
Terms of Service & Privacy Center

Cardonex values the privacy and data of our clients and our partners. Here you will find a collection of privacy documentation. This may be updated at any time in the future. Below you will also find the Terms of Service for accessing our products and services.

Last Updated: May 7, 2024


This Data Privacy Agreement (“DPA”) becomes effective as of the Effective Date of the Terms of Service (the “Agreement”) and is entered into by and between Cardonex and the Customer.


WHEREAS, Cardonex is providing educational or digital services to Customer;


WHEREAS, Cardonex and Customer recognize the need to protect personally identifiable student information and other regulated data exchanged between them as required by applicable laws and regulations, such as the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, as amended (“FERPA”), the Children's Online Privacy Protection Act, 15 U.S.C. § 6501-6506, as amended (“COPPA”), and applicable state privacy laws and regulations;


WHEREAS, Cardonex and Customer desire to enter into this DPA for the purpose of establishing their respective obligations and duties in order to comply with applicable laws and regulations; and


WHEREAS, all capitalized terms not otherwise defined in this DPA shall have the meaning given in the Agreement.
 

NOW THEREFORE, for good and valuable consideration, Customer and Cardonex agree as follows:

 

  1. Definitions.

    1. “Brand Features” means the trade names, trademarks, service marks, logos, domain names, and other distinctive brand features of each Party, respectively, as secured by such Party from time to time.

    2. “Customer Data” includes all Personally Identifiable Information and other information that is not intentionally made generally available by the Customer on public websites or publications, including but not limited to business, administrative and financial data, intellectual property, and student and personnel data and metadata, as well as any de-identified, aggregated, or otherwise anonymized data derived from such data.

    3. “User” means the individuals authorized by the Customer to access and use the Services provided by Cardonex under the Agreement.

    4. “Personally Identifiable Information” (or “PII”) includes but is not limited to: personal identifiers such as name, address, phone number, date of birth, Social Security number, and student or personnel identification number; personally identifiable information contained in student education records as that term is defined in the Family Educational Rights and Privacy Act, 20 USC 1232g, as amended (“FERPA”); “personal information” as that term is defined in the Children's Online Privacy Protection Act of 1998 (“COPPA”); “personal information” as that term is defined in the Protection of Pupil Rights Amendment (“PPRA”); “personally identifiable information” as that term is defined in the Individuals with Disabilities Education Act, as amended (“IDEA”); “protected health information” as that term is defined in the Health Insurance Portability and Accountability Act, 45 CFR Part 160.103 (“HIPAA”); nonpublic personal information as that term is defined in the Gramm-Leach-Bliley Financial Modernization Act of 1999, 15 USC 6809 (“GLB”); credit and debit card numbers and/or access codes and other cardholder data and sensitive authentication data as those terms are defined in the Payment Card Industry Data Security Standards (“PCI-DSS”); other financial account numbers, access codes, driver's license numbers; and state- or federal-identification numbers such as passport, visa or state identity card numbers.

    5. “Party” or “Parties” means all parties to the Terms and Conditions of Service.

    6. “Securely Destroy” means taking actions that render data written on physical (e.g., hardcopy, microfiche, etc.) or electronic media unrecoverable by both ordinary and extraordinary means. These actions must meet or exceed those sections of the National Institute of Standards and Technology (NIST) SP 800-88r1 guidelines relevant to data categorized as high security.

    7. “Security Breach” means an event in which Customer Data is exposed to unauthorized disclosure, access, alteration, or use.

    8. “Mining Customer Data” means to search through, access, or extract Customer Data, metadata, or information which is not necessary to accomplish the purpose(s) of the Agreement.

  2. Rights and License in and to Customer Data. The Parties agree that as between them, all rights including all Intellectual Property Rights in and to Customer Data shall remain the sole and exclusive property of the Customer, and Cardonex has a limited, nonexclusive license as provided in the Agreement solely for the purpose of performing its obligations hereunder. The Agreement does not give Cardonex any rights, implied or otherwise, to Customer Data, content, or intellectual property, except as expressly stated in the Agreement.

  3. Intellectual Property Rights/Disclosure.

    1. Unless necessary to perform Cardonex's obligations under the Agreement or expressly agreed by the Customer in writing, all goods, products, materials, documents, reports, writings, video images, photographs or papers of any nature including software or computer images prepared by Cardonex (or its subcontractors) explicitly for the Customer will not be disclosed to any other person or entity.

    2. Notwithstanding the foregoing, for grant collaboration pursuant to subcontracts under sponsored grants, Intellectual Property Rights will be governed by the terms of the grant or contract to the Customer to the extent such grant or contract requires intellectual property terms to apply to subcontractors.

  4. Data Privacy.

    1. Cardonex will use Customer Data only for the purpose of fulfilling its duties under the Agreement and will not share Customer Data with or disclose it to any third Party without the prior written consent of the Customer, except as required by law.

    2. Customer Data will not be stored outside the United States without prior written consent from the Customer.

    3. Cardonex will provide access to Customer Data only to its employees and subcontractors who need to access the data to fulfill Cardonex's obligations under the Agreement. Cardonex will ensure that employees and subcontractors who perform work under the Agreement have read, understood, and received appropriate instruction as to how to comply with the data protection provisions of the Agreement. If Cardonex will have access to “education records” for the Customer's students as defined under FERPA, Cardonex acknowledges that for the purposes of the Agreement it will be designated as a “school official” with “legitimate educational interests” in the Customer Education records, as those terms have been defined under FERPA and its implementing regulations, and Cardonex agrees to abide by the FERPA limitations and requirements imposed on school officials. The Parties agree that: (1) the services/functions to be provided by Cardonex are services/functions for which the Customer would otherwise use its own employees; (2) Cardonex is under the Customer's direct control with respect to Cardonex's access to and use of the education records; and (3) Cardonex is subject to the requirements of 34 C.F.R. 99.33(a) with respect to Cardonex's access to and use of the education records. Cardonex will use the education records only for the purpose of fulfilling its duties under the Agreement for Customer's and its User's benefit, and will not share such data with or disclose it to any third Party except as provided for in the Agreement, required by law, or authorized in writing by the Customer.

    4. Cardonex will not use Customer Data (including metadata) for advertising or marketing purposes.

    5. Cardonex agrees to assist Customer in maintaining the privacy of Customer Data as may be required by State and Federal law, including but not limited to FERPA, PPRA, IDEA, and COPPA. Cardonex shall, upon reasonable request, provide the Customer with a written summary of the procedures Cardonex uses to maintain the privacy of Customer Data.

    6. Cardonex is prohibited from Mining Customer Data for any purposes other than those agreed to by the Parties.

    7. For Cardonex products provided to educational institutions, the collection, maintenance, and use of personal information from children under 13 is controlled by the educational institution that contracts with Cardonex for use of its products. If you are a parent and have questions regarding personally identifiable information collected from your child as part of their educational institution's use of Cardonex's products, including your rights to review, delete, and refuse further collection of such information from your child, please contact your child's educational institution. Cardonex cannot delete such information unless authorized by your child's educational institution.

  5. Data Security.

    1. Cardonex will store and process Customer Data in accordance with commercial best practices, including appropriate administrative, physical, and technical safeguards, to secure such data from unauthorized access, disclosure, alteration, and use. Such measures will be no less protective than those used to secure Cardonex's own data of a similar type, and in no event less than reasonable in view of the type and nature of the data involved. Without limiting the foregoing, Cardonex warrants that all electronic Customer Data will be encrypted in transmission using Transport Layer Security (TLS) or SFTP for all interfaces transmitting or receiving Customer Data (including all back-end communications and all web interfaces) and stored at no less than 128-bit level encryption. Note: The minimum of TLS 1.1 is required (1.2 is preferred); SSL is no longer sufficient for adequate transmission security.

    2. Cardonex will use industry-standard and up-to-date security tools and technologies such as anti-virus protections and intrusion detection methods in providing Services under the Agreement.

  6. Employee and Subcontractor Qualifications

    1. Cardonex shall ensure that its employees and subcontractors who have potential access to Customer Data have undergone appropriate background screening, to the Customer's satisfaction, and possess all needed qualifications to comply with the terms of the Agreement including but not limited to all terms relating to data and intellectual property protection.

    2. If Cardonex must under the Agreement create, obtain, transmit, use, maintain, process, or dispose of the subset of Customer Data known as Personally Identifiable Information or financial or business data which has been identified to Cardonex as having the potential to affect the accuracy of the Customer's financial statements, Cardonex shall perform the following background checks on all employees who have potential to access such data in accordance with the Fair Credit Reporting Act: Social Security Number trace; seven (7) year felony and misdemeanor criminal records check of federal, state, or local records (as applicable) for job related crimes; Office of Foreign Assets Control List (OFAC) check; Bureau of Industry and Security List (BIS) check; and Office of Defense Trade Controls Debarred Persons List (DDTC).

  7. Data Authenticity and Integrity. Cardonex will take reasonable measures, including audit trails, to protect Customer Data against deterioration or degradation of data quality and authenticity.

  8. Security Breach.

    1. Response. Immediately upon becoming aware of a Security Breach, or of circumstances that could have resulted in unauthorized access to or disclosure or use of Customer Data, Cardonex will notify the Customer, fully investigate the incident, and cooperate fully with the Customer's investigation of and response to the incident. Except as otherwise required by law, Cardonex will not provide notice of the incident directly to individuals whose Personally Identifiable Information was involved, regulatory agencies, or other entities, without prior written permission from the Customer.

    2. Liability. In addition to any other remedies available to the Customer under law or equity, Cardonex will reimburse the Customer in full for all costs incurred by the Customer in investigation and remediation of any Security Breach proven to have been caused in whole or in part by Cardonex or subcontractors, including but not limited to providing notification to individuals whose Personally Identifiable Information was compromised and to regulatory agencies or other entities as required by law or contract; providing one year's credit monitoring to the affected individuals if the Personally Identifiable Information exposed during the breach could be used to commit financial identity theft; and the payment of legal fees, audit costs, fines, and other fees imposed against the Customer as a result of the Security Breach.

  9. Response to Legal Sales Orders, Demands or Requests for Data.

    1. Except as otherwise expressly prohibited by law, Cardonex will:

      1. immediately notify the Customer of any subpoenas, warrants, or other legal orders, demands or requests received by Cardonex seeking Customer Data;

      2. reasonably consult with the Customer regarding Cardonex's response;

      3. cooperate with the Customer's reasonable requests in connection with efforts by the Customer to intervene and quash or modify the legal order, demand or request; and

      4. upon the Customer's request, provide the Customer with a copy of its response.

    2. If the Customer receives a subpoena, warrant, or other legal order, demand (including a request for information pursuant to the Texas Public Information Act), or other request seeking Customer Data maintained by Cardonex, the Customer will promptly provide a copy of the request to Cardonex. Cardonex will promptly supply the Customer with copies of records or information required for the Customer to respond, and will cooperate with the Customer's reasonable requests in connection with the Customer's response.

  10. Data Transfer Upon Termination or Expiration.

    1. Upon termination or expiration of the Agreement, Cardonex will ensure that all Customer Data are securely returned or destroyed as directed by the Customer. Transfer to the Customer or a third Party designated by the Customer shall occur within a reasonable period of time, and without significant interruption in service. Cardonex shall ensure that such transfer/migration uses facilities and methods that are compatible with the relevant systems of the Customer or its transferee, and to the extent technologically feasible, that the Customer will have reasonable access to Customer Data during the transition. In the event that the Customer requests destruction of any Customer Data, Cardonex agrees to Securely Destroy all data in its possession and in the possession of any subcontractors or agents to which Cardonex might have transferred Customer Data. Cardonex agrees to provide documentation of data destruction to the Customer.

    2. Cardonex will promptly notify the Customer of impending cessation of its business and any contingency plans. This includes immediate transfer of any previously escrowed assets and data and providing the Customer access to Cardonex's facilities as necessary to remove and destroy Customer-owned assets and data. Cardonex shall implement its exit plan and take all necessary actions to ensure a smooth transition of service with minimal disruption to the Customer. Cardonex will also provide a full inventory and configuration of servers, routers, other hardware, and software involved in service delivery along with supporting documentation, indicating which if any of these are owned by or dedicated to the Customer. Cardonex will work closely with its successor to ensure a successful transition to the new equipment, with minimal downtime and effect on the Customer, all such work to be coordinated and performed in advance of the formal, final transition date.

  11. Audits.

    1. The Customer reserves the right in its sole discretion to perform one audit per calendar year of Cardonex at the Customer's expense to ensure compliance with the terms of the Agreement. Cardonex shall reasonably cooperate in the performance of such audits. This provision applies to all agreements under which Cardonex must create, obtain, transmit, use, maintain, process, or dispose of Customer Data.

    2. If Cardonex must under the Agreement create, obtain, transmit, use, maintain, process, or dispose of the subset of Customer Data known as Personally Identifiable Information or financial or business data which has been identified to Cardonex as having the potential to affect the accuracy of the Customer's financial statements, Cardonex will at its expense conduct or have conducted at least annually a/an:

      1. American Institute of CPAs Service Organization Controls (SOC) Type II audit, or other security audit with audit objectives deemed sufficient by the Customer, which attests Cardonex's security policies, procedures and controls;

      2. vulnerability scan of Cardonex's electronic systems and facilities that are used in any way to deliver electronic services under the Agreement; and

      3. formal penetration test, performed by a process and qualified personnel of Cardonex's electronic systems and facilities that are used in any way to deliver electronic services under the Agreement.

    3. Additionally, Cardonex will provide the Customer upon request the results of the above audits, scans and tests, and will promptly modify its security measures as needed based on those results in order to meet its obligations under the Agreement. The Customer may require, at Customer expense, Cardonex to perform additional audits and tests, the results of which will be provided promptly to the Customer.

  12. Institutional Branding. Each Party shall have the right to use the other Party's Brand Features only as permitted under the Agreement or as approved in writing by the other Party, in advance of such use. Any use of a Party's Brand Features will inure to the benefit of the Party holding Intellectual Property Rights in and to those features.

  13. Compliance.

    1. Cardonex will comply with all applicable laws and industry standards in performing services under the Agreement. Any Cardonex personnel visiting the Customer's facilities will comply with all applicable Customer policies regarding access to, use of, and conduct within such facilities. The Customer will provide copies of such policies to Cardonex upon request.

    2. Cardonex warrants that any subcontractors used by Cardonex to fulfill its obligations under the Agreement will be subject to and will comply with each and every term of this Data Protection Addendum in the same manner that Cardonex itself is subject to the terms of this Data Protection Addendum.

    3. Cardonex warrants that the service it will provide to the Customer is fully compliant with and will enable the Customer to be compliant with relevant requirements of all laws, regulation, and guidance applicable to the Customer and/or Cardonex, including but not limited to: COPPA, FERPA, PPRA, IDEA, HIPAA and Health Information Technology for Economic and Clinical Health Act (HITECH), GLB, PCI-DSS, Americans with Disabilities Act (ADA), as amended, and Federal Export Administration Regulations.

  14. No User Agreements. The Agreement is the entire agreement between the Customer (including Customer employees and other Users) and Cardonex regarding Cardonex's access to, use of, and disclosure of Customer Data. In the event that Cardonex enters into terms of use agreements or other agreements or understandings, whether electronic, click-through, verbal or in writing, with Customer employees or other Users, such agreements shall be null, void and without effect, and the terms of the Agreement shall apply.

  15. Term and Termination.

    1. Term. This DPA will become effective when the Agreement becomes effective. It will continue in effect until all obligations of the Parties have been met, unless terminated as provided in this Section. In addition, certain provisions and requirements of this DPA will survive the termination of the Agreement in accordance with Section 16 of this DPA.

    2. Termination by the Customer. The Customer may immediately terminate the Agreement if the Customer makes the determination that Cardonex has breached a material term of this Data Protection Addendum.

    3. Automatic Termination. This DPA will automatically terminate without any further action of the Parties upon the termination or expiration of the Agreement between the Parties.

  16. Survival. Cardonex's obligations under Section 10 of this DPA shall survive termination of the Agreement until all Customer Data has been returned or Securely Destroyed.

  17. Advertisement. Any and all forms of advertisement in connection with the Agreement, whether directed towards children, parents, guardians or Customer employees, shall be strictly prohibited.

  18. Injunctive Relief. The Parties agree that Cardonex's disclosure or use (or threat to disclose or use) any Customer Data in breach of the Agreement will cause immediate and irreparable harm to the Customer and the Customer shall be entitled to immediate injunctive relief against any actual or threatened violation, in addition to any of its other rights and remedies. In the event of any suit or action arising under this Section 18 of this DPA, Cardonex consents to mandatory and exclusive jurisdiction of the courts in whatever jurisdiction as appropriately set forth in Section 9.13 of the Agreement.


  9. Response to Legal Sales Orders, Demands or Requests for Data.

    1. Except as otherwise expressly prohibited by law, Cardonex will:

      1. immediately notify the Customer of any subpoenas, warrants, or other legal orders, demands or requests received by Cardonex seeking Customer Data;

      2. reasonably consult with the Customer regarding Cardonex's response;

      3. cooperate with the Customer's reasonable requests in connection with efforts by the Customer to intervene and quash or modify the legal order, demand or request; and

      4. upon the Customer's request, provide the Customer with a copy of its response.

    2. If the Customer receives a subpoena, warrant, or other legal order, demand (including a request for information pursuant to the Texas Public Information Act), or other request seeking Customer Data maintained by Cardonex, the Customer will promptly provide a copy of the request to Cardonex. Cardonex will promptly supply the Customer with copies of records or information required for the Customer to respond, and will cooperate with the Customer's reasonable requests in connection with the Customer's response.

  10. Data Transfer Upon Termination or Expiration.

    1. Upon termination or expiration of the Agreement, Cardonex will ensure that all Customer Data are securely returned or destroyed as directed by the Customer. Transfer to the Customer or a third Party designated by the Customer shall occur within a reasonable period of time, and without significant interruption in service. Cardonex shall ensure that such transfer/migration uses facilities and methods that are compatible with the relevant systems of the Customer or its transferee, and to the extent technologically feasible, that the Customer will have reasonable access to Customer Data during the transition. In the event that the Customer requests destruction of any Customer Data, Cardonex agrees to Securely Destroy all data in its possession and in the possession of any subcontractors or agents to which Cardonex might have transferred Customer Data. Cardonex agrees to provide documentation of data destruction to the Customer.

    2. Cardonex will promptly notify the Customer of impending cessation of its business and any contingency plans. This includes immediate transfer of any previously escrowed assets and data and providing the Customer access to Cardonex's facilities as necessary to remove and destroy Customer-owned assets and data. Cardonex shall implement its exit plan and take all necessary actions to ensure a smooth transition of service with minimal disruption to the Customer. Cardonex will also provide a full inventory and configuration of servers, routers, other hardware, and software involved in service delivery along with supporting documentation, indicating which if any of these are owned by or dedicated to the Customer. Cardonex will work closely with its successor to ensure a successful transition to the new equipment, with minimal downtime and effect on the Customer, all such work to be coordinated and performed in advance of the formal, final transition date.

  11. Audits.

    1. The Customer reserves the right in its sole discretion to perform one audit per calendar year of Cardonex at the Customer's expense to ensure compliance with the terms of the Agreement. Cardonex shall reasonably cooperate in the performance of such audits. This provision applies to all agreements under which Cardonex must create, obtain, transmit, use, maintain, process, or dispose of Customer Data.

    2. If Cardonex must under the Agreement create, obtain, transmit, use, maintain, process, or dispose of the subset of Customer Data known as Personally Identifiable Information or financial or business data which has been identified to Cardonex as having the potential to affect the accuracy of the Customer's financial statements, Cardonex will at its expense conduct or have conducted at least annually a/an:

      1. American Institute of CPAs Service Organization Controls (SOC) Type II audit, or other security audit with audit objectives deemed sufficient by the Customer, which attests Cardonex's security policies, procedures and controls;

      2. vulnerability scan of Cardonex's electronic systems and facilities that are used in any way to deliver electronic services under the Agreement; and

      3. formal penetration test, performed by a process and qualified personnel, of Cardonex's electronic systems and facilities that are used in any way to deliver electronic services under the Agreement.

    3. Additionally, Cardonex will provide the Customer upon request the results of the above audits, scans and tests, and will promptly modify its security measures as needed based on those results in order to meet its obligations under the Agreement. The Customer may require, at Customer expense, Cardonex to perform additional audits and tests, the results of which will be provided promptly to the Customer.

  12. Institutional Branding. Each Party shall have the right to use the other Party's Brand Features only as permitted under the Agreement or as approved in writing by the other Party, in advance of such use. Any use of a Party's Brand Features will inure to the benefit of the Party holding Intellectual Property Rights in and to those features.

  13. Compliance.

    1. Cardonex will comply with all applicable laws and industry standards in performing services under the Agreement. Any Cardonex personnel visiting the Customer's facilities will comply with all applicable Customer policies regarding access to, use of, and conduct within such facilities. The Customer will provide copies of such policies to Cardonex upon request.

    2. Cardonex warrants that any subcontractors used by Cardonex to fulfill its obligations under the Agreement will be subject to and will comply with each and every term of this Data Protection Addendum in the same manner that Cardonex itself is subject to the terms of this Data Protection Addendum.

    3. Cardonex warrants that the service it will provide to the Customer is fully compliant with and will enable the Customer to be compliant with relevant requirements of all laws, regulations, and guidance applicable to the Customer and/or Cardonex, including but not limited to: COPPA, FERPA, PPRA, IDEA, HIPAA and Health Information Technology for Economic and Clinical Health Act (HITECH), GLB, PCI-DSS, Americans with Disabilities Act (ADA), as amended, and Federal Export Administration Regulations.

  14. No User Agreements. The Agreement is the entire agreement between the Customer (including Customer employees and other Users) and Cardonex regarding Cardonex's access to, use of, and disclosure of Customer Data. In the event that Cardonex enters into terms of use agreements or other agreements or understandings, whether electronic, click-through, verbal or in writing, with Customer employees or other Users, such agreements shall be null, void and without effect, and the terms of the Agreement shall apply.

  15. Term and Termination.

    1. Term. This DPA will become effective when the Agreement becomes effective. It will continue in effect until all obligations of the Parties have been met, unless terminated as provided in this Section. In addition, certain provisions and requirements of this DPA will survive the termination of the Agreement in accordance with Section 16 of this DPA.

    2. Termination by the Customer. The Customer may immediately terminate the Agreement if the Customer makes the determination that Cardonex has breached a material term of this Data Protection Addendum.

    3. Automatic Termination. This DPA will automatically terminate without any further action of the Parties upon the termination or expiration of the Agreement between the Parties.

  16. Survival. Cardonex's obligations under Section 10 of this DPA shall survive termination of the Agreement until all Customer Data has been returned or Securely Destroyed.

  17. Advertisement. Any and all forms of advertisement in connection with the Agreement, whether directed towards children, parents, guardians or Customer employees, shall be strictly prohibited.

  18. Injunctive Relief. The Parties agree that Cardonex's disclosure or use (or threat to disclose or use) of any Customer Data in breach of the Agreement will cause immediate and irreparable harm to the Customer and the Customer shall be entitled to immediate injunctive relief against any actual or threatened violation, in addition to any of its other rights and remedies. In the event of any suit or action arising under this Section 18 of this DPA, Cardonex consents to mandatory and exclusive jurisdiction of the courts in whatever jurisdiction as appropriately set forth in Section 9.13 of the Agreement.
