DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) is supplementary to, and forms part of, the underlying Master Services Agreement or other agreement for services (the “Agreement”) between BusPatrol America, LLC (“BusPatrol” or “Contractor”) and the entity identified as Customer in the relevant Agreement (“Customer”), collectively, (the “Parties”).
I. DEFINITIONS
Capitalized terms used but not defined herein shall have the meanings given to them under the Agreement. As defined and used in this DPA, the following terms shall mean:
- Beyond Enforcement Data. The data generated from cameras and other related equipment, including audio recording equipment, installed by BusPatrol on Customer’s fleet of school buses to allow for authorized personnel of Customer to monitor student safety.
- Beyond Enforcement Equipment. The cameras and other related equipment, including audio recording equipment, installed by BusPatrol on Customer’s fleet of school buses that are currently used by Customer to allow for authorized personnel of Customer to monitor student safety.
- Breach. A breach in Contractor’s security controls which leads to the unauthorized access, use, or transfer of Personal Data in Contractor’s possession, custody, or control.
- Business Purposes. Contractor’s routine, operational uses which are incidental to the provision of Services including fraud prevention, information security, quality assurance, internal product improvement, education and training, defense against legal claims, or other uses pursuant to a court order, provided that any such uses are consistent with applicable law.
- De-identified Data. Personal Data that have been transformed via the removal or pseudonymization of direct and indirect identifiers in a manner that prevents the reasonable likelihood of re-identification, taking account of the availability of other information that could be used, in combination with the transformed data, to re-identify the individuals to whom the transformed data relate.
- Personal Data. Data relating to an identified or reasonably identifiable (via combination with other data) person processed by Contractor in the provision of Services.
- Processor or Service Provider. The entity acting on behalf of and under the authority of Customer in processing Personal Data received from or acquired on behalf of Customer pursuant to the provision of Services under the Agreement.
- Process(ing). Any operation, whether manual or automated, that is performed on the Personal Data by or on behalf of Contractor in the provision of Services hereunder.
- Required Disclosure. A disclosure of Personal Data by Contractor to a third party which is required by statute, court order, legally-issued subpoena, or other legally compelled disclosure to which Contractor is subject.
- Services. The installation, operation, support, and maintenance by BusPatrol of one or both of the following on Customer’s fleet of school buses: 1) ‘Beyond Enforcement’ internal safety equipment; and 2) ‘Stop Arm Violation’ external safety and enforcement equipment which includes back-office services to ministerially support Customer’s school bus stop arm violation program in accordance with state and/or local stop arm law pursuant to the Agreement.
- Stop Arm Violation Data. The Data generated by and/or relating to cameras and other related equipment installed by BusPatrol on Customer’s fleet of school buses to identify motor vehicles operating in violation of state and/or local stop arm law.
- Stop Arm Violation Equipment. The cameras and other related equipment installed by BusPatrol on Customer’s fleet of school buses and used to identify motor vehicles operating in violation of state and/or local stop arm law. For clarity, this defined term shall include other cognate terms as may be used in the underlying Agreement, such as “enforcement cameras.”
- Subcontractor. A third party engaged by Contractor to perform all or portions of the Services and that which is contractually bound by a written agreement that includes privacy and data security obligations materially similar to those found herein.
II. RELATIONSHIP OF THE PARTIES
- This DPA applies where and to the extent that BusPatrol is acting as a Processor or Service Provider of Personal Data received from or acquired on behalf of Customer pursuant to the provision of Services under the Agreement.
III. COMPLIANCE WITH APPLICABLE LAW
- BusPatrol agrees to comply with all applicable local, state, and federal laws in the provision of Services to Customer. Such applicable law may include but is not limited to: the Family Educational Rights and Privacy Act (“FERPA”); the Driver’s Privacy Protection Act (“DPPA”); New York State Education Law §2-d; and others. The Parties enter into this DPA to address the requirements of such applicable law.
- To the extent Contractor processes Personal Data that is subject to the Family Educational Rights and Privacy Act (“FERPA”), the Contractor acknowledges Customer’s determination that for purposes of this DPA, Contractor shall be designated as a “school official” with a “legitimate educational interest” pursuant to FERPA and its implementing regulations, and the Contractor agrees to abide by the limitations and requirements with respect to Personal Data under such exception. Where applicable, Customer further represents that Contractor meets the criteria for a school official as set forth in its annual notification.
IV. OWNERSHIP AND PERMITTED USE
- Contractor receives no right, title, or interest in any Personal Data processed for Customer hereunder other than a limited, non-exclusive, sublicensable and revocable license (upon termination or expiration of the Agreement) to process the Personal Data in its performance of the Services and for limited, routine Business Purposes (the “Permitted Use”).
- Contractor is expressly prohibited from using Personal Data for any other purpose outside of the Permitted Use. For the avoidance of doubt, Contractor is prohibited from using, disclosing, sublicensing or selling Personal Data for marketing purposes or any other commercial purposes.
- Contractor agrees that it shall only collect the minimum necessary amount of Personal Data from or on behalf of Customer that is required to fulfill Contractor’s duties in the performance of the Services pursuant to the Agreement.
- For clarity, this Clause IV shall not apply to any De-identified Data derived from Personal Data. Contractor shall own all right, title, and interest in De-identified Data and further agrees to not re-identify or attempt to re-identify De-identified Data by itself or via a third party.
V. ACCESS AND DISCLOSURE
- Contractor agrees that it shall limit access to and only disclose Personal Data to the Contractor’s officers, employees and Subcontractor(s) who require access in order to provide the Services and that the disclosure will be limited to the extent necessary to provide the Services. Contractor shall take commercially reasonable steps to ensure that its officers, employees and Subcontractor(s) comply with the terms of this DPA.
- Contractor shall take commercially reasonable steps to review the data security and privacy measures of its Subcontractors prior to utilizing the Subcontractor to ensure material compliance with this DPA. Should Contractor become aware during the provision of Services that a Subcontractor has failed to materially comply with the requirements of this DPA, the Contractor shall: 1) prevent the Subcontractor’s continued access to Personal Data; and 2) where applicable, retrieve all Personal Data stored by Subcontractor and ensure that Personal Data has been permanently deleted and destroyed in accordance with this DPA. In the event there is a Security Incident involving the Subcontractor, the Contractor must follow the Security Incident reporting requirements set forth herein.
- Contractor shall be responsible for the acts and omissions of its officers, employees and Subcontractors undertaken within the scope of their employment or authorization, as applicable.
- Upon Customer’s written and verified request, Contractor agrees to make any Personal Data retained by the Contractor relating to Beyond Enforcement Equipment available to Customer without undue delay and in a reasonable form and manner. Customer agrees and understands that Personal Data from Beyond Enforcement Equipment (including but not limited to interior bus footage) is permanently deleted on a regular cadence and may not be available unless queried within the applicable Storage Period.
- Contractor shall not knowingly disclose to Customer, nor shall Customer request or otherwise access Personal Data relating to Stop Arm Violation Equipment. Customer represents and warrants that it shall not request Personal Data from Contractor in a manner or for purposes that could cause Contractor to violate applicable law. Customer understands and agrees that onward disclosures of Personal Data by Customer relating to Beyond Enforcement Equipment are at the sole discretion and risk of Customer.
- Contractor agrees and understands that applicable law may provide parents and students the right to access, review, correct or delete their child’s (or the student’s) Personal Data stored or maintained by Contractor for Customer. To the extent Personal Data is held by the Contractor pursuant to the Agreement, the Contractor shall respond within thirty (30) calendar days to Customer’s request(s) for access to such Personal Data so that Customer may facilitate such access, review, correction or deletion, as applicable. If a parent or student directly contacts Contractor to review any Personal Data held by the Contractor, the Contractor shall promptly inform Customer and refer the parent or student to the Customer.
- Contractor shall not disclose Personal Data to any other party (a party other than the Contractor’s officers or employees or Subcontractors) without the prior written consent of Customer, unless such disclosure constitutes a Required Disclosure.
- Except as prohibited by applicable law, Contractor shall: 1) notify Customer of the receipt of any requests for Required Disclosures; 2) consult with Customer regarding the Contractor’s response; 3) provide reasonable cooperation to Customer in response to Customer’s reasonable requests to intervene and quash or modify the Required Disclosure; and 4) without delay after Customer’s written request, provide Customer with a copy of Contractor’s response to any Required Disclosure.
VI. INFORMATION SECURITY
- Contractor has adopted and will maintain for the duration of the Services appropriate administrative, technical and physical measures to protect Personal Data in a manner that complies with applicable law, protects the integrity, availability and confidentiality of Personal Data, and protects the Personal Data from a Breach. Such measures include industry standard encryption protocols to protect Personal Data at rest and in transit.
VII. AUDIT
- Upon advance written request not more than once per calendar year, and subject to the confidentiality provisions of the Agreement, Contractor shall supply a summary copy of any existing information security audit report(s) to Customer to evidence compliance with applicable law and this DPA.
- Contractor shall also respond to any written questions submitted to it by Customer, and Customer shall further have the right to review all relevant policies and procedures relating to Contractor’s compliance with this DPA provided that Customer shall not exercise this right more than once per calendar year and such responses, policies, and procedures shall be subject to the confidentiality provisions of the Agreement.
VIII. TRAINING
- Contractor shall require that its relevant officers, employees and Subcontractors who have access to Personal Data participate in training on applicable information security and privacy obligations with respect to Personal Data.
IX. DESTRUCTION OF PERSONAL DATA
- Upon termination or expiration of the Agreement, Contractor shall permanently destroy all Personal Data in its possession or control that has not already been deleted as part of Contractor’s standard Data Retention Period (as defined in the Agreement) or other internal data deletion processes required by applicable law. Such Personal Data will be deleted in a manner such that it is non-recoverable. This requirement shall not apply to the extent that Contractor is required by applicable law to retain some or all Personal Data, in which event Contractor shall take commercially reasonable measures to isolate and protect the retained Personal Data from any further processing except to the extent required by such applicable law. Such retained Personal Data shall continue to be protected in accordance with this DPA until permanently destroyed by Contractor.
- To the extent that Contractor continues to be in possession of any De-identified Data, Contractor agrees not to re-identify or attempt to re-identify such data.
X. PERSONAL DATA BREACH
- Contractor shall promptly notify Customer of any Breach without unreasonable delay after discovery. Notifications required pursuant to this clause must be in writing and to the extent available, include: 1) a description of the Breach which includes the date of the incident that caused the Breach and the date of discovery; 2) the types of Personal Data affected including the number of individuals; and 3) contact information for representatives who can assist Customer in responding to the Breach. Contractor shall have a continuing obligation to supplement and/or update any initial notification made to Customer without delay as additional information becomes available.
- Notifications required pursuant to this clause shall be sent to the Customer’s point of contact specified in the underlying Agreement.
- Contractor agrees to cooperate with Customer, and where applicable, law enforcement, in any investigation, response, and/or remediation of a Breach so that Customer may fulfil its reporting obligations in accordance with applicable law. Any costs incidental to the cooperation of Contractor, as related to such investigation, response, or remediation, will be the responsibility of the Contractor if the Breach is attributable to Contractor or its Subcontractor(s).
- Customer will not communicate or publish any notice, report, admission of liability, or other disclosure concerning any Breach which directly or indirectly identifies Contractor without Contractor’s prior approval, unless Customer is compelled to do so under applicable law. In any event, Customer shall provide Contractor with prior written notice of any such communication or publication.
XI. MISCELLANEOUS
- In the event of a conflict between this DPA (including all Exhibits attached hereto) and the Agreement, the terms and conditions of this DPA shall govern and prevail, as well as supersede all prior communications, representations, or agreements, whether oral or written, by the Parties relating thereto.
- Any provision of this DPA that is deemed prohibited or unenforceable in any jurisdiction shall, as to that jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions of this DPA.
- Either Party’s liability arising out of or relating to this DPA shall be limited and/or subject to any limitations on liability and/or exclusions as set forth in the underlying Agreement. No provision of this DPA shall be deemed to waive or otherwise limit the rights of an individual to whom the Personal Data relate under applicable law.
- Contractor may modify this DPA at any time. Contractor shall provide Customer with reasonable advance notice of any change to this DPA that, in Contractor’s sole determination, materially and adversely affects Customer’s rights hereunder. Contractor may provide this notice via email to the email address associated with Customer’s account. By continuing to use the Services after any revised terms in the DPA become effective, Customer agrees to be bound by the updated DPA.
- This DPA shall be effective as of the date of execution of the Agreement and shall similarly terminate upon the expiration or termination of the Agreement. However, the applicable obligations of the Parties pursuant to this DPA shall survive the expiration or termination of the Agreement as set forth in section “IX. Destruction of Personal Data.”
EXHIBIT A
PARENTS’ BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY
EXHIBIT B
SUPPLEMENTAL INFORMATION & SCHEDULE OF PROCESSING
| Item | Details |
| --- | --- |
| Term of DPA | Start Date: See Agreement Start Date. End Date: DPA will remain in full force and effect until expiration or termination of the Agreement, subject to clause XI (iv) (survival). |
| Description of Processing | Contractor’s use of Personal Data shall be strictly limited to that Processing which is necessary for the Permitted Use. The Services provided hereunder consist of the installation, operation, support, and maintenance by Contractor of one or both of the following on Customer’s fleet of school buses: 1) ‘Beyond Enforcement’ internal safety equipment; and 2) ‘Stop Arm Violation’ external safety and enforcement equipment which includes back-office services to ministerially support Customer’s school bus stop arm violation program in accordance with state and/or local stop arm law. |
| Categories of Individuals and Types of Personal Data Processed | |
| Subcontractor Requirement | The Contractor will not utilize Subcontractors without written agreements that require the Subcontractors to adhere to, at a minimum, materially similar data protection obligations imposed on the Subcontractor as those found herein. |
| Personal Data Destruction | Upon termination or expiration of the Agreement, Contractor shall permanently and securely destroy all Personal Data still in its possession or control that has not already been deleted as part of internal data deletion processes. Such Personal Data will be deleted in a manner such that it is non-recoverable. |
| Requests to access, review, correct or delete (student) Personal Data | To the extent Personal Data is held by the Contractor pursuant to the Agreement, the Contractor shall respond within thirty (30) calendar days to Customer’s request(s) for access to such Personal Data so that Customer may facilitate such access, review, correction or deletion, as applicable. If a parent or student directly contacts Contractor to review any Personal Data held by the Contractor, the Contractor shall promptly inform Customer and refer the parent or student to the Customer. |
| Personal Data Storage and Security | Contractor has adopted and will maintain for the duration of the Services appropriate administrative, technical and physical measures to protect Personal Data in a manner that complies with applicable law, protects the integrity, availability and confidentiality of Personal Data, and protects the Personal Data from a Breach. Personal Data will be encrypted using industry standard protocols while in transit and at rest and securely stored using a cloud or infrastructure owned and hosted by a Subcontractor. |
EXHIBIT C
DATA PRIVACY AND SECURITY PLAN
| Requirement | Contractor’s Response |
| --- | --- |
| 1. Outline how you will implement applicable data security and privacy requirements over the life of the Agreement. | Contractor maintains a comprehensive data security and privacy program, with applicable policies and procedures in place to protect the confidentiality, integrity, and availability of Personal Data. Contractor’s program is validated through an independent, third-party SOC 2 Type 2 Audit. |
| 2. Specify the administrative, operational and technical safeguards and practices that you have in place to protect Personal Data. | |
| 3. Specify how your officers, employees and Subcontractors who have access to Personal Data pursuant to the Agreement will receive training on applicable laws that govern the confidentiality of Personal Data. | Contractor’s officers, employees and Subcontractors receive annual cyber security and data privacy trainings. Upon onboarding, these individuals are also required to read and agree to the following internal policies: Security Policy, Privacy Policy, Acceptable Use Policy for IT Resources. |
| 4. Outline the process(es) that ensure(s) that your officers, employees and Subcontractors are bound by written confidentiality obligations. | Contractor requires its officers, employees and Subcontractors to agree to robust non-disclosure agreements before commencing work. |
| 5. Specify how you will manage and identify Breaches and meet your obligations to report such incidents to the Customer. | Contractor has a Security Incident Response Plan in place which is validated through an independent, third-party SOC 2 Type 2 Audit. This Plan is tested throughout the year. |
| 6. Describe how Personal Data will be transitioned to the Customer when no longer needed by you to meet your contractual obligations, if applicable. | N/A |
| 7. Describe your secure, Personal Data destruction practices. | Upon termination or expiration of the Agreement, Contractor shall permanently destroy all Personal Data in its possession or control that has not already been deleted as part of Contractor’s standard Data Retention Period (as defined in the Agreement, pursuant to which Beyond Enforcement Data is overwritten on DVR hardware found on buses) or other internal data deletion processes required by applicable law. Such Personal Data will be deleted in a manner such that it is non-recoverable. |
| 8. Outline how your data security and privacy program aligns with the Customer’s applicable policies. | Contractor’s data privacy and security program, including all applicable policies and procedures |
| 9. Outline how your data security and privacy program/practices materially align with the NIST CSF v1.1. | Contractor’s data privacy and security plan maps to NIST CSF v1.1. |