Skip to main content
Skip table of contents

Render Data Privacy Addendum

Effective Date: June 7, 2024

(Summary of changes)

Modeled after Version 2.0 of the Student Data Privacy Consortium's Model Contract

This DATA PRIVACY ADDENDUM ("Addendum") is entered into by and between you and Chan Zuckerberg Initiative (“CZI”) on the Effective Date ("Parties"). The Parties agree to the terms as stated herein. Capitalized terms used but not defined herein shall have the meanings set forth in the Render User Agreement (“Agreement”). This Addendum constitutes part of and should be read consistently with the Agreement.

1. PURPOSE AND SCOPE

1.1 Purpose of Addendum

The purpose of this Addendum is to describe the duties and responsibilities to protect Student Data (defined below) transmitted to CZI from the School and its Participants pursuant to the Agreement, including compliance with applicable federal and state privacy statutes. 

As used in this Addendum, “Student Data” means any data, whether gathered by CZI or provided by School and its Participants, that is directly related to a Student, as more fully described in sections 1 and 2 of the Privacy Policy. Student Data includes Student login credentials and passwords (if any), Student authentication tokens or security devices used for student Service or infrastructure access, and also constitutes Student Records for the purposes of this Addendum. “Student Records” includes any information that directly relates to a Student that is maintained by School and any information acquired directly from the Student through the use of instructional software or applications assigned to the Student by School (including Render tools). Student Data does not include information that has been anonymized, De-Identified Data, or anonymous usage data regarding a Student's use of the Services. “De-Identified Data” is information that has all direct and Indirect Identifiers removed such that the data cannot reasonably be used to identify or contact a Student. Finally, “Indirect Identifiers” means any information that, either alone or in aggregate, would allow a reasonable person to be able to identify a Student to a reasonable certainty. When anonymous or non-personal information is directly or indirectly linked with personal information, this anonymous or non-personal information is also treated as personal information. Persistent identifiers that are not anonymized, de-identified or aggregated are personal information. 

1.2 Nature of Services Provided

As fully described in the Agreement, CZI has agreed to provide Render and any other products and services that CZI may choose to provide now or in the future (collectively, the "Services"). 

1.3 Student Data to Be Provided

In order to use the Services, School and its Participants may provide the categories of Student Data described in section 2 of the Privacy Policy. 

Summary: This Addendum describes how we are both required to protect Student Data, including personally identifiable information of a Student. Student Data means any information related to a Student. It does not include De-Identified Data, which is data that has had all identifying information removed so it cannot reasonably be used to identify or contact a student. The Privacy Policy identifies the specific types of student data and personally identifiable information that may be provided when using the services. 

2. DATA OWNERSHIP AND AUTHORIZED ACCESS

2.1 Student Data is Property of School

All Student Data or any other Student Records transmitted to CZI pursuant to the Agreement are and will continue to be the property of, and under the control of, the School, or the party who provided such Student Data or Student Records (such as the Student or Caregiver). The Parties agree that as between them, all rights, including all intellectual property rights in and to Student Data or any other Student Records contemplated per the Agreement shall remain the exclusive property of the  School or the party who provided such Student Data or Student Records (such as the Student or Caregiver). This Addendum is entered into pursuant to the Family Educational Rights and Privacy Act, 20 U.S.C. 1232g (“FERPA”). For the purposes of FERPA, to the extent Personally Identifiable Information (as defined below) from Education Records (as defined by FERPA) is transmitted from School to CZI, CZI shall be considered a School Official (defined below) with a legitimate educational interest, under the direct control of the School as it pertains to the use of Education Records notwithstanding the above. CZI shall, at the School's request, provide for review of Student Data or Student Records within thirty (30) days following a written request. 

School Official” means, for the purposes of this Addendum and pursuant to FERPA, a contractor that: (1) performs an institutional service or function for which the agency or institution would otherwise use employees; (2) is under the direct control of the agency or institution with respect to the use and maintenance of Education Records; and (3) is subject to FERPA’s terms governing the use and re-disclosure of Personally Identifiable Information from Education Records. “Personally Identifiable Information” shall have the meaning as defined in 34 C.F.R. § 99.3 or as otherwise defined by applicable state law. 

While the Children’s Online Privacy Protection Act, 15 U.S.C. 6501-6502 (“COPPA”) does not apply to nonprofit organizations like CZI, we take privacy seriously and have chosen to inform our practices with COPPA. To the extent this Addendum could be informed by COPPA, the School consents on behalf of Students’ Caregivers to the collection of Student Data as provided in the Agreement, this Addendum, the Direct Notice to Educational Institutions, and our Privacy Policy. CZI agrees to use Student Data solely for the use and benefit of the School, and for no other commercial purpose.

2.2 Provide Data In Compliance With Applicable Law

School shall provide Student Data or any other Student Records, for the purposes of the Agreement, in compliance with any applicable state or federal laws and regulations (including FERPA and COPPA) pertaining to data privacy and security applicable to School. If School provides Education Records to CZI, School represents, warrants, and covenants to CZI, as applicable, that School has: 

  1. complied with all applicable provisions of FERPA relating to disclosures about school officials with a legitimate educational interest, including, without limitation, informing parents in the School’s annual notification of FERPA rights that the School defines "school official" to include service providers and defines "legitimate educational interest" to include services such as the type provided by CZI.; or

  2. obtained all necessary parental or eligible student written consent or provided all necessary notice to share Student Data with CZI, in each case, solely to enable CZI’s operation of the Services, as may be required of School by law..

CZI has provided School a copy of the Privacy Policy as well as the Direct Notice for Educational Institutions. CZI recommends School provide copies of the Privacy Policy and the Direct Notice for Educational Institutions to parents. CZI will presume that School has obtained parental consent for our processing of personal, and CZI encourages School to obtain parental consent prior to using the Render services. CZI agrees to provide reasonable assistance to School to obtain parental consent on request, such as by providing template consent forms.

2.3 Parent or Legal Guardian Access

As set forth in applicable law, School shall establish reasonable procedures by which a Caregiver or Student may review and request amendment of the related Student's Student Records and correct erroneous information, consistent with the functionality of the Service. CZI shall respond within 30 days to the School's written request for Student Records held by CZI to view or amend as necessary. In the event that a Caregiver of a Student or other individual contacts CZI to review any of the Student Records or Student Data accessed pursuant to the Services, CZI shall refer the Caregiver or individual to the School. In such an event, School shall follow its necessary and proper procedures regarding the requested information. 

2.4 Third Party Request

Should any person other than CZI, School, a Participant, or a Service Provider (“Third Party”), contact CZI with a request for Student Data held by CZI pursuant to the Services, CZI shall redirect the Third Party (including law enforcement and government entities) to request the Student Data directly from the School. CZI shall notify the School in advance of any compelled disclosure to a Third Party, unless legally prohibited. For purposes of this Addendum, a Service Provider is a person who CZI uses for data collection, analytics, storage, or other service to operate and/or improve Render, and who has access to Personally Identifiable Information including Student Data.

2.5 No Unauthorized Use

CZI shall not use Personally Identifiable Information from Student Data, or in a Student Record, for any purpose other than as explicitly specified in the Privacy Policy and Agreement. 

2.6 Service Providers

CZI may use Service Providers in order to perform its duties under the Agreement. CZI shall enter into written agreements with all Service Providers that provide protections of personal information at least as strong as the protections described herein and shall be responsible for any actions of Service Providers that would be a breach of this Addendum. 

Summary: We will not use student personal information in any unauthorized way other than as stated in this Addendum. Student information and student records submitted through Render will remain the property of the School or the person who provided them. Any requests by Caregiver and eligible students to review and correct student records must be made through the School. It’s the School’s responsibility to provide a reasonable procedure for this review. Unless legally prohibited, Third party requests for student information will be directed to the School. 

3. DUTIES OF SCHOOL

3.1 Reasonable Precautions

School shall take reasonable precautions to secure account credentials and any other means of gaining access to the Services and Student Data in accordance with the Agreement, this Addendum and applicable law. 

3.2 Unauthorized Access Notification

School shall notify CZI immediately of any known or suspected unauthorized use or access of the Services or Student Data. School will assist CZI in any efforts by CZI to investigate and respond to any unauthorized use or access. 

3.3 School Leader 

The School Leader entering into the Agreement shall serve as the representative of the School for the coordination and fulfillment of the duties of this Addendum. 

Summary: The school agrees to provide student information in ways that follow state and federal laws, including FERPA. The school will take precautions to keep account credentials secure. If there is a breach in the security of accounts or student information, the school will notify CZI immediately and assist CZI in investigating and responding to unauthorized use or access. The School Leader will serve as a representative of the school. 

4. DUTIES OF CZI

4.1 Privacy Compliance

CZI shall comply with all state and federal laws and regulations related to privacy and security and applicable to Schools and/or CZI in providing the Services to School. 

4.2 Authorized Use

Student Data shared pursuant to the Agreement, including persistent unique identifiers that are personally identifiable, shall be used for no purpose other than the Services, for the uses set forth in the Agreement, for School support and development across and among CZI platforms and services,  and/or as otherwise legally permissible. The foregoing limitation does not apply to any De-Identified Data. 

4.3 Staff Obligation

CZI shall require all employees, staff, agents, and Service Providers who have access to Student Data to comply with all applicable laws with respect to the Student Data shared under the User Agreement. CZI agrees to require and maintain written confidentiality obligations from each of its employees, staff, agents, or Service Providers with access to Student Data pursuant to the User Agreement. 

4.4 No Disclosure

CZI shall not disclose any Student Data obtained under the User Agreement in a manner that directly identifies an individual student to any other entity except as authorized by the User Agreement, or as required by law. CZI will not Sell Student Data. “Sell” (consistent with the Student Online Privacy Protection Act, California Business and Professions Code section 22584 (“SOPIPA”) and the Student Privacy Pledge) does not include or apply to the purchase, merger, or other type of acquisition of a company by another entity, provided that the company or successor entity continues to treat the personal information in a manner consistent with the Student Privacy Pledge with respect to the previously acquired personal information. Additionally, CZI will not disclose, trade, or transfer Student Data to any third parties, except with the prior written consent of the School. The prohibition on disclosing, trading, or transferring Student Data does not apply to the access to or disclosure of Student Data (a) to School or School Leaders, (b) to authorized Participants, (c) to Caregivers, (d) to and among affiliated CZI organizations for the purposes of providing and improving Partner School support, product analytics and development, and other internal usage as permitted by law, (e) as authorized by a parent, legal guardian or eligible student, (f) as permitted by law or (g) to Service Providers, in connection with operating or improving the Services. The list of CZI's Service Providers can be accessed through the Privacy Policy

4.5 De-Identified Data

CZI may create De-Identified Data, and De-Identified Data may be used for any lawful purpose including, but not limited to, operating, improving, and developing CZI’s educational sites, services, or applications. CZI's use of such De-Identified Data shall survive termination of this Addendum or any request by School to return or destroy Student Data. 

4.6 Disposition of Student Data and Student Records

CZI will delete Participant accounts if we receive a written request from a Student, Educator, or School Leader. However, some information may remain on logs or encrypted backup storage copies until they are deleted. Further, CZI may retain information to comply with our legal obligations or to protect the safety and security of our Participants or our Services, for example, in cases of past policy and content violations or due to a request from law enforcement. Such information will be disposed of or deleted when it is no longer needed for the purpose for which it was retained. Disposition shall include (1) the shredding of any hard copies of any Personally Identifiable Information contained in Student Data and Student Records; (2) erasing any Personally Identifiable Information contained in Student Data and Student Records; or (3) otherwise modifying the Personally Identifiable Information contained in Student Data and Student Records to make it unreadable, indecipherable or de-identified. CZI shall provide written notification to the School’s representative when the Personally Identifiable Information contained in the Student Data and Student Records has been disposed of. The duty to dispose of Student Data and Student Records shall not extend to De-Identified Data.

Deletion Request from Student: If a Student requests deletion of a Student Account, that account will be removed from Render after verifying the request. In parallel, CZI shall notify the Educator and the School Leader who will have thirty (30) days from the date of receiving such notice to request any Student Data and Student Records from the Student Account (“Transfer Period”). CZI shall dispose of or delete the Student Account thirty (30) days after the end of the Transfer Period.

Deletion Request from Educator: If an Educator  requests deletion of a Student Account (on behalf of a Student or Parent), or the account of the Educator and all associated Student Accounts, those accounts will be removed from Render after verifying the request. In parallel, CZI shall notify the School Leader. CZI shall dispose of or delete the account(s) thirty (30) days after the end of the Transfer Period.

Deletion Request from School Leader: If a School Leader requests the deletion of any accounts associated with their School, CZI shall delete such accounts, or dispose of or delete all Personally Identifiable Information contained in Student Data and Student Records thirty (30) days after verifying such written request by the School Leader, or as required by law, and according to a schedule and procedure as CZI and the School may reasonably agree.

Transfer of Student Data and Student Records: If a written request is received from a School Leader prior to a deletion request or during the Transfer Period, CZI shall transfer the Student Data and Student Records to the School Leader or other designee within thirty (30) days of verifying such written request by the School Leader, or as required by law, and according to a schedule and procedure as CZI and the School Leader may reasonably agree. If no written request is received during the Transfer Period, CZI shall delete the Participant Account, or dispose of or delete all Personally Identifiable Information contained in Student Data and Student Records at the earliest of (a) thirty days after the end of the Transfer Period; (b) when it is no longer needed for the purpose for which it was obtained or (c) as required by applicable law.

4.7 Advertising Prohibition

CZI shall not use Personally Identifiable Information contained in Student Data to (a) serve Behaviorally Targeted Advertising (defined below) to Students or their Parents or any other user; or (b) develop a profile of a Student or any other user for any commercial purpose other than providing the Services to School or as set forth in the User Agreement. CZI shall not use or disclose Personally Identifiable Information contained in Student Data for Third-Party Advertising. 

As used in this Addendum, “Behaviorally Targeted Advertising” means presenting an advertisement to a Student where the selection of the advertisement is based on Student Data or Student-Generated Content or inferred over time from the usage of CZI's website, online service or mobile application by such student or the retention of such Student’s online activities or requests over time and across non-affiliate websites for the purpose of targeting subsequent advertising. “Student-Generated Content” means materials or content created by a Student during and for the purpose of education including, but not limited to, essays, research reports, portfolios, creative writing, music or other audio files, photographs, videos, and account information that enables ongoing ownership of such content. “Third-Party Advertising” means direct advertising of third parties (i.e. not Participants) and their products or services on our Services (e.g., such as when an advertiser would bid to place an advertisement directly on a platform). CZI does not allow third parties to advertise directly on its Services in user logged in areas of the Services, nor does CZI sell advertising space in logged in areas on the Service. CZI also does not use third-party ad servers (such as Google AdWords or AdSense) in user logged in areas of the Service. 

Summary: Students’ personal information will only be used as needed to provide educational services. CZI will not share or sell students’ personal information or use it for targeted advertising. Schools can request that all personal information be deleted or disposed of. De-identified information (data that has had all identifying information removed so it cannot reasonably be used to identify or contact a student) can be used for any lawful purpose.

5. DATA PROVISIONS

CZI's core security commitments are set forth below and we commit to maintaining this baseline. For more information regarding CZI's current security practices, see the Security Overview. 

5.1 Data Security

CZI agrees to store and process data by employing administrative, physical, and technical safeguards designed to protect Student Data from unauthorized access, disclosure, and use or acquisition by an unauthorized person, including when transmitting and storing such information. Currently, CZI implements security practices identified in our Security Overview. These measures shall include, but are not limited to: 

  1. CZI shall implement strong authentication methods including multi-factor authentication (MFA) with strong password complexity for all employees and contractors. These methods meet or exceed Article 4.3 of NIST 800-63-3. 

  2. CZI shall limit access to Student Data to employees, agents, staff, and Service Providers who need access in order for CZI to provide the Services. To the extent permissible by law, CZI shall conduct criminal background checks of employees prior to providing access to Student Data and prohibit access to Student Data by any person with criminal or other relevant unsatisfactory information that presents an unreasonable risk to School or its Students. 

  3. CZI shall destroy or delete all Personally Identifiable Information contained in Student Data obtained under the User Agreement as set forth in Section 4.6 hereof. 

  4. CZI shall employ a strong modern encryption technology designed to securely transmit (encryption in transit) and store (encryption at rest) all Student Data. CZI shall maintain all Student Data obtained or generated pursuant to the User Agreement in a secure computing environment and shall not copy, reproduce, or transmit data obtained pursuant to the User Agreement, except as necessary to fulfill the purpose of data requests by School or as otherwise set forth in the User Agreement. 

  5. CZI shall create a secured data backup and recovery capability that is designed to ensure an effective, timely and accurate restoration of all Student Data. The capability will be designed to minimize the amount of Student Data loss in the event of some form of catastrophic failure. For further protection, those backups will be encrypted and are stored in a different region. 

  6. CZI shall adopt and maintain a secure software development lifecycle which will incorporate security practices such as penetration testing, code reviews and architecture analysis as essential functions of the development effort. Any identified security vulnerability will be remediated in a timely manner. 

  7. CZI shall provide periodic security training to those of its employees and staff who have access to Student Data. 

  8. CZI shall enter into written agreements whereby Service Providers agree to prevent unauthorized access and use of Student Data in a manner consistent with the terms of this Section 5.1. CZI shall periodically review such compliance of Service Providers. 

In the event Schools have questions regarding Data Privacy or Security, they may contact our team at privacy@buildwithrender.org. Vulnerabilities can be responsibly disclosed by contacting security@buildwithrender.org

5.2 Incident Response and Security Governance

In addition to those security measures described in Section 5.1, CZI also implements an incident response and security governance program, which: 

  1. Maintains availability for the Services through event monitoring and response procedures for all site outages or any observable occurrences, including automated site outage notifications. 

  2. Implements incident response policies, plans and procedures focused on timely and effective incident response. 

  3. Restricts network and physical access to infrastructure for the Services. We also leverage services to monitor for suspicious activity and employ professionals with training in security incident detection and response. More information about our infrastructure can be found in the Security Overview. 

  4. Implements oversight and governance procedures for security risks and vulnerabilities, including a Vulnerability Disclosure Program and mandatory reviews of any incidents affecting the Services. 

5.3 Data Breach

In the event that CZI becomes aware of an unauthorized disclosure of or access to Student Data (a "Security Incident"), CZI shall provide notice to the School without undue delay or as required by the applicable state law (each, a "Security Incident Notification"). 

  1. Unless otherwise required by the applicable law, the Security Incident Notification shall be written in plain language, shall be titled "Notice of Data Breach," and shall present the information described herein under the following headings: "What Happened," "What Information Was Involved," "What We Are Doing," "What You Can Do," and "For More Information." Additional information may be provided as a supplement to the notice. 

  2. The Security Incident Notification described above in Section 5.2(a) shall include such information required by the applicable state law and the following information: 

    1. The name and contact information of the reporting School subject to this section. 

    2. A list of the types of Personally Identifiable Information that were or are reasonably believed to have been the subject of the Security Incident. 

    3. If the information is known at the time the Security Incident Notification is provided, then either (1) the date of the Security Incident, (2) the estimated date of the Security Incident, or (3) the date range within which the Security Incident occurred. The Security Incident Notification shall also include the date of the notice. 

    4. Whether, to the knowledge of CZI at the time notice is provided, the notification was delayed as a result of a law enforcement investigation or request. 

    5. A general description of the Security Incident, if that information is possible to determine at the time the notice is provided. 

  3. At CZI's discretion, the Security Incident Notification may also include any of the following: 

    1. Information about what CZI has done to protect individuals whose Personally Identifiable Information has been breached by the Security Incident. 

    2. Advice on steps that the person whose Personally Identifiable Information has been breached may take to protect themselves. 

  4. To the extent required by the applicable state law, CZI shall seek to notify the affected parent, legal guardian or eligible student of the Security Incident, which shall include as applicable the information listed in subsections (b) and (c), above. 

Summary: CZI will work to protect student information from unauthorized access by employing administrative, physical, and technical safeguards. These include:

  • using strong authentication methods,

  • limiting who has access to student data,

  • destroying or deleting personal information as needed,

  • using strong encryption technology,

  • using secured data backup and recovery capability,

  • maintaining a secure software development lifecycle,

  • providing security training to employees and staff, and

  • requiring Service Providers to follow similar terms.

If there is a data breach, CZI will provide notice to the school as required by law. 

6. MISCELLANEOUS

6.1 Term

Except as otherwise stated herein, CZI shall be bound by this Addendum for the duration of the User Agreement or a longer period as required by law. 

6.2 Termination

Except as otherwise stated herein, CZI shall be bound by this Addendum for the duration of the User Agreement or a longer period as required by law. 

6.3 Effect of Termination 

If the User Agreement is terminated and no other agreement between School and CZI is in effect through other Educators or School Leaders, CZI shall dispose of all of School's Personally Identifiable Information contained in Student Data pursuant to Section 4.6. 

6.4 Priority of Agreements

This Addendum shall govern the treatment of Student Data. With respect to the treatment of Student Data, in the event there is conflict between the terms of this Addendum and the User Agreement, or any other agreement between the School and CZI, the terms of this Addendum shall apply and take precedence. Except as described in this paragraph, all other provisions of the User Agreement shall remain in effect. 

6.5 Notice

All notices or other communication required or permitted to be given hereunder must be sent to School or CZI, as applicable, as provided in the User Agreement.

Appendix A - Certain State-Specific Terms, to Exhibit 1, Data Privacy Addendum

This document, Appendix A, Certain State-Specific Terms (“Appendix”) is incorporated as Exhibit 1 to the Render Data Privacy Addendum (“DPA”) of the User Agreement. Capitalized terms used but not defined herein shall have the meanings set forth in the User Agreement. 

Colorado

CZI complies with all applicable requirements of Colorado’s Student Data Transparency and Security Act, C.R.S. 22-16-101, et seq.

Connecticut

The Render User Agreement, incorporating the RenderDPA and this Appendix constitutes the written agreement mandated by the Connecticut Act Concerning Student Data Privacy, Conn. Gen. Stat. Ann. § 10-234aa-dd. As applicable, where CZI processes Student Data from Connecticut, the following provisions shall be incorporated into the Render DPA:

  1. As set forth in section 7.1 of the Render User Agreement, the laws of the state of Connecticut shall govern the rights and duties of CZI and the School; and

  2. As set forth in section 7.3 of the Render User Agreement, if any provision of the Agreement or the application of the Agreement is held invalid by a court of competent jurisdiction, the invalidity does not affect other provisions or applications of the Agreement which can be given effect without the invalid provision or application.

Illinois

The Render User Agreement, incorporating the Render DPA and this Appendix constitutes the written agreement mandated by the Illinois Student Online Personal Protection Act (“SOPPA”), codified at 105 ILCS 85/5. The following is incorporated into the Agreement:

  1. A listing of the categories or type of information to be provided to CZI is available for public review in section 2 of the Render Privacy Policy; 

  2. Pursuant to and as fully described in the Render User Agreement, CZI has agreed to provide Render, including its website, features, and related services accessed through Render (collectively “Services”) to the School;

  3. If a “Security Incident”, as defined in section 5.3 of the Render DPA, is primarily attributable to CZI, CZI shall subject to section 4.2 of the Render User Agreement, reimburse and indemnify School for any and all costs and expenses that the School incurs with:  (a) providing notification to the parents of those students whose Student Data was compromised and regulatory agencies or other entities as required by law or contract; (b) audit costs, fines, and any other fees or damages imposed against the School as a result of the security breach; and (c) providing any other notifications or fulfilling any other requirements adopted by the Illinois State Board of Education or under other State or federal laws;

  4. The School shall notify CZI when the Student Data it has provided pursuant to the DPA is no longer needed for the School’s purpose(s) under the Agreement and this DPA. If any of the Student Data is no longer needed for purposes of the Agreement and this DPA, CZI will delete or transfer Student Data as set forth in section 4.6 of the DPA. CZI will comply with School’s request and delete or transfer the Student Data within a reasonable time period, not to exceed 30 days after verifying the written request, and according to a schedule and procedure as CZI and the School may reasonably agree.    

  5. Pursuant to SOPPA, School shall publish on its website a copy of the Along DPA, including this Appendix.

Kentucky

The Render User Agreement, incorporating the Render DPA and this Appendix constitutes the written agreement mandated by Kentucky Revised Statutes 365.734, and CZI certifies to the following statements:

  1. As set forth in section 4.2 of the Render DPA, CZI shall not process Student Data other than providing, improving, developing, or maintaining the integrity of the Services to the School as authorized pursuant to the Agreement. The Render User Agreement and the Render Privacy Policy set forth the exclusive purposes for which the Student Data will be used by CZI;

  2. As set forth in section 4.7 of the Render DPA and sections 2.3 and 2.4 of the Render Privacy Policy, CZI shall not process Student Data to advertise or facilitate advertising or to create or correct an individual or household for any advertisement purpose, and shall not sell, disclose or otherwise process Student Data for any commercial purpose.

Nevada, North Carolina, Oklahoma, and West Virginia 

The Along User Agreement, incorporating the Along DPA and this Appendix constitutes the written agreement mandated by Nevada Revised Statute 388.272, North Carolina General Statutes §115C-402.5(b)(6), Oklahoma Statutes § 70-3-168, and West Virginia  Code § 18-2-5h, and includes the following statements:

  1. CZI’s commitments to protect the privacy and security of Student Data are set forth in the Render DPA, including section 5, and are outlined in the RenderPrivacy Policy; and

  2. CZI acknowledges it may face potential liability as a penalty for intentional or grossly negligent noncompliance with this Agreement, including termination of the Agreement and payment of monetary damages, subject to section 4.2 of the Render User Agreement, for any breach of the terms of this Agreement that cause actual harm to the School.

New York 

The Render User Agreement, incorporating the Render DPA and this Appendix constitutes the written agreement mandated by New York State Education Law § 2-d (“Section 2-d”), and Part 121 of the New York State Education Department (“NYSED”) regulations implementing Section 2-d.

New York's Parents Bill of Rights for Data Privacy and Security is incorporated into the Agreement and CZI agrees and acknowledges that:

  1. A student's personally identifiable information cannot be sold or released for any commercial purposes;

  2. Parents have the right to inspect and review the complete contents of their child's education record that is shared with or collected by CZI;

  3. CZI complies with all applicable state and federal laws that protect the confidentiality of personally identifiable information, and employs safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls, and password protection, when data is stored or transferred;

  4. A complete list of all student data elements collected by CZI is available for public review in the Render Privacy Policy; and 

  5. Parents have the right to have complaints about possible breaches of student data addressed. CZI will promptly address any such complaints directed to privacy@buildwithrender.org

  6. The Render User Agreement and the Render Privacy Policy set forth the exclusive purposes for which the student data or teacher or principal data will be used by CZI; 

  7. CZI may disclose the student data or teacher or principal data to subcontractors, or other authorized persons or entities (“Service Providers”) in order to perform its duties under the Render User Agreement. CZI shall enter into written agreements with all Service Providers and shall be responsible for any actions of Service Providers that would be a breach of this document.

  8. The Render DPA and Render Privacy Policy set forth the time period, not to exceed 60 days, and process by which CZI will either delete or transfer personally identifiable information upon the expiration of the contract or when requested to do so by notification from the contracting party;

  9. A parent, student, eligible student, teacher or principal may correct inaccurate student data or teacher or principal data that is collected by CZI;

  10. Where required by applicable law, all student data or teacher or principal data will be stored within the United States and protected by employing administrative, physical, and technical safeguards designed to protect it from unauthorized access, disclosure, and use or acquisition by an unauthorized person, including when transmitting and storing such information.

  11. The data will be protected using encryption while in transit and at rest.

  12. For purposes of compliance with NYSED regulation Part 121.6 implementing Section 2-d, details of CZI’s data privacy and security plan can be found in our Security Overview.

Rhode Island

The Render User Agreement, incorporating the Render DPA and this Appendix constitutes the written agreement mandated by Rhode Island HB 7124, as codified by General Laws § 16-104-1, and certifies to the following statements:

  1. As set forth in section 4.2 of the Render DPA, CZI shall process data of a student enrolled in kindergarten through twelfth (12th) grade (“Student Data”) for the sole purpose of providing the Services to the School as authorized pursuant to the Agreement. The Render User Agreement and the Render Privacy Policy set forth the exclusive purposes for which the Student Data will be used by CZI;

  2. As set forth in sections 2.1 and 4.7 of the Render DPA and section 2.4 of the Render Privacy Policy, CZI shall not process Student Data for any commercial purposes, including, but not limited to, advertising purposes that benefit CZI.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.