Laserfiche WebLink
disclosure, access and use. Contractor shall ensure that its employees and Subcontractors who have potential access to <br />District Data have undergone appropriate background screening, to the District's satisfaction, and possess all needed <br />qualifications to comply with the terms of this Addendum. Contractor shall also ensure that its Subcontractors comply <br />with the insurance requirements specified in Section I l of this Addendum. <br />3.5 Use of De -identified Data. Contractor may use De -identified Data for purposes of research, the <br />improvement of Contractor's products and services, and/or the development of new products and services. In no event <br />shall Contractor or Subcontractors re -identify or attempt to re -identify any De -identified Data or use De- identified Data <br />in combination with other data elements or De -identified Data in the possession of a third -party affiliate, thereby posing <br />risks of re -identification. <br />3.6 Privacy Policy Changes. Prior to making a material change to Contractor's privacy policies, <br />Contractor shall send District's Designated Representative written notice, which includes a clear explanation of the <br />proposed changes. <br />4. Data Security <br />4.1 Security Safeguards. Contractor shall stare and process District Data in accordance with <br />commercial best practices, including implementing appropriate administrative, physical, and technical safeguards to secure <br />such data from unauthorized access, disclosure, alteration, and use. Contractor shall ensure that all such safeguards, <br />including the manner in which District Data is collected, accessed, used, stored, processed, disposed of and disclosed, <br />comply with all applicable federal and state data protection and privacy laws, regulations and directives, as well as the <br />terns and conditions of this Addendum. Without limiting the foregoing, and unless expressly agreed to the contrary in <br />writing, Contractor warrants that all electronic District Data will be encrypted. <br />4.2 Risk Assessments. Contractor shall conduct periodic risk assessments and remediate any identified <br />security vulnerabilities in a timely manner. <br />4.3 Audit Trails. Contractor shall take reasonable measures, including audit trails, to protect District <br />Data against deterioration or degradation of data quality and authenticity. <br />4.4 Verification of Safeguards. Upon District's written request, Contractor shall provide or make <br />available to the District for review, the following, verifying Contractor's administrative, physical and technical <br />safeguards are in compliance with industry standards and best practices: (1) a third -party network security audit <br />report, or (2) certification from Contractor indicating that an independent vulnerability or risk assessment of the <br />Contractor's data security program has occurred. <br />5. Security Incident and Security Breach <br />5.1 Security Incident Evaluation. In the event of an incident, Contractor shall follow industry best <br />practices to filly investigate and resolve the Incident, and take steps to prevent developments that may result in the <br />Incident becoming a Security Breach at Contractor's expense in accordance with applicable privacy laws. <br />5.2 Response. Immediately upon becoming aware of a Security Breach, or a complaint of a Security <br />Breach, Contractor shall notify the District Designated Representative in writing as set forth herein, filly investigate <br />the Security Breach, cooperate billy with the District's investigation of and response to tine Security Breach, and use <br />4 <br />Colorado Council of School Board Attorneys, December 10, 2016 <br />