California AB-1584 Compliance Statement

This Statement describes the policies and procedures employed by Lightspeed Systems to
ensure compliance with the requirements set forth in Section 49073.1 of the California
Education Code (the “Code”). For the purposes of this Statement, “System” shall mean the
bundle of services provided by Lightspeed Systems via its websites and/or mobile
applications, and “Authorized User” shall mean any employee of a School District that is
authorized to access and utilize the System regarding such employment.

Ownership of Pupil Records

All Pupil Records provided to Lightspeed Systems, or to which Lightspeed Systems has been
granted access, are and shall remain the sole property of the School District or educational
agency (collectively, “School District”) that provided or granted access to such records.

Pupil-Generated Content

The Lightspeed Systems system does not collect or store any Pupil-Generated content. In
the event the System is updated to incorporate such a feature, Lightspeed Systems shall
amend this Statement to describe how pupils may retain possession and control of pupil-generated content.

Third Party Access and Use

Lightspeed Systems prohibits all third parties from accessing or utilizing any Pupil Record
for any purpose other than those required by or permitted by the contract for Lightspeed
Systems’ services.

Parent and Pupil Review Procedures

The System enables any Authorized User to permit parents, legal guardians, and eligible
pupils to review personally identifiable information contained in Pupil Records, and to
correct erroneous information, in accordance with procedures established by the School

Security and Confidentiality of Pupil Records

Lightspeed Systems is committed to maintaining the security and confidentiality of Pupil
Records. It has designated a Data Protection Officer (DPO), who is responsible for: (a) ensuring that Lightspeed Systems servers are protected against unauthorized access to the greatest degree possible; (b) limiting employee access to Pupil Records to whatever extent is required for them to perform their job functions; and (c) training employees in data security procedures to further ensure compliance with company data security policies.

Unauthroized Disclosure

In the event any Pupil Records are inadvertently disclosed via outside data breach or for
any other reason, the DPO shall notify the School District that owns such records
immediately upon the discovery of such inadvertent disclosure. The School District may in
turn utilize the System to notify affected parents, legal guardians, eligible pupils via posts
within the System, emails, or in such other manner as the School District deems

Post-Contract Data Deletion

Lightspeed Systems hereby certifies that, upon the termination of a service contract with a
School District, it shall isolate and permanently delete all Pupil Records belonging to such
School District that may remain on the System, unless the School District or applicable
regulations require the retention of such data, in which case the records shall be deleted
upon the expiration of the retention period. Prior to deleting any Data Records, Lightspeed
Systems shall first ensure that the School District has downloaded backups of the same.

FERPA Compliance

Lightspeed Systems offers School Districts utilizing the System the means to comply with their
obligations under the Federal Educational Rights and Privacy Act (20 USC §1232(g)), by
enabling Authorized Users to inspect and review Pupil Records and to correct any
inaccuracies therein as described in Section 4 of this Statement.

Prohibition Against Targeted Advertising

Lightspeed Systems strictly prohibits the use of any personally identifiable information
included in a Pupil Record to direct targeted advertising for any product or service. In
furtherance of this prohibition, Lightspeed Systems does not sell, trade, or rent any element
of personally identifiable information to any third party.

Additional privacy information is included in the Lightspeed Systems online Privacy Policy.