required by the Services. Contractor is required to maintain transparency about the AI Model's capabilities and limitations regarding domain expertise and must not use AI Models for purposes that require deep, specialized knowledge without appropriate human oversight. In cases where the input or output exceeds the model's token limits, Contractor shall ensure that safety classifiers or equivalent protective measures are applied to prevent degraded performance or inappropriate outputs.
c. Monitoring and Reporting. Contractor shall continuously monitor the performance of AI Models to identify and address any deviations from expected behavior or performance metrics. This includes the regular assessment of the AI Model's output for factuality, appropriateness and relevance. Contractor must report to GCPS any significant incidents of model failure, including but not limited to, instances of model hallucination or outputs that could lead to material impacts on individual rights or safety. Such reports shall be made within twenty-four (24) hours of becoming aware of the incident. Contractor shall provide GCPS with detailed documentation and explanations of all incidents, including the steps taken to rectify such issues and prevent recurrence.
d. Review and Adjustment. GCPS reserves the right to request changes or improvements to any AI Model based on the periodic review of the AI Model's performance and the evolving needs of GCPS. Contractor shall cooperate with GCPS in making any necessary adjustments to the AI Model to better align with GCPS's operational requirements and ethical standards.
10. Information Security Program
Contractor shall at all times have in place a comprehensive information security program that is based on industry best practices and that is in compliance with applicable Law. In accordance with such information security program, Contractor shall implement and maintain reasonable administrative, physical, and technical safeguards appropriate to the nature of the Protected Data to secure Protected Data from unauthorized access, disclosure, destruction, modification, and use. GCPS has the right to request in writing that Contractor implement additional safeguards in connection with its performance of Services under the Agreements or these Terms due to any change in industry best practices or applicable Law. Contractor shall implement such additional safeguards within a commercially-reasonable time period, and shall certify, upon GCPS's request, that such implementation has been completed. If Contractor refuses to implement such additional safeguards or does not implement such additional safeguards within a commercially-reasonable period of time, GCPS may elect (in its sole discretion) to terminate the Agreements, and in such case, GCPS will have no further obligation to Contractor under the Agreements.
11. Secure AI Compliance Program
Recognizing the rapid advancement of AI technology and its associated risks, the Contractor shall adopt the Secure AI Compliance Program, aimed at continuously evolving risk management strategies and ensuring secure AI deployments.
a. Contractor shall extend its secure-by-default infrastructure protections to AI Models and develop organizational expertise to adapt these protections to the evolving AI and threat landscape. This includes but is not limited to, employing input sanitization and limiting techniques to defend against AI-specific attack vectors such as prompt injections.
b. Contractor shall incorporate AI Models into the organization's threat universe, enabling real-time monitoring of AI inputs and outputs to detect anomalies. This effort will be supported by collaboration with GCPS's trust and safety, threat intelligence, and counter abuse teams to ensure comprehensive threat intelligence and rapid response capabilities.
c. Contractor shall align control frameworks to support AI risk mitigation and scale protections across different platforms and tools. This includes integrating secure-by-default protections into AI deployments and embedding security controls within the software development lifecycle.
d. Contractor commits to continuous improvement of AI Models and related systems through regular testing, updating training datasets, fine-tuning models to strategically respond to attacks, and embedding further security in software used to build models. Regular Red Team exercises will be conducted to test and enhance safety assurances.
e. Contractor shall conduct end-to-end risk assessments focusing on AI deployment, including data lineage, validation, and operational behavior monitoring, which will help understand and mitigate business risks associated with AI.
12. Minimum Privacy and Security Requirements
At a minimum, Contractor shall: (a) have a written information security policy, incident response plan, and publicly-available privacy policy; (b) conduct, at least annually, enterprise-wide risk assessments and internal and external penetration testing, and conduct, at least monthly, vulnerability testing; (c) implement patches for security vulnerabilities on all systems and applications relevant to the Services within a commercially-reasonable timeframe following availability of a patch, but in no event later than thirty (30) days following availability of the patch; and, if patching is not possible, documenting an exception with appropriate rationale within that 30-day timeframe; (d) collect and maintain the minimum amount of Protected Data required to perform the Services; (e) use commercially-reasonable methods to limit access to Protected Data to only those Contractor Personnel having a legitimate business interest in the Protected Data; (f) secure facilities, data centers, servers, backup systems, and computing equipment, including all mobile devices and other equipment with information storage capability and paper files that are used to store Protected Data; (g) implement a reasonable process to remove false positives from relevant monitoring/alerting rules; (h) implement authentication and access controls within media, applications, operating systems, and equipment; (i) physically or logically segregate Protected Data from information of Contractor and its other customers so that Protected Data is not commingled with any other types of information; (j) implement appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting background checks consistent with applicable Law; (k) provide appropriate privacy and information security training to Contractor Personnel at least once per year; and (l) mandate multi-factor authentication for all users accessing sensitive or Protected Data and any remote administration.
a. Data in Transit. All data transmitted over public or wireless networks must be encrypted using Advanced Encryption Standard (AES) with a minimum key length of 256 bits ("AES-256"). Secure protocols such as HTTPS, FTPS, or equivalent must be used to protect the integrity and confidentiality of the data during transmission. Compliance with Federal Information Processing Standards (FIPS) 140-3 is required for all cryptographic modules handling data in transit.
b. Data at Rest. Protected Data stored on any device or storage medium must be encrypted using AES-256. The encryption keys must be managed securely and rotated periodically to maintain the integrity of the security measures. All systems storing or processing Protected Data must be FIPS 140-3 compliant, ensuring that cryptographic modules meet government standards for security.
13. Minimum Software Requirements
Security features for any software used to perform the Services shall, at a minimum: (a) support externalized authentication (e.g., federation via Security Assertion Markup Language (SAML) or Active Directory Federation Services (ADFS)) or have configurable password parameters (e.g., length, history, complexity, expiration); (b) have multi-factor authentication capabilities or be compatible with industry accepted multi-factor authentication tools including NIST Special Publication 800-63 (-63A, 63B, and 63C); (c) support Role-Based Access Control (RBAC): that restrict data access based on the user's role within the organization; and (d) allow access to product authentication logs and to logs indicating changes to user accounts that include detail of the account leveraged to make the change and retain such logs for as long as possible, but in no instance for less than one year after the log was last updated.
14. Restrictions on International Storage or Processing
Contractor shall ensure that all Protected Data is stored and processed in the United States. At no time shall Protected Data be transferred to, stored, or processed in any country other than the United States.
15. Reports; Corrective Action Plans
GCPS has the right to request the performance of, and documentation concerning the results of, enterprise-wide risk assessments, internal and external penetration testing, and vulnerability testing conducted pursuant to Section 12, as well as performance and documentation concerning additional assessments or tests to address an identifiable risk posing a reasonable risk of harm to, unauthorized access to, or loss of integrity of Protected Data. The Parties shall engage in a good faith discussion regarding the implementation of a corrective action plan to correct any issues that are identified through such assessments or testing, and Contractor shall implement, at its sole cost and expense, such additional safeguards within a timeline agreed upon by the Parties. If Contractor does not agree to implement a corrective action plan, GCPS may elect (in its sole discretion) to terminate the Agreements between the Parties, and in such case GCPS will have no further obligation to Contractor under the Agreements.
16. Information Security Questionnaire
Upon GCPS's written request, to confirm compliance with these Terms and applicable Law, Contractor shall promptly complete, and certify the accuracy of its responses to, a written information security questionnaire provided by GCPS, or by a third party on behalf of GCPS, regarding Contractor's data privacy and security practices and Contractor's use and handling of Protected Data within thirty (30) days of receipt of the information security questionnaire. GCPS shall treat the information provided in the information security questionnaire as Contractor's confidential information.
17. Certifications
Annually, or upon thirty (30) days written notice, Contractor shall produce and provide to GCPS a System and Organization Controls (SOC) Report in compliance with industry standards for both Contractor's hosting facility and the Contractor.
18. Audits
GCPS has the right upon thirty (30) days written notice to Contractor to conduct audits, or to have a third party conduct audits on its behalf, of Contractor's systems and physical and electronic facilities that are used in connection with the Services, and to obtain copies of the policies and procedures relevant to Contractor's handling of Protected Data for the purpose of auditing and confirming Contractor's compliance with these Terms.
19. Compliance with Law
Contractor represents and warrants that Contractor is in compliance with and will handle Protected Data in accordance with all applicable Law, including COPPA, FERPA (20 U.S.C. 1232g), the federal regulations implementing FERPA (34 CFR § 99), and the Georgia Student Data Privacy, Accessibility, and Transparency Act (O.C.G.A. § 20-2-660 through O.C.G.A. § 20-2-668).
20. Security Incident Procedures
In the event of a Security Incident, Contractor shall notify GCPS as soon as practicable, but no later than twenty-four (24) hours after Contractor becomes aware of the Security Incident. Contractor shall, at its own expense, take immediate steps to contain and remediate the Security Incident to prevent any further Security Incident and to maintain and preserve all documents, records, and other data related to any Security Incident. Contractor shall fully cooperate with GCPS with respect to any Security Incident, including, but not limited to the following: (a) assisting with any inquiry, investigation, or litigation arising out of or related to the Security Incident; (b) providing GCPS with physical access to the facilities and operations affected; (c) facilitating interviews with Contractor Personnel; and (d) making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable Law, or as otherwise reasonably requested by GCPS. GCPS has the sole right to determine whether notification and remediation services will be provided, whether required by Law or in the discretion of GCPS, as well as the content of such notifications. Contractor shall reimburse GCPS for all reasonable costs and expenses incurred by GCPS in responding to, and mitigating damages caused by, any Security Incident within thirty (30) days of the date of any written invoice from GCPS.
21. Return or Disposal of Confidential Information
Within seven (7) calendar days of receipt of GCPS's request or within thirty (30) calendar days of the expiration or termination of these Terms or the Agreements for any reason, Contractor shall, and shall instruct all Contractor Personnel to, promptly return to GCPS all Confidential Information in its possession or the possession of such Contractor Personnel in a format and by a method specified by GCPS, or securely delete, destroy, remove, or dispose of all such copies (including paper and electronic copies and copies stored on removable devices (e.g., back up tapes, USB drives, external hard drives)). Contractor shall promptly certify in writing to GCPS that all such Confidential Information, in all formats, including paper, electronic and disk form, has been returned, deleted, destroyed, or rendered unreadable. In the event that Contractor or Contractor Personnel accessed or received any Confidential Information that was not intended for Contractor or Contractor Personnel or that Contractor or Contractor Personnel were not authorized to access or receive, Contractor shall notify GCPS as soon as practicable and promptly return to GCPS or dispose of such Confidential Information and certify in writing that: (a) such Confidential Information has been returned or destroyed as required by these Terms; and (b) Contractor and Contractor Personnel have not retained any copies of such Confidential Information or provided such Confidential Information or copies thereof to any third party. Contractor shall comply with all reasonable directions provided by GCPS with respect to the return or disposal of Confidential Information.
22. Documentation and Record Keeping Record of Processing Activities
Contractor shall maintain detailed records of data processing activities and make all such records accessible to GCPS upon request.
23. Data Retention and Destruction
Contractor shall specify its data retention periods and secure destruction procedures upon GCPS' request and ensure that such measures comply with all applicable law and best industry practices.
24. Term
These Terms shall remain in effect until amended or terminated in a writing by the Parties expressly referencing these Terms.
25. Indemnification
Contractor will indemnify, defend, save, and hold GCPS and each of its affiliates, and their respective officers, directors, employees, representatives and agents (the "GCPS Indemnitees") harmless from and against any and all claims, losses, costs, damages, judgments, settlements, and expenses of every kind and nature (including attorneys' and experts' fees and expenses as well as damages directly or indirectly caused by Contractor or third parties, including penalties and interest, and will reimburse such fees and expenses as they are incurred) (collectively, "Losses") arising from a third party claim relating to: (a) any breach by Contractor or Contractor Personnel of these Terms; (b) Contractor's lawful or unlawful acts or omissions (or those of any of Contractor Personnel); (c) any bodily injury (including death) or damage to or destruction of real or tangible personal property to the extent caused by the negligent or willful acts or omissions of Contractor or Contractor Personnel while engaged in the performance of the Services; (d) the failure of Contractor to comply with, or any actual or alleged violation of, any applicable law, statute, ordinance, governmental administrative order, rule or regulation; (e) any claim brought by Contractor Personnel; (f) any allegation that the Services misappropriate, violate or in any way infringe upon any third party's trade secrets, proprietary information, trademarks, copyright, patent, non-disclosure or any other intellectual property rights; and/or (g) any Security Incident for which Contractor and/or Contractor Personnel is responsible. Contractor's indemnification obligations hereunder shall be joint and several with respect to any other indemnitors of the GCPS Indemnitees, shall be carved out of and not subject to any provision set forth in the Agreements that seeks to exclude or limit Contractor's liability, and shall be in addition to, and not in lieu of, any indemnification or other obligations imposed on Contractor in the Agreements.
26. Material Breach
Contractor's failure to comply with any of the provisions of these Terms is a material breach of these Terms. In the event of a material breach by Contractor, GCPS has the right to terminate these Terms and any of the Agreements, effective immediately upon written notice to Contractor without further liability or obligation to Contractor.
27. Equitable Relief
Contractor acknowledges that any breach of its obligations set forth in these Terms may cause GCPS irreparable harm for which monetary damages would not be adequate compensation. Accordingly, if there is such a breach, or a threatened breach, GCPS is entitled to seek equitable relief, including a restraining order, injunctive relief, specific performance, and any other relief that may be available from any court, in addition to any other remedy to which GCPS may be entitled at law or in equity. Contractor shall waive any requirement for the securing or posting of any bond in connection with such remedy.
28. Mediation
In the event of any dispute, claim, question, or disagreement between the Parties arising from or relating to these Terms or the breach thereof, the Parties shall use their best efforts to resolve the dispute, claim, question, or disagreement. To this end, the Parties shall consult and negotiate with each other in good faith and, recognizing their mutual interests, attempt to reach a just and equitable resolution satisfactory to both Parties. In the event the Parties cannot resolve the dispute, the Parties agree to attempt to resolve any dispute, claim or controversy arising out of or relating to these Terms by mediation, which shall be conducted under the then-current mediation procedures of the CPR Institute for Conflict Prevention & Resolution or any other procedure upon which the Parties agree to in writing. The Parties further agree that their respective good faith participation in mediation is a condition precedent to pursuing any other available legal or equitable remedy, including litigation, arbitration, or other dispute resolution procedures, except in such cases where immediate preliminary equitable relief is needed.
29. Governing Law
These Terms shall be enforced and interpreted in accordance with the laws of the State of Georgia, without regard to any conflict of law principles. Any lawsuit or other action between the Parties based on a claim arising from these Terms shall be brought in a court or other forum of competent jurisdiction within Gwinnett County, Georgia.
Contact Information:
Gwinnett County Public Schools
Data Governance Division
ATTN: Lakesha Reagan
437 Old Peachtree Rd. NW
Suwanee, GA 30024
Email: [email protected]