🤝 Vendor Data Privacy and Security Policy
Better Choices Education LLC
www.BetterChoicesEducation.com
1. Purpose
This policy defines the requirements and responsibilities for all vendors, subcontractors, and third-party service providers (“Vendors”) who may process or access data on behalf of Better Choices Education LLC (“Company”). It ensures compliance with Connecticut General Statutes §§ 10-234aa to 10-234dd, FERPA, and applicable federal privacy standards.
2. Scope
This policy applies to all third-party entities engaged by the Company for:
- Hosting, cloud storage, or backup services
- Learning management, analytics, or technical integrations
- Support, development, or administrative services involving access to student or administrative data
3. Vendor Requirements
All Vendors must:
- Sign a written agreement affirming compliance with this policy
- Use data only for purposes explicitly outlined in the service contract
- Refrain from using data for marketing, profiling, resale, or unrelated business purposes
- Maintain confidentiality and implement equivalent or stronger data protection safeguards
4. Data Security Obligations
Vendors must demonstrate the following security controls:
- Encryption of data in transit and at rest (e.g., TLS 1.2+, AES-256)
- Role-based access control with audit logging
- Timely patching and vulnerability management
- Secure authentication processes (e.g., MFA, strong passwords)
5. Subprocessors
Vendors must:
- Obtain written authorization from the Company before engaging any subprocessors
- Ensure subprocessors meet the same privacy and security obligations
- Maintain an updated list of subprocessors and notify the Company of any changes
6. Data Breach Notification
Vendors must immediately notify the Company of any suspected or confirmed security incident involving Company-managed data. The Vendor shall cooperate fully with the Company’s incident response and reporting process.
7. Right to Audit
The Company reserves the right to:
- Review Vendor security policies and certifications
- Request documentation of safeguards and incident history
- Terminate contracts with Vendors found to be non-compliant
8. Contract Termination and Data Disposition
Upon termination of the contract or project:
- Vendors must return or securely delete all Company-managed data
- Written confirmation of data destruction must be provided
9. Policy Review
This policy will be reviewed annually or upon changes in legal or contractual requirements. Vendors will be notified of material updates.
10. Contact
For questions regarding vendor data privacy obligations, contact:
Better Choices Education LLC – Vendor Compliance Team
📧 Email: legal@betterchoiceseducation.com
🌐 Website: www.BetterChoicesEducation.com