Addendum to the Microsoft Standard Contract Terms & Conditions Updated April 2024 This Addendum shall take precedence over any other terms agreed between the parties. 1. SERVICE LEVEL AGREEMENT 1.1 2. OTHER TERMS 2.1 Any reference to “Health Insurance Portability and Accountability Act (HIPAA);” and “Payment Card Industry Data Security Standards (PCI-DSS);” shall be struck as not applicable. As such “protected health information” and “credit card information” shall not be stored in the Service. 2.2 The Publisher shall be designated as a “School Official” as it is defined in the Family Educational Rights and Privacy Act (“FERPA”). 2.3 Any references to “applicable security patches” shall be defined as those rated Critical. 2.4 The limits of Liability for unauthorized access, use, or disclosure of Customer Data due to a breach of Publisher’s obligations shall be limited to $500,000 (five hundred thousand dollars). 2.5 Any requirements for Awareness and Training on customer specific requirements shall be limited to the Information Security Team. 2.6 Any requirements relating to Physical Security shall be requested by the Publisher to the cloud service provider. 2.7 The Shared Responsibility Model is incorporated into this agreement. 2.8 Any reference to Data Transmission requirements relating to VPN technology shall not apply as the service is provided over TLS/SSL. 2.9 Any assignment of the Agreement will require prior consent from the other party, whose consent shall not be unreasonably withheld or delayed. The parties note that there may be operational changes required to be made by the Publisher that may result in a Fee adjustment. 2.10 Any refund rights under the Agreement are limited to a pro rata refund of fees paid in advance of the Termination date where the Publisher is in breach that is not rectified within 30 days. 2.11 Any Client requirements for an Audit shall be limited to an annual entitlement, be subject to at least 30 days prior notice and be subject to a fee of $3,000 per day where such requests cumulatively exceed one working day. An audit is defined any formal or informal examination or verification of Client specific records, accounts, finances, processes, policies or security incident information. This includes any attestation of compliance or other requirements to submit to the Client’s third-party risk management processes. 2.12 The Client shall defend, indemnify, and hold harmless the Publisher, its officers, directors, employees, agents, licensors and suppliers from and against all actions, proceedings, losses, damages, expenses, and costs (including without limitation court costs and reasonable legal fees) against the Publisher, arising out of any third-Party claim that the Client Data infringes a third-parties Intellectual Property Rights or contains Prohibited Content.