PLEASE READ THIS AGREEMENT CAREFULLY. THIS AGREEMENT GOVERNS YOUR USE OF THE SERVICE. BY CLICKING ON THE “CREATE ACCOUNT” BUTTON, COMPLETING THE REGISTRATION PROCESS OR ACCESSING OR USING ANY PORTION OF THE SERVICE, YOU REPRESENT THAT (1) YOU HAVE READ, UNDERSTAND, AND AGREE TO BE BOUND BY THIS AGREEMENT, (2) YOU ARE OF LEGAL AGE TO FORM A BINDING CONTRACT WITH STF, AND (3) YOU HAVE THE AUTHORITY TO ENTER INTO THE AGREEMENT PERSONALLY OR ON BEHALF OF THE ENTITY YOU HAVE NAMED AS THE USER, AND TO BIND THAT ENTITY TO THE AGREEMENT. THE TERM “CUSTOMER” REFERS TO THE INDIVIDUAL OR LEGAL ENTITY, AS APPLICABLE, IDENTIFIED AS THE USER WHEN YOU REGISTERED FOR THE SERVICE. IF YOU DO NOT AGREE TO BE BOUND BY THIS AGREEMENT, YOU MAY NOT ACCESS OR USE THE STF SERVICE.
- Definitions
- “Aggregated and De-identified Data” means aggregated, anonymized or deidentified data or information of similar form, derived from Customer Content, Output, and Personal Data, that is created by or on behalf of STF, by excluding information (including Customer’s name or any other identifiers) that make the data contained therein personally identifiable to Customer or any Authorized User.
- “Authorized User” means any individual authorized by Customer to access and use the Service including employees, teachers, aides, other school personnel, students and parents.
- “Customer Content” means all data, images, and content submitted, transmitted, or uploaded by or on behalf of Customer and its Authorized Users into the Service.
- “Output” means output generated by the processing of the Customer Content through the Service (excluding Performance Data).
- “Personal Data” means information about a specific individual that is provided, submitted, or otherwise made available to STF by or on behalf of Customer or any Authorized User in connection with the Service that constitutes “personal data”, “personal information”, “personally identifiable information” or similar term under applicable privacy, data protection, and data security law.
- “Service” means STF’s proprietary web-based products and services described in the applicable Order Form.
- “Third-Party Services” means any third party-provided applications, software, products, or services which STF embeds in, incorporates into, or otherwise leverages in connection with its provision of the Service.
- “Third-Party Service Provider” means the applicable third-party provider of a Third-Party Service.
- STF Responsibilities
- Provision of the Service. Subject to the terms and conditions of this Agreement and
during the Term, including that Customer shall timely provide student information in the
format
required by STF for the Service, STF will: (a) make the Service available to Customer for
use by
Authorized Users solely for educational purposes; and (b) provide Customer with STF’s
standard
support services to assist Customer in its use of the Service. The terms of this Agreement
will
also apply to updates and upgrades of the Service subsequently provided by STF to Customer.
STF
may update the functionality, user interfaces, and usability from time to time in its sole
discretion as part of its ongoing mission to improve the Service.
- Support. Subject to the terms of this Agreement, STF shall use commercially
reasonable
efforts designed to maintain the availability of the Service.
- Access to and Use of the Service
- Account Creation and Subscriptions. Customer may designate certain Authorized Users
as
Authorized Account Administrators and such users may be assigned different permissions than
other Authorized Users, including the ability to create accounts on behalf of other
Authorized
Users and view usage statistics related to the Authorized Users of the Service who are
authorized under Customer’s account. As used herein, “Authorized Account
Administrators” means Authorized Users with administrative credentials for
Customer’s account. Each Authorized User will have a unique user identification name and
password to access and use the features and functions of the Service. Authorized User
accounts
cannot be shared or used by more than one Authorized User. Customer is responsible for
maintaining the confidentiality of its logins, passwords, and accounts and for all
activities
that occur under Authorized User accounts. If any Authorized User is no longer a student,
parent, employee or contractor of Customer, then Customer will promptly delete such
Authorized
User account and otherwise terminate such Authorized User’s access to the Service.
- Eligibility. STF reserves the right to implement eligibility requirements for
Authorized
Users
if required by law and will provide notice of any changes to the eligibility requirements.
- Customer Responsibilities. Customer will: (a) obtain any licenses, permissions and consents required for Authorized Users to access and use the Customer Content in connection with the Service; (b) be responsible for Authorized Users’ compliance with this Agreement; (c) be responsible for the accuracy, completeness, appropriateness, and legality of Customer Content; (d) use reasonable efforts to prevent unauthorized access to or use of the Service, and promptly notify STF of any such unauthorized access or use; (e) use the Service only in accordance and compliance with all applicable laws and government regulations; and (f) timely provide student information in the format required by STF for the Service. Customer and its Authorized Users will have access to the Customer Content and will be responsible for all changes to and/or deletions of Customer Content and the security of all passwords and other usernames and passwords required in order to access the Service. Customer is encouraged to make its own back-ups of the Customer Content and Output. Any act or omission by an Authorized User that, if done by Customer, would constitute a breach of this Agreement, shall be deemed a breach of this Agreement by Customer.
- System Requirements. A high-speed Internet connection is required for proper use of
the
Service. Customer is responsible for procuring and maintaining the network connections that
connect its network to the Service, including, but not limited to, browser software that
supports protocols used by STF, and following procedures for accessing services that support
such protocols. STF assumes no responsibility for the reliability or performance of any
connections as described in this Section.
- Usage Restrictions. Customer will not, and will not permit any Authorized User or
third
party to directly or indirectly: (a) make the Service or Output available to, or use the
Service
for the benefit of, anyone other than Customer and the Authorized Users; (b) upload, post,
transmit, or otherwise make available to the Service any content that (i) is unlawful or
tortious, or (ii) infringes, misappropriates, or otherwise violates any intellectual
property,
privacy, publicity, or other proprietary rights of any person; (c) sublicense, rent, resell,
time share, or similarly exploit the Service or Output; (d) upload, post, transmit, or
otherwise
make available any content or information designed to interrupt, interfere with, destroy or
limit the functionality of any computer software or hardware or telecommunications
equipment;
(e) reverse engineer, modify, adapt, or hack the Service, or otherwise attempt to gain
unauthorized access to the Service or its related systems or networks; (f) copy or modify
the
Service or Output, or create any derivative works from either of the foregoing; or (g)
access
the Service to build a competitive product or service.
- Third-Party Services; Disclaimers. The Service may include certain features that
utilize,
or that leverage Third-Party Services that utilize, artificial intelligence or machine
learning
technology (“AI Features”). Customer acknowledges and agrees that, as
between
the parties,
Customer is solely responsible for its and its Authorized Users’ use of all AI Features, and
that Customer Content may be transmitted to such Third-Party Services. Customer accepts
that, as
AI Features utilize artificial intelligence technology, such features may provide Output
that is
inaccurate or inappropriate as a response to the input provided. Due to the nature of
machine
learning, Output may not be unique across users and the Service may generate the same or
similar
output for STF or a third party. Other STF customers may also provide similar customer
prompts
as inputs to the Service and receive generated content that is similar or identical to
Output.
Customer has no right, title or interest in or to generated content provided to other
parties,
regardless of the level or degree of similarity. Customer is responsible for evaluating the
accuracy and suitability of Output as appropriate for Customer’s use case, assessing any
potential biases, and subjecting Output to Customer’s standard quality control procedures
within
its business, including by using human review of Output. Customer agrees, and shall cause
its
Authorized Users to agree, that STF shall have no responsibility or liability arising from
the
provision of inaccurate or inappropriate Output or any decisions made in reliance on such
Output, and that such decisions are made at its own risk. Customer acknowledges and agrees
that
the use of Third-Party Services, including the transmission of certain Customer Content to
such
Third-Party Services, may be an integral and necessary part of STF’s delivery of the
Service.
Customer agrees that STF shall have no responsibility or liability arising from any use,
storage, data breach, or deletion of such Customer Content by Third-Party Service Providers.
STF
cannot guarantee the continued availability of Third-Party Services and may temporarily or
permanently cease providing, without entitling Customer to refund, credit, or compensation,
any
particular Third-Party Services if the applicable Third-Party Service Provider suspends,
modifies, or alters such Third-Party Services.
- Third-Party Integrations. If supported by STF, the Service may
integrate with services (e.g., Clever or OpenID) for which Customer has independently contracted
(“Customer Third-Party Services”). If Customer elects to integrate its STF account
for
which it is
responsible hereunder with one or more Customer Third-Party Services supported by STF, it shall
ensure
that it has all required permissions and authorizations to share such information with STF for such
limited purpose. Any integration with a Customer Third-Party Service depends on the continuing
availability of, and access to, such Customer Third-Party Service and/or any content or interfaces
made
available through such Customer Third-Party Service. If for any reason STF cannot access or use the
applicable Customer Third-Party Service or the required data or information interfaces, STF may not
be
able to provide all of the functions of its Service. No refund or credit will be provided for
unavailability of any Customer Third-Party Services. Unless otherwise specified in this Agreement,
all
content or data accessed through Customer Third-Party Services integrated hereunder will be
considered
to be Customer Content for purposes of this Agreement. Where Customer elects to create an
integration
between a Customer Third-Party Service (“Integration”) for use with Customer’s
Student
Information System (SIS), it agrees to: (a) apply minimum technical requirements and comply with the
acceptable use
parameters (e.g., requirements for usernames, passwords, password reset, end point maintenance, and
testing environments); (b) promptly notify STF of errors or vulnerabilities discovered in Customer’s
Integration; and (c) assist STF with verifying Customer’s adherence with the requirements of this
Section 4, including permitting an audit up to once annually on 30-day notice, or such audits as are
required for cause. The Integration may be terminated by STF on reasonable notice in its sole
discretion.
- Fees. The Services are not currently fee-based for Customer and its Authorized Users; however, STF retains the right to implement a fee structure in the future subject to providing notice in accordance with Section 13.1.
- STF Proprietary Rights
- STF Property. Subject to Customer’s rights in the Customer Content, STF reserves and
retains, and as between STF and Customer, STF exclusively owns, all rights, title, and
interest
in and to the Service, and to the extent permitted by law, the Output generated in
connection
with the Service (collectively, “STF Materials”), including all
modifications,
derivative works, upgrades, and updates thereto, and all related intellectual property
rights
therein. No rights are granted by STF hereunder other than as expressly set forth herein. To
the
extent that Customer has or acquires any right (including intellectual property rights),
title
or interest in or to such STF Materials, or any improvements or derivatives thereof,
Customer
hereby assigns the same to STF, and covenants to execute all documents reasonably requested
by
STF to confirm the same. If Customer or any Authorized User provides STF with any feedback
or
suggestions regarding the Service, then Customer grants STF an unlimited, irrevocable,
perpetual, sublicensable, royalty-free license to use any such feedback or suggestions for
any
purpose without any obligation or compensation to Customer or any Authorized User.
- Generic Tools. Prior hereto and/or during the course of this Agreement, STF has
and/or
will develop certain coding, programming or designing techniques, architecture, trade
secrets,
methodology, APIs, functions, applications, knowledge, experience, skills, templates, other
know-how and related intellectual property rights, which STF may use on other projects as
part
of the tools of STF’s business and that such developments and intellectual property rights
shall
constitute “Generic Tools,” so long as, and to the extent that, they do not
include any Customer
Content. The parties acknowledge and agree that STF’s other customers may modify (or request
modification of) the Generic Tools in similar manners and nature as Customer and nothing in
this
Agreement prohibits such activities. STF retains all right, title and interest in and to
Generic
Tools and associated intellectual property rights as may be made available to Customer under
this Agreement.
- Performance Data. STF may create, generate, and use general performance and usage
data in
connection with Customer’s use of the Service (such as telemetry data, technical logs,
account
and login data, and processed volumes) (“Performance Data”), in each case,
for
the purposes of
training, improving and analyzing the Service and its associated software, technology and
algorithmic models. STF retains all right, title, and interest, including all intellectual
property rights, in and to Performance Data. For purposes of this Agreement, Performance
Data
does not contain any, and does not constitute, Personal Data (as defined in Exhibit A).
- Aggregated and De-identified Data. During and after the Term, STF may create
Aggregated
and De-identified Data, and Customer agrees that STF shall exclusively own all rights,
title,
and interest in and to all Aggregated and De-identified Data to the extent permitted by law.
In
generating such data, STF shall (a) take reasonable measures to ensure that such data cannot
be
associated with a Data Subject and (b) not attempt to reidentify such data, except as
permitted
under applicable law. To the extent such ownership is prohibited by law, Customer grants to
STF
a worldwide, non-exclusive, irrevocable, royalty-free, perpetual, sublicensable (through
multiple tiers of sublicensees) license to access, use, copy, store, distribute, transmit,
modify, perform, display, and create derivative works of Aggregated and De-identified Data,
whether the Aggregated and De-identified Data is created during or after the Term.
- Customer Proprietary Rights
- Customer Content. As between Customer and STF, Customer owns all rights, title, and
interest in and to the Customer Content. Customer grants to STF a worldwide, non-exclusive,
royalty-free limited license during the Term to access, use, copy, store, distribute,
transmit,
modify, perform, display, and create derivative works of Customer Content and any Output
that is
not STF Materials only: (a) to provide, maintain, and update the Service and other STF
offerings; (b) to prevent or address service or technical problems; (c) as compelled by law;
(d)
as expressly permitted in writing by Customer; (e) to conduct research, including, but not
limited to, research relating to visual skills, reading, reading efficiency, reading
proficiency, dyslexia, and any factors relating to reading development, including child
development and physical factors impacting reading; and (f) to create Performance Data and
Aggregated and De-identified Data and to use such data during and after the Term, for any
legal
purpose, including to improve the Service and STF’s offerings and to conduct research; and
(g)
to provide necessary access to Third-Party Service Providers acting on STF’s behalf, such as
providers of AI Features. Subject to the limited licenses granted herein, STF acquires no
right,
title or interest under this Agreement in or to any Customer Content.
- Confidentiality
- Definition. “Confidential Information” means all confidential
information disclosed by a party (“Disclosing Party”) to the other party
(“Receiving Party”), whether orally or in writing, that is designated as
confidential or that reasonably should be understood to be confidential given the nature of
the
information and the circumstances of disclosure, including all copies thereof. Confidential
Information of STF includes the Service (including its software and content), and
Confidential
Information of each Party includes the terms of this Agreement. However, Confidential
Information will not include any information that: (a) is or becomes generally available to
the
public without breach of any obligation owed to the Disclosing Party; (b) was known to the
Receiving Party prior to its disclosure by the Disclosing Party without breach of any
obligation
owed to the Disclosing Party; (c) is received from a third party without breach of any
obligation owed to the Disclosing Party; (d) was independently developed by the Receiving
Party
without use of or reliance on the Confidential Information of the Disclosing Party; or (e)
is
Customer Content.
- Protection. The Receiving Party will: (a) use the same degree of care that it uses to
protect the confidentiality of its own confidential information of like kind (but in no
event
less than reasonable care); (b) not use any Confidential Information of the Disclosing Party
for
any purpose outside the scope of this Agreement; and (c) except as otherwise authorized by
the
Disclosing Party in writing, limit access to Confidential Information of the Disclosing
Party to
those of the Receiving Party’s employees, contractors, and agents who need such access for
purposes consistent with this Agreement and who are subject to confidentiality obligations
at
least as restrictive as those herein. The Receiving Party will provide prompt written notice
to
the Disclosing Party of any unauthorized use or disclosure of the Disclosing Party’s
Confidential Information. Upon request of the Disclosing Party during the Term, the
Receiving
Party will promptly return, or at the Disclosing Party’s option destroy, any or all
Confidential
Information of the Disclosing Party in the Receiving Party’s possession or under its
control.
- Compelled Disclosure. The Receiving Party may access or disclose Confidential
Information
of the Disclosing Party if it is compelled by law to do so, provided the Receiving Party
gives
the Disclosing Party prior notice of such compelled access or disclosure (to the extent
legally
permitted) and reasonable assistance, at the Disclosing Party’s expense, if the Disclosing
Party
wishes to contest the access or disclosure.
- Privacy and Security. The Parties agree that they each will comply with their respective obligations as required under the Data Protection Addendum (“DPA”), attached as Exhibit A, and which is incorporated into and forms part of this Agreement. To the extent the DPA conflicts with the provisions of this Agreement, the DPA will prevail.
- DMCA Policy. It is STF’s policy to terminate access privileges of any user of the Service who repeatedly infringes copyright upon prompt notification to STF by the copyright owner or the copyright owner’s legal agent. Without limiting the foregoing, if Customer and/or any Authorized User believes that its work has been copied and posted on the Service in a way that constitutes copyright infringement, please provide STF’s Copyright Agent with the following information:
- an electronic or physical signature of the person authorized to act on behalf of the owner
of
the copyright interest;
- a description of the copyrighted work that user claims has been infringed;
- a description of the location on the Service of the material that user claims is infringing;
- user’s address, telephone number and e-mail address;
- a written statement by user that such user has a good faith belief that the disputed use is
not
authorized by the copyright owner, its agent or the law; and
- a statement by user, made under penalty of perjury, that the above information in user’s
notice
is accurate and that user is the copyright owner or authorized to act on the copyright
owner’s
behalf.
Contact information for STF’s Copyright Agent for notice of claims of copyright infringement is as
follows: Stanford Taylor Foundation, c/o Copyright Agent, at the general STF address listed on STF’s
website, or if no address is listed on the STF website to 400 Gilead Rd, PO Box 2614, Huntersville,
NC
28070, with email copy to notice@stfvision.org.
- Representations, Warranties, and Disclaimers
- Mutual Representations. Each party represents that: (a) it is duly organized, validly
existing, and in good standing under its jurisdiction of organization and has the right to
enter
into this Agreement; and (b) the execution, delivery, and performance of this Agreement are
within the corporate powers of such party and have been duly authorized by all necessary
corporate action on the part of such party, and constitute a valid and binding agreement of
such
Party.
- Customer Warranty. Customer warrants that (a) it has obtained and will maintain all
rights, consents, and permissions necessary for Customer to make available the Customer
Content
and Output to STF for its use as contemplated herein; (b) the Customer Content does not
include
any of the following: (i) export controlled materials; or (ii) data regulated by the Health
Insurance Portability and Accountability Act, the Gramm Leach Bliley Act, or the EU General
Data
Protection Regulation or any successor laws; and (c) that no Customer Content will violate
or
infringe any third-party intellectual property, publicity, privacy or other rights, or any
applicable laws.
- Disclaimer. THE SERVICE AND ALL RELATED COMPONENTS AND INFORMATION ARE PROVIDED ON AN “AS IS” BASIS WITHOUT ANY WARRANTIES OF ANY KIND, AND STF EXPRESSLY DISCLAIMS ANY AND ALL OTHER WARRANTIES, WHETHER WRITTEN, ORAL, EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE, SECURITY, AND NON-INFRINGEMENT. STF DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED OR ERROR-FREE OR WILL MEET CUSTOMER’S OR ANY AUTHORIZED USERS’ REQUIREMENTS. CUSTOMER ACKNOWLEDGES THAT IT HAS RELIED ON NO WARRANTIES OTHER THAN THE EXPRESS WARRANTIES PROVIDED IN THIS AGREEMENT. NO EMPLOYEE OR AGENT OF STF IS AUTHORIZED TO MAKE ANY DIFFERENT OR ADDITIONAL WARRANTIES TO CUSTOMER, AND STF WILL NOT BE BOUND BY ANY SUCH PURPORTED WARRANTIES.
THE SERVICE IS INTENDED AS AN OUTPUT GENERATION
TOOL
ONLY AND DOES NOT CONSTITUTE ADVICE OF A CERTIFIED OR QUALIFIED MEDICAL OR EDUCATIONAL
PROFESSIONAL AND STF MAKES NO WARRANTY OR GUARANTY THAT THE OUTPUT WILL PROVIDE ACCURATE,
TAILORED, OR INFORMATIVE RESULTS OR BE FIT FOR ANY PARTICULAR PURPOSE. STF DOES NOT
REPRESENT OR
WARRANT THAT THE OUTPUT DOES NOT INCORPORATE, INFRINGE OR MISAPPROPRIATE THE INTELLECTUAL
PROPERTY OR PROPRIETARY RIGHTS OF ANY THIRD PARTY. CUSTOMER ACKNOWLEDGES THAT THE AI
FEATURES
LEVERAGE THIRD-PARTY SERVICES AND THAT STF IS NOT LIABLE, AND CUSTOMER AGREES NOT TO SEEK TO
HOLD STF LIABLE, FOR THIRD-PARTY SERVICES, AND THAT THE RISK OF INJURY FROM SUCH THIRD-PARTY
SERVICES RESTS ENTIRELY WITH CUSTOMER. CUSTOMER SHALL BE SOLELY RESPONSIBLE FOR CUSTOMER’S
USE
OF THE SERVICE, AND ANY RELATED AI TOOLS, AND ANY OUTPUT RESULTING THEREFROM. CUSTOMER
SHOULD
EVALUATE THE FITNESS OF ANY OUTPUT AS APPROPRIATE FOR CUSTOMER’S SPECIFIC USE CASE.
- Indemnification
- STF Indemnification. STF will defend Customer from and against any lawsuit or
proceeding
brought by a third party to the extent alleging that Customer’s use of the Service as
permitted
hereunder infringes or misappropriates such third party’s intellectual property rights, and
STF
will indemnify Customer for any damages and any reasonable attorneys’ fees finally awarded
against it arising from such lawsuit or proceeding; provided, however, that STF will have no
liability under this Section to the extent any such lawsuit or proceeding arises from: (a)
Customer Content, any Third-Party Services, or any other third party-provided products,
services, or data; (b) Customer’s or any of its Authorized Users’ negligence, misconduct, or
breach of this Agreement; or (c) any modification or combination of the Service that is not
performed by STF.
- Customer Indemnification. Customer will, to the extent permitted by applicable law,
defend STF from and against any lawsuit or proceeding brought by a third party to the extent
alleging (a) Customer’s breach of Section 3.3 or 10.2, (b) that any Customer Content
infringes,
misappropriates, or otherwise violates the rights, including privacy and publicity rights,
of
any other party, or (c) Customer’s or any Authorized User’s particular use of the Service or
use
or provision of any Customer Content violates any applicable laws or government regulations,
and
Customer will indemnify STF for any damages and any reasonable attorneys’ fees finally
awarded
against it arising from such lawsuit or proceeding; provided, however, that Customer will
have
no liability under this Section to the extent any such lawsuit or proceeding arises from
STF’s
negligence, misconduct, or breach of this Agreement.
- Procedures. The indemnified party will provide the indemnifying party with: (a)
prompt
written notice of any matter that is subject to indemnification hereunder; (b) the right to
assume the exclusive defense and control of any such matter (provided that the indemnified
party
may participate in the defense at its own expense); and (c) cooperation with any reasonable
requests assisting the indemnifying party’s defense of such matter. The indemnifying party
may
not settle any such lawsuit or proceeding without the indemnified Party’s prior written
consent.
- Exclusive Remedy. This Section 11 states the indemnifying party’s sole liability, and
the
indemnifying party’s exclusive remedy, for any type of claim described in this Section 11.
- Limitation of Liability
- IN NO EVENT WILL STF HAVE ANY LIABILITY TO CUSTOMER OR TO ANY OTHER PARTY FOR ANY LOST
PROFITS
OR REVENUES OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER, OR PUNITIVE
DAMAGES,
WHETHER OR NOT STF HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND IN NO EVENT WILL
STF’S AGGREGATE LIABILITY RELATING TO THIS AGREEMENT EXCEED THE GREATER OF (A) THE TOTAL
AMOUNT
OF ALL PAYMENTS MADE BY CUSTOMER TO STF OR (B) ONE HUNDRED DOLLARS ($100.00). THE FOREGOING
DISCLAIMER WILL NOT APPLY TO THE EXTENT PROHIBITED BY APPLICABLE LAW.
- Scope. For the avoidance of doubt, the exclusions and limitations set forth in this
Section 12 will apply with respect to all legal theories of liability, whether in contract,
tort, or otherwise. The Parties agree that the exclusions and limitations set forth in this
Section 12 allocate the risks between the Parties under this Agreement, and that they have
relied on these exclusions and limitations in determining whether to enter into this
Agreement.
- Term, Termination, and Suspension
- Term of the Agreement. The term of this Agreement commences on the Effective Date
and,
unless earlier terminated in accordance with the terms of this Agreement, will continue for
ninety (90) days (the “Initial Term”). Thereafter, this Agreement
(including
the Order Form) will automatically renew for successive additional periods of ninety (90)
days
each (each, a “Renewal Term”) unless either Party provides the other with
written notice of non-renewal at least thirty (30) days prior to the expiration of the
Initial
Term or the then-current Renewal Term. Customer agrees that STF may implement or modify the
fees
for each Renewal Term by providing Customer with written notice of such modification at
least
thirty (30) days prior to the expiration of the Initial Term or the then-current Renewal
Term,
as applicable. The Initial Term and each Renewal Term, if any, are collectively referred to
herein as the “Term.”
- Suspension. STF may suspend Customer’s or any or all Authorized Users’ access to the Service, in whole or in part, if: (a) Customer or any Authorized User is using the Service in violation of this Agreement or any applicable law; (b) Customer’s or any Authorized Users’ systems or accounts have been compromised or unlawfully accessed; (c) suspension of the Service is necessary, in STF’s reasonable discretion, to protect the security of the Service or STF’s infrastructure; (d) suspension is required by applicable law; or (e) if applicable, any fees owed by Customer (excluding amounts disputed in reasonable and good faith) are thirty (30) days or more overdue.
- Termination for Cause. Either party may terminate this Agreement effective after
thirty
(30) days’ written notice if the other party materially breaches this Agreement and such
breach
is not cured within such thirty (30)-day period. Upon any termination for cause by Customer,
STF
will promptly refund Customer any prepaid fees covering the period remaining in the Term
after
the effective date of such termination. Upon any termination for cause by STF, Customer will
promptly pay STF any unpaid fees covering the period remaining in the Term after the
effective
date of such termination.
- Effects of Termination. In no event will any termination of this Agreement relieve
Customer of its obligation (if applicable) to pay any fees payable to STF for the period of
time
prior to the effective date of such termination. Upon any termination of this Agreement,
Customer and all Authorized Users must immediately cease all use of the Service. For a
period of
thirty (30) days following any termination of this Agreement, STF will, upon Customer’s
request,
provide Customer with an export of all current Customer Content in the format agreed by the
Parties. After such thirty (30)-day period, STF will have no obligation to maintain or
provide
any Customer Content and Output and STF may, unless prohibited by applicable law, delete all
Customer Content and Output in its systems or otherwise in its possession or under its
control
in accordance with STF’s then-current data retention and deletion policies. Subject to this
Section, upon any termination of this Agreement and the Disclosing Party’s request, the
Receiving Party will promptly return, or at the Disclosing Party’s option destroy, any or
all
Confidential Information of the Disclosing Party in the Receiving Party’s possession or
under
its control.
- Survival. The following sections will survive any termination or expiration of this
Agreement: 1, 3.2, 3.5, 3.6, 4, 5, 6, 7.1(f), 8, 9, 10, 11, 12, 13.3, 13.4, 14, and 15.
- Dispute Resolution and Governing Law. This Agreement and any
dispute
arising from or relating to this Agreement are governed by the laws of the state of Delaware, United
States, without regard to its conflict of law principles. Customer further agrees to accept service
of
process by mail. To the extent the Parties are permitted under this Agreement to initiate litigation in
court, the Parties consent to exclusive personal jurisdiction and venue in the courts located in Kent
County, Delaware. If Customer is a United States public educational institution, domiciled in a
state
within the United States that expressly requires a choice of law other than Delaware state law, then
Customer’s state’s law will apply. If Customer is a United States public educational institution
domiciled in a state within the United States that expressly requires venue or jurisdiction of a
state
other than Kent County, Delaware, then Customer’s state’s required venue and jurisdiction will
apply.
- General Provisions
- Force Majeure. Neither Party will be liable hereunder by reason of any failure or
delay
in the performance of its obligations due to events beyond the reasonable control of such
Party,
which may include natural disasters, fires, epidemics, pandemics, riots, war, terrorism,
denial
of service attacks, internet outages, labor shortages, and judicial or government action.
- Assignment. Neither Party may assign any of its rights or obligations hereunder,
whether
by operation of law or otherwise, without the prior written consent of the other Party.
Notwithstanding the foregoing, either Party may assign or transfer this Agreement in its
entirety, without the consent of the other Party, in connection with a merger or sale of all
or
substantially all of its assets. Any purported assignment in violation of this Section will
be
null and void. This Agreement will bind and inure to the benefit of the Parties, their
respective successors, and permitted assigns.
- Export Control. In its use of the Service, Customer agrees to comply with all export
and
import laws and regulations of the United States and other applicable jurisdictions. Without
limiting the foregoing, (a) Customer represents and warrants that it is not listed on any
U.S.
government list of prohibited or restricted parties or located in (or a national of) a
country
that is subject to a U.S. government embargo or that has been designated by the U.S.
government
as a “terrorist supporting” country, (b) Customer will not (and will not permit any of its
users
to) access or use the Service in violation of any U.S. export embargo, prohibition or
restriction, and (c) Customer will not submit to the Service any information that is
controlled
under the U.S. International Traffic in Arms Regulations.
- Notices. All notices under this Agreement will be in writing and (a) if to Customer,
addressed to the Customer at the most recent email address for Customer in STF’s records and
the
addresses set forth on the Order Form and (b) if to STF at notice@stfvision.org, and will be
deemed to have been duly given: (i) upon receipt if personally delivered or sent by
certified or
registered mail with return receipt requested; or (ii) the first business day after sending
by
email or by next day delivery by a recognized overnight delivery service.
- Relationship of the Parties; Third-Party Beneficiaries. The parties are independent
contractors, and this Agreement does not create a partnership, franchise, joint venture,
agency,
fiduciary, or employment relationship between the parties. There are no third-party
beneficiaries to this Agreement.
- Waiver. No failure or delay by either Party in exercising any right under this
Agreement
will constitute a waiver of that right.
- Severability. If any provision of this Agreement is held by a court of competent
jurisdiction to be invalid or unenforceable, such provision will be modified by the court
and
interpreted so as best to accomplish the objectives of the original provision to the fullest
extent permitted by law, and the remaining provisions of this Agreement will remain in full
force and effect.
- Subcontractors. STF may use one or more third parties to fulfill any of its
obligations
hereunder, provided that with respect to any such obligations that are subcontracted to or
provided by any third party, STF expressly assumes all liability and responsibility for such
third party’s compliance with, including, without limitation, any breach of, the terms of
this
Agreement.
- Entire Agreement. These Terms and Conditions, including any addenda hereto and all Order
Forms, constitute the entire agreement between the Parties and supersede all prior and
contemporaneous agreements, proposals, or representations, written or oral, concerning the
subject matter hereof. No modification, amendment, or waiver of any provision of an Order
Form
will be effective unless in writing and signed by each of the Parties. STF may modify these
Terms and Conditions on a going forward basis from time to time by posting the modified
Terms
and Conditions to https://terms.stfreads.org/, and any such modifications will take effect
upon
renewal of the then-current Term. To the extent of any conflict or inconsistency between the
Terms and Conditions, any exhibit attached hereto, or any Order Form, the terms set forth in
the
Terms and Conditions will control unless the conflicting term in the other document
specifically
references the inconsistent term of the Terms and Conditions, in which case the conflicting
term
will control only for the limited purposes set forth in the document containing such term.
Notwithstanding any language to the contrary therein, no terms or conditions stated in any
Customer purchase order or other Customer order documentation (excluding Order Forms) will
be
incorporated into or form any part of this Agreement, and all such terms or conditions will
be
null and void. As used herein, the words “include” and “including” shall be deemed to be
followed by the words “without limitation.” Titles and headings of sections are for
convenience
only and shall not affect the construction of any provision of this Agreement.
Exhibit A
Stanford Taylor Foundation Data Protection Addendum
- United States. With respect to Authorized Users in the United States, the following
provisions
shall apply:
- Definitions.
Capitalized words used in this DPA that are not expressly defined in this
DPA
have the meaning set forth in the Agreement.
- “Data Protection Legislation” means the privacy, data protection and data
security laws and regulations applicable to STF’s Processing of Personal Data under the
Agreement.
- “Process” shall have the same meaning as set out in the applicable Data
Protection Legislation or if no such meaning or concept exists, it shall be the means by
which
STF collects, uses, stores, discloses, or transfers Personal Data.
- Compliance with Laws; Roles. Each Party shall comply with all Data Protection Legislation
applicable to it in its respective Processing of Personal Data under the Agreement. For purposes of
this
Agreement and as between the Parties, Customer is the controller of the Personal Data and STF is the
processor of such data.
- Notices and Consents. Customer shall provide all notices and obtain all such consents required
under applicable Data Protection Legislation (including, without limitation, consents required under the
Family Education Rights and Privacy Act, 20 U.S.C. § 1232g and its implementing regulations, 34 C.F.R.
Part 99 (together, “FERPA”)) from the Authorized Users to allow STF to Process the Personal Data to
provide the Service and as otherwise described in the Agreement, including in this DPA (the “Notices and
Consents”). Customer represents and warrants that it has obtained and will maintain the Notices and
Consents for all Authorized Users through the entire term of the Agreement.
- Details of Processing.
Personal Data will be Processed for the purposes set forth in the
Agreement and any applicable Order Form.
- STF Obligations.
- STF shall implement and maintain reasonable administrative, technical and organizational
measures that are designed to preserve the confidentiality and availability of Personal Data
Processed by STF via the Service. STF shall implement the technical and organizational measures,
as set forth in Annex A (Security Measures) (“Security Measures”). Customer has reviewed
Security Measures and agrees that such measures are appropriate taking into account the state of
the art, the costs of implementation, nature, scope, context and purposes of the processing of
Personal Data hereunder. STF may update the Security Measures from time to time, so long as the
updated measures do not materially decrease the overall protection of Personal Data.
- STF shall take reasonable steps to ensure the reliability and integrity of any employees
who
have access to the Personal Data and ensure that employees are under a duty of
confidentiality
with respect to their Processing of the Personal Data.
- STF engages certain third-party entities to Process the Personal Data on STF’s behalf
("Sub-processors"). STF shall enter into an agreement with each Sub-processor containing terms
that offer substantially similar levels of data protection obligations and protection for
Personal Data as those set out in this Section. Customer consents to STF engaging the
Sub-processors for the purposes set forth in the Agreement and this DPA.
- If STF becomes aware of a confirmed breach of its security leading to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data (a
“Security Incident”), STF shall inform Customer, within a reasonable amount of time, taking into
account the timeframes required by Data Protection Legislation, with respect to the Security
Incident. STF will provide, to the extent available, reasonable information, cooperation, and
updates of material developments to enable Customer to fulfill any data breach reporting
obligations it may have under Data Protection Legislation. However, STF’s provision of information
and cooperation shall be at Customer’s cost and expense to the extent any Security Incidents
were caused by Customer or its Authorized Users or Data Subjects (as defined below). STF’s
notification of a Security Incident pursuant to this section shall not be considered an
acknowledgement of any fault or liability with respect to the Security Incident. STF may take
such other measures as it deems appropriate to mitigate the effects of the Security Incident.
- Data Subject Inquiries. Customer shall be solely responsible for responding to and fulfilling
any
inquiries from Authorized Users and other data subjects, including parents and legal guardians of
Authorized Users where the Authorized User is a student of Customer (collectively, “Data Subjects”)
regarding their Personal Data in connection with the Processing under the Agreement, including any
requests to exercise their rights under applicable Data Protection Legislation, and Customer shall
handle all Data Subject inquiries in accordance with applicable Data Protection Legislation.
Customer
understands that STF is not required to take any action in response to any requests from Data
Subjects
except to notify such Data Subjects to contact Customer. To the extent Customer cannot obtain a copy
of,
delete or amend the Personal Data directly within the Service, Customer may contact STF and STF,
with
Customer’s express written permission and provided Customer has obtained the appropriate consent
from
the applicable Data Subject, will provide a copy of, delete or amend such Data Subject’s Personal
Data
in accordance with Customer’s instructions. To the extent legally permitted, Customer shall be
responsible for reasonable costs arising out of STF’s provision of assistance with Customer’s Data
Subject requests. Customer shall indemnify, defend, and hold harmless STF and its affiliates,
subsidiaries, successors and assigns (and the officers, directors, employees, sublicensees,
customers,
and agents of STF and its affiliates, subsidiaries, successors, and assigns), from and against any
and
all losses, demands, liabilities, damages, fines, settlements, expenses, and costs (including without
limitation reasonable attorneys’ fees and costs), arising from or in connection with STF complying with
Customer’s instructions under this Agreement.
- Authorized Disclosure of Personal Data.
- Customer acknowledges and agrees that, at Customer’s request and reasonable cost, STF may
provide Personal Data to third-parties or other entities to whom Customer requests STF provide
Personal Data (e.g., State Board of Education). Customer shall make such a request to disclose
Personal Data in writing (“Authorization”). Customer acknowledges and agrees that each
Authorization will result in Customer electing, in its sole discretion, to transfer the Personal
Data to the recipients that Customer selects.
- The entities identified in Section 8(a) are collectively defined as
“Recipients.”
- Customer acknowledges that Customer Content may contain Personal Data and may be subject to
Data
Protection Legislation. Customer will hold STF harmless, and not liable in any way, for
STF’s
disclosure of Personal Data to the Recipients in accordance with an Authorization.
- STF makes no warranty (a) that the use of the Personal Data by the Recipient is valid or in
compliance with applicable Data Protection Legislation and Customer’s organization’s
policies or
(b) that Personal Data will remain secure upon transfer to the Recipient and disclaims any
responsibility for the transfer. Customer acknowledges that the Personal Data will be
provided
on an “as is”, “as available” basis.
- Data Retention. STF will delete Personal Data within a reasonable amount of time after the
termination or expiration of the Agreement, except that STF may retain Personal Data as required by
applicable legal requirements or as agreed by Customer. For the avoidance of doubt, the foregoing
shall
not apply to Aggregated and De-identified Data.
- Education Records. As applicable, to the extent STF has access to “Education Records” and
“Personally Identifiable Information” (as those terms are defined in FERPA) in connection with its
provision of the Service that is not otherwise permitted under FERPA: (a) Customer agrees that STF
has
met the criteria for being a “School Official” with “Legitimate Educational Interests” (as those
terms
are used in FERPA) in such Education Records and Personally Identifiable Information; and (b) STF
agrees
that such Education Records and Personally Identifiable Information will be used only for authorized
purposes under the Agreement, and it will not redisclose such Education Records or Personally
Identifiable Information except with Authorization from Customer or where such redisclosure is
otherwise
permitted under FERPA.
- State Specific Privacy Addenda. If applicable, the Parties agree to the State Specific Data
Protection Addenda for the applicable state(s).
- Updates to this DPA. Notwithstanding anything to the contrary in the Agreement, STF reserves
the
right to modify this DPA from time to time in its sole discretion and without Customer’s prior
consent
except where required by applicable law (“Updated DPA”). Customer agrees that any
Updated DPA will be effective immediately upon STF emailing the Updated DPA to Customer, unless STF
is
required by applicable law to obtain Customer’s consent, in which case, such Updated DPA will be
effective immediately upon the provision of such consent. STF will also endeavor to notify Customer
of
any material revision to this DPA at least ten (10) days prior to such revision coming into effect,
using Customer’s email address as set forth in the most recently executed Order Form.
State Specific Addenda
Capitalized words used in this State Specific Data Protection Addendum but not defined herein have the
meanings given to them in the DPA or in the Agreement.
California
With respect to Pupil Records (as defined in Cal. Educ. Code § 49073.1) that STF processes on behalf of a
Customer in California, the following provisions shall apply to the extent required by applicable law:
- Pupil Records that STF processes on behalf of Customer are the property of and under the control of
Customer, except an Authorized User may retain possession and control of Authorized User-Generated
Content where the Authorized User opens a personal account.
- STF shall limit its use of Pupil Records to those purposes specified in the Agreement, the DPA, and
any
notice of practices relating to children’s privacy.
- Procedures for the review and correction of Pupil Records shall be in accordance with the DPA.
- STF shall implement, maintain, and use reasonable measures to ensure the security and
confidentiality of
Pupil Records as specified in the DPA.
- Procedures for notification in the event of unauthorized disclosure of Pupil Records shall be in
accordance with the terms of the DPA.
- STF certifies that retention of Pupil Records shall be limited in accordance with the terms of the
DPA.
- STF’s and Customer’s access to and use of Education Records and Personally Identifiable Information
(as
defined in FERPA) shall be subject to the terms of the DPA.
- STF shall not use Personal Data in Pupil Records to engage in targeted advertising.
Colorado
With respect to Student Personally Identifiable Information (as defined in Colo. Rev. Stat. Ann. §
22-16-103)
that STF processes on behalf of a Customer in Colorado, the following provisions shall apply to the
extent
required by applicable law:
- STF shall comply in all material respects with the requirements of Colo. Rev. Stat. § 22-16-108 with
regard to the provision of clear information regarding collection, use, and disclosure of Student
Personally Identifiable Information, as specified in the DPA and any notice of practices relating to
children’s privacy.
- STF shall comply in all material respects with Colo. Rev. Stat. § 22-16-109 with regard to the
collection, use, and disclosure of Student Personally Identifiable Information, as specified in the
DPA
and any notice of practices relating to children’s privacy.
- STF shall comply in all material respects with the requirements of Colo. Rev. Stat. § 22-16-110 with
regard to data security and retention of Student Personally Identifiable Information, as specified in
the DPA and any notice of practices relating to children’s privacy.
Connecticut
With respect to Student Information, Student Records, and Student-generated Content (as those terms are
defined in Conn. Gen. Stat. § 10-234aa) (collectively, “CT Student Data”) that STF processes on behalf
of a
Customer in Connecticut, the following provisions shall apply to the extent required by applicable law:
- CT Student Data that STF processes on behalf of Customer is Customer Content and under the control
of
Customer.
- STF retention of CT Student Data shall be in accordance with the DPA and any notice of practices
relating to children’s privacy.
- STF shall limit its use of CT Student Data to those purposes specified in the Agreement, DPA, and
any
notice of practices relating to children’s privacy.
- Procedures for the review and correction of CT Student Data shall be in accordance with any notice
of
practices relating to children’s privacy.
- STF shall implement, maintain, and use reasonable measures to ensure the security and
confidentiality of
CT Student Data as specified in the DPA.
- Procedures for notification in the event of unauthorized disclosure of CT Student Data shall be in
accordance with the terms of the DPA.
- STF and Customer access to and use of Education Records and Personally Identifiable Information (as
defined in FERPA) shall be subject to the terms of the DPA.
- Laws of the state of Connecticut shall govern rights and duties with regard to CT Student Data, as
specified in the Agreement.
- In the event that any provision or the application of the Agreement or DPA is held invalid by a
court of
competent jurisdiction, severability of terms shall be in accordance with the Agreement.
District of Columbia
With respect to Personally Identifiable Student Information (as defined in D.C. Code § 38-831.01(14))
that
STF processes on behalf of a Customer in the District of Columbia, the following provisions shall apply
to
the extent required by applicable law:
- Personally Identifiable Student Information that STF processes on behalf of Customer is Customer
Content
and under the control of Customer.
Idaho
With respect to Student Data (as defined in Idaho Code Ann. § 33-133) that STF processes on behalf of a
Customer in Idaho, the following provisions shall apply to the extent required by applicable law:
- STF is permitted to use Aggregated and De-identified Data, as disclosed in the DPA and the
Agreement, as
applicable.
- STF is permitted to use Student Data for secondary uses with consent of a student’s parent or
guardian
and as disclosed in accordance with the DPA and the Agreement, as applicable.
- STF shall not use (including for marketing or advertising purposes) or sell Student Data except as
specified in the DPA or with express prior parental consent.
Illinois
With respect to Covered Information (as defined in 105 Ill. Comp. Stat. Ann § 85/5) that STF processes on
behalf of a Customer in Illinois, the following provisions shall apply to the extent required by
applicable
law:
- The types of Covered Information for which STF may act as a processor on behalf of Customer under
the
Agreement are specified in the DPA and any notice of practices relating to children’s privacy, as
applicable.
- The Service provided to Customer by STF is specified in the Agreement.
- STF and Customer access to and use and disclosure of Education Records and Personally Identifiable
Information (as defined in FERPA) shall be subject to FERPA, in accordance with the terms of the
DPA.
- Procedures in the event of a security breach shall be in accordance with the terms of the DPA;
provided
that, if the security breach is attributed to STF, any costs and expenses incurred by the Customer
in
investigating and remediating the breach will be allocated between STF and the Customer.
- STF’s retention of Covered Information shall be in accordance with the DPA and any notice of
practices
relating to children’s privacy, as applicable.
- STF agrees that Customer may publish a redacted copy of the Agreement and DPA on its website and/or
make
the documents available for inspection by the general public at its administrative office, as
applicable.
Louisiana
With respect to Personally Identifiable Information (as defined in La. Stat. Ann. § 17:3914(B)(1)) that
STF
processes on behalf of a Customer in Louisiana, the following provisions shall apply to the extent
required
by applicable law:
- STF shall limit access to Personally Identifiable Information it processes on behalf of Customer in
accordance with the DPA and any notice of children’s privacy practices.
- STF shall comply with the standards governing the privacy and security of Personally Identifiable
Information as set forth in the DPA and any notice of children’s privacy practices.
- Privacy and security audits performed by Customer’s superintendent shall be completed in accordance
with
the DPA.
- Procedures for unauthorized disclosure of Personally Identifiable Information shall be in accordance
with the terms of the DPA.
- STF’s retention of Personally Identifiable Information shall be limited in accordance with the terms
of
the Agreement, DPA, and any notice of children’s privacy practices, as applicable.
- STF’s disposal of Personally Identifiable Information shall be done in accordance with the terms of
the
Agreement, DPA, and any notice of children’s privacy practices, as applicable.
Minnesota
With respect to Educational Data (as defined in Minn. Stat. § 13.32) that STF processes on behalf of a
Customer in Minnesota, the following provisions shall apply to the extent required by applicable law:
- STF shall limit access to Educational Data it processes on behalf of Customer in accordance with the
DPA
and any notice of children’s privacy practices.
Montana
With respect to Pupil Records (as defined in Mont. Code Ann § 20-7-1324(6)) that STF processes on behalf
of a
Customer in Montana, the following provisions shall apply to the extent required by applicable law:
- Pupil Records that STF processes on behalf of Customer are the property of and under the control of
Customer, except an Authorized User may retain possession and control of Authorized User-Generated
Content where the Authorized User opens a personal account.
- STF shall limit its use of Pupil Records to those purposes specified in the Agreement, the DPA, and
any
notice of children’s privacy practices.
- Procedures for the review and correction of Pupil Records shall be in accordance with the DPA.
- STF shall implement, maintain, and use reasonable measures to ensure the security and
confidentiality of
Pupil Records as specified in the DPA.
- Procedures for notification in the event of unauthorized disclosure of Pupil Records shall be in
accordance with the terms of the DPA.
- STF certifies that retention of Pupil Records shall be limited in accordance with the terms of the
DPA.
- STF’s and Customer’s access to and use of Education Records and Personally Identifiable Information (as
defined in FERPA) shall be subject to the terms of the DPA.
- STF shall not use Personal Data in Pupil Records to engage in targeted advertising.
New York
With respect to personally identifiable information (as defined in N.Y. Comp. Codes R. & Regs. tit. 8, §
121.1(m)) (“NY PII”) that STF processes on behalf of a Customer in New York, the following provisions
shall
apply to the extent required by applicable law (for the avoidance of doubt, NY PII is a subset of
Personal
Data as defined in the Agreement):
- STF certifies that its technologies, safeguards and practices align with the NIST Cybersecurity
Framework.
- STF shall comply in all material respects with Customer’s data security and privacy policy and
applicable state and federal laws.
- STF shall limit access to NY PII it processes on behalf of Customer in accordance with the DPA and
any
notice of practices relating to children’s privacy.
- STF shall limit its use of NY PII to those purposes specified in the Agreement, DPA, and any notice
of
practices relating to children’s privacy.
- STF shall not disclose NY PII except in accordance with the DPA and any notice of practices relating
to
children’s privacy.
- STF shall implement, maintain, and use reasonable measures that are designed to ensure the security
and
confidentiality of NY PII as specified in the DPA.
- STF shall use encryption to protect electronic NY PII in transit or in storage.
- STF shall not sell NY PII and shall limit its use and disclosure of NY PII in accordance with the
DPA
and any notice of practices relating to children’s privacy.
- Data Security and Privacy Plan
- STF will implement applicable data security and privacy requirements as specified in the
DPA.
- STF shall implement, maintain, and use reasonable measures that are designed to ensure the
security and confidentiality of NY PII as specified in the DPA.
- A parent’s bill of rights is incorporated as part of this addendum and STF shall comply in
all
material respects with its terms, as set forth in Annex B.
- STF shall train its officers and employees on applicable laws prior to granting access to
Authorized User data as specified in the DPA.
- STF shall require that Sub-processors protect NY PII and manage breaches and unauthorized
disclosure as specified in the DPA.
- STF shall manage data security and privacy incidents as specified in the DPA. Procedures for
notification in the event of breaches and unauthorized disclosures shall be in accordance
with
the terms of the DPA.
- STF retention of NY PII shall be limited in accordance with the DPA.
Ohio
With respect to Education Records (as defined in Ohio Rev. Code § 3319.325(A)) that STF processes on
behalf
of a Customer in Ohio, the following provisions shall apply to the extent required by applicable law:
- STF shall limit access to Education Records it processes on behalf of Customer in accordance with
the
DPA and any notice of children’s privacy practices.
Utah
With respect to Student Data (as defined in Utah Code Ann. § 53E-9-301(17)) that STF processes on behalf
of a
Customer in Utah, the following provisions shall apply to the extent required by applicable law:
- STF shall limit its collection, use, storage, and sharing of Student Data to those purposes
specified in
the Agreement, DPA, and any notice of practices relating to children’s privacy, as applicable.
- Processing of Student Data by Sub-processors shall be in accordance with the DPA and any notice of
practices relating to children’s privacy, as applicable.
- STF’s retention of Student Data shall be limited in accordance with the terms of the Agreement, DPA,
and
any notice of practices relating to children’s privacy, as applicable.
- STF shall not use Student Data for purposes other than those specified in the Agreement and DPA, for
purposes permitted by Utah Code Ann. § 53E-9-309(4), or as requested by the Customer.
- STF agrees that, at Customer’s request, Customer or Customer’s designee may conduct an audit of STF,
in
accordance with this DPA, to verify compliance with the Agreement and Data Processing Agreement to
the
extent required by Utah Code Ann. § 53E-9-309.
Virginia
With respect to Student Personal Information (as defined in Va. Code Ann. § 22.1-289.01) that STF
processes
on behalf of a Customer in Virginia, the following provisions shall apply to the extent required by
applicable law:
- The types of Student Personal Information for which STF may act as a processor on behalf of Customer
shall be specified in the DPA and any notice of practices relating to children’s privacy, as
applicable.
- Privacy of Student Personal Information processed by STF on behalf of Customer shall be subject to
the
DPA and any notice of practices relating to children’s privacy, as applicable, and notification of
material changes shall be in accordance with the DPA.
- STF shall maintain reasonable measures to ensure the security, privacy, confidentiality, and
integrity
of Student Personal Information as specified in the DPA.
- Procedures for access to and the review and correction of Student Personal Information shall be in
accordance with the DPA and any notice of practices relating to children’s privacy, as applicable.
- STF shall not collect, maintain, use, or share Student Personal Information except for purposes
specified in the Agreement, DPA, and/or any notice of practices relating to children’s privacy,
except
with consent of the Customer or student’s parent or legal guardian, as applicable.
- STF shall require that its Sub-processors of Student Personal Information on behalf of Customer
comply
with STF’s policies and security measures in accordance with the DPA.
- STF’s retention of Student Personal Information shall be limited in accordance with the terms of the
DPA
and any notice of practices relating to children’s privacy, as applicable.
- STF shall not use Student Personal Information to engage in targeted advertising to students.
- STF shall not use Student Personal Information to create a personal profile of a student, except for
the
purposes specified in the Agreement, DPA, and any notice of practices relating to children’s
privacy, as
applicable.
- STF shall not knowingly sell Student Personal Information except to the extent that STF is sold to
or
acquired by a successor entity that purchases, merges with, or otherwise acquires STF.
Annex A
Security Measures
As from the Effective Date, STF will implement and maintain the Security Measures as set out in this
Annex.
- Dedicated staff responsible for the development, implementation and maintenance of STF’s
information security program.
- Data security controls which include at a minimum: logical segregation of data, restricted (e.g.,
role-based) access and monitoring, and utilization of commercially reasonable encryption
technologies for Personal Data.
- Logical access controls designed to manage electronic access to data and system functionality,
based on authority levels and job functions.
- Student passwords are set by Customer staff. Only Customer staff can reset passwords via email
authorization.
- System audit or event logging and related monitoring procedures to proactively record Authorized
User access and system activity.
- STF monitors and maintains all devices issued to STF personnel using asset-management and
location-tracking tools, enforcing baseline controls (full-disk encryption, screen auto-lock,
current security patches, and host firewall). Before any device or media is reassigned or leaves
STF possession, data is sanitized using industry-standard methods (e.g. NIST SP 800-88
Clear/Purge/Destroy), access artifacts are revoked, and inventory records are updated. Final
disposal is performed by certified e-waste providers, and proof of destruction is retained.
- Change management procedures and tracking mechanisms designed to test, approve and monitor all
material changes to STF’s technology and information assets.
- Incident management procedures designed to allow STF to investigate, respond to, mitigate and
notify of events related to STF’s technology and information assets.
- Network security controls that provide for the use of enterprise firewalls and intrusion detection
systems designed to protect systems from intrusion and limit the scope of any successful attack.
- Business resiliency/continuity and/or disaster recovery procedures designed to maintain service
and/or recovery from foreseeable emergencies or disasters.
Annex B
PARENTS BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY
Pursuant to Section 2-c and 2-d of the Education Law, parents and students are entitled to certain
protections regarding confidential student information. STF is committed to safeguarding personally
identifiable information from unauthorized access or disclosure as set forth below:
- A student's personally identifiable information cannot be sold or released for any commercial
purposes;
- Parents have the right to inspect and review the complete contents of their child's education
record;
- STF is committed to implementing safeguards associated with industry standards and best practices
under state and federal laws protecting the confidentiality of personally identifiable information,
including but not limited to, encryption, firewalls, and password protection when data is stored or
transferred;
- A complete list of all student data elements collected by the State is available for public review
at http://www.p12.nysed.gov/irs/vendors/templates.html
or by writing to the NYS Education Department, Information & Reporting Services, Room 863 EBA, 89
Washington Avenue, Albany, NY 12234;
- Parents have the right to have complaints about possible breaches of student data addressed.
Complaints may be submitted to NYS Education Department by mail to: Chief Privacy Officer, New York
State Education Department, 89 Washington Avenue, Albany, NY 12234; by email to privacy@nysed.gov;
or by telephone at 518-474-0937;
- STF has entered into contracts with certain schools/districts who have shared student data and/or
teacher data and/or principal data. The following information about such data appears in the
Agreement with the school/district as required by law:
  - The exclusive purpose(s) for which the data will be used;
  - The commencement and termination dates of each such agreement;
  - A description of how the data will be disposed by STF when the contract purpose has been
  fulfilled;
  - The data storage and security measures undertaken.
- STF will abide by data protection and security requirements;
- A parent, student, eligible student, teacher or principal may challenge the accuracy of the
student data or teacher or principal data that is collected by filing a written request with a
valid employee of the student’s school district.