Created
June 23, 2025 13:03
-
-
Save jonbrouse/7a869a03f762dc7d899d5fae8274d1c9 to your computer and use it in GitHub Desktop.
AWS-MOU.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # MEMORANDUM OF UNDERSTANDING | |
| ## AWS Cloud Platform Services for Educational Institution | |
| **Between:** [School District Name] (“School” or “Educational Institution”) | |
| **And:** Amazon Web Services, Inc. (“AWS” or “Service Provider”) | |
| **Effective Date:** [Date] | |
| **Review Date:** [Annual Review Date] | |
| ----- | |
| ## 1. PURPOSE AND SCOPE | |
| This Memorandum of Understanding establishes the terms and conditions for the School’s use of Amazon Web Services cloud platform for educational purposes, including but not limited to student information systems, learning management platforms, data storage, and administrative applications. | |
| ## 2. DATA CLASSIFICATION AND HANDLING | |
| ### 2.1 Student Educational Records | |
| - **Protected Data:** All student educational records as defined by the Family Educational Rights and Privacy Act (FERPA) 20 U.S.C. § 1232g | |
| - **Personally Identifiable Information (PII):** Student names, addresses, social security numbers, student ID numbers, grades, disciplinary records, and other directly identifiable information | |
| - **Directory Information:** Information that may be disclosed without consent as defined in the School’s annual FERPA notice | |
| ### 2.2 Data Categories | |
| - **Highly Sensitive:** Student academic records, disciplinary records, special education records, health information | |
| - **Moderately Sensitive:** Directory information, aggregated academic data, non-identifying educational content | |
| - **Public:** General school information, published educational materials, public announcements | |
| ## 3. COMPLIANCE AND REGULATORY REQUIREMENTS | |
| ### 3.1 Federal Compliance | |
| - **FERPA Compliance:** AWS will act as a school official with legitimate educational interest as defined under 20 U.S.C. § 1232g(b)(1)(A) | |
| - **COPPA Compliance:** Children’s Online Privacy Protection Act compliance for students under 13 years of age | |
| - **Section 504/ADA:** Accessibility requirements for students with disabilities | |
| ### 3.2 State and Local Requirements | |
| - Compliance with applicable state student privacy laws | |
| - Adherence to local school board policies regarding data management | |
| - Compliance with state data breach notification requirements | |
| ## 4. DATA SECURITY AND PROTECTION | |
| ### 4.1 Technical Safeguards | |
| - **Encryption:** All data must be encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption | |
| - **Access Controls:** Multi-factor authentication required for all administrative access | |
| - **Network Security:** Virtual Private Cloud (VPC) configuration with appropriate security groups and network ACLs | |
| - **Monitoring:** AWS CloudTrail logging enabled for all API calls and administrative actions | |
| ### 4.2 Administrative Safeguards | |
| - **User Access Management:** Role-based access control with principle of least privilege | |
| - **Regular Security Assessments:** Annual security reviews and vulnerability assessments | |
| - **Incident Response:** 24-hour notification requirement for any suspected security incidents | |
| - **Staff Training:** Annual security awareness training for all personnel with data access | |
| ### 4.3 Physical Safeguards | |
| - AWS data centers must maintain SOC 2 Type II certification | |
| - Physical access controls and environmental protections as per AWS standard practices | |
| - Geographic data residency requirements (US-based data centers only) | |
| ## 5. DATA RETENTION AND DISPOSAL | |
| ### 5.1 Retention Periods | |
| - **Student Academic Records:** Retain for minimum state-required period (typically 5-7 years post-graduation) | |
| - **Disciplinary Records:** Retain per local policy (typically 3-5 years) | |
| - **System Logs:** Retain for minimum 12 months for security monitoring | |
| - **Backup Data:** Automated deletion after retention period expires | |
| ### 5.2 Data Disposal | |
| - **Secure Deletion:** NIST 800-88 compliant data sanitization methods | |
| - **Certificate of Destruction:** Written confirmation of data destruction upon contract termination | |
| - **Timeline:** Data destruction within 30 days of retention period expiration or contract termination | |
| ## 6. ACCESS AND DISCLOSURE | |
| ### 6.1 Authorized Users | |
| - School-designated administrators and IT personnel | |
| - Teachers and staff with legitimate educational interest | |
| - Students accessing their own educational records (age-appropriate) | |
| ### 6.2 Prohibited Disclosures | |
| - No disclosure of student data for commercial purposes | |
| - No data mining for non-educational purposes | |
| - No third-party access without explicit school authorization and proper legal basis | |
| ### 6.3 Legal Disclosures | |
| - Compliance with valid subpoenas, court orders, and lawfully issued administrative requests | |
| - 48-hour advance notice to school when legally permissible | |
| ## 7. SERVICE LEVEL AGREEMENTS | |
| ### 7.1 Availability | |
| - **Uptime Guarantee:** 99.9% monthly uptime for critical educational services | |
| - **Planned Maintenance:** Minimum 72-hour advance notice for scheduled maintenance | |
| - **Emergency Maintenance:** Immediate notification with regular status updates | |
| ### 7.2 Performance Standards | |
| - **Response Time:** Maximum 2-second response time for standard user interactions | |
| - **Data Backup:** Daily automated backups with 99.9% backup success rate | |
| - **Recovery Time:** Maximum 4-hour recovery time objective for critical systems | |
| ## 8. FINANCIAL TERMS | |
| ### 8.1 Cost Structure | |
| - Educational pricing tiers as applicable | |
| - No charges for data egress related to compliance requirements | |
| - Transparent billing with detailed usage reports | |
| ### 8.2 Budget Controls | |
| - Spending alerts and automatic scaling limits | |
| - Monthly cost reporting and budget reconciliation | |
| - Annual cost review and optimization consultation | |
| ## 9. AUDIT AND MONITORING | |
| ### 9.1 School Rights | |
| - Annual right to audit AWS security and privacy practices | |
| - Access to relevant compliance certifications and audit reports | |
| - Regular security posture assessments | |
| ### 9.2 Reporting Requirements | |
| - Monthly security incident reports | |
| - Quarterly access logs and user activity reports | |
| - Annual compliance certification | |
| ## 10. INCIDENT RESPONSE AND BREACH NOTIFICATION | |
| ### 10.1 Incident Classification | |
| - **Low:** Minor service disruptions, non-sensitive data access | |
| - **Medium:** Moderate service impact, potential data exposure | |
| - **High:** Major service outage, confirmed data breach | |
| ### 10.2 Notification Timeline | |
| - **Immediate:** Phone notification within 2 hours for high-severity incidents | |
| - **24 Hours:** Written incident report for medium and high-severity incidents | |
| - **72 Hours:** Detailed forensic analysis and remediation plan | |
| ## 11. CONTRACT TERMINATION AND DATA PORTABILITY | |
| ### 11.1 Termination Rights | |
| - 30-day written notice for convenience termination | |
| - Immediate termination for material breach after 10-day cure period | |
| - Survival of data protection obligations post-termination | |
| ### 11.2 Data Return | |
| - Standard format data export within 15 days of termination notice | |
| - Secure data destruction certification within 30 days | |
| - No additional charges for data return or destruction | |
| ## 12. LIABILITY AND INDEMNIFICATION | |
| ### 12.1 AWS Responsibilities | |
| - Indemnification for security breaches caused by AWS negligence | |
| - Liability for direct damages up to annual contract value | |
| - Cyber liability insurance coverage minimum $10 million | |
| ### 12.2 School Responsibilities | |
| - Proper user training and access management | |
| - Timely reporting of suspected security incidents | |
| - Compliance with acceptable use policies | |
| ## 13. DISPUTE RESOLUTION | |
| ### 13.1 Escalation Process | |
| - Technical issues: AWS Education Support → Account Manager → Technical Account Manager | |
| - Contractual disputes: Legal counsel involvement → Mediation → Binding arbitration | |
| ### 13.2 Governing Law | |
| - Agreement governed by laws of [State] | |
| - Federal court jurisdiction for FERPA-related disputes | |
| ## 14. MISCELLANEOUS PROVISIONS | |
| ### 14.1 Amendment Process | |
| - Written amendments only, signed by authorized representatives | |
| - Annual review and update cycle | |
| - 30-day notice for material changes to terms | |
| ### 14.2 Severability | |
| - Invalid provisions do not affect remainder of agreement | |
| - Replacement of invalid provisions with enforceable equivalent | |
| ----- | |
| ## SIGNATURES | |
| **[School District Name]** | |
| Signature: _________________________ | |
| Name: [Superintendent Name] | |
| Title: Superintendent | |
| Date: _____________ | |
| **Amazon Web Services, Inc.** | |
| Signature: _________________________ | |
| Name: [AWS Representative Name] | |
| Title: [Title] | |
| Date: _____________ | |
| ----- | |
| **Attachments:** | |
| - Exhibit A: Technical Specifications and Architecture | |
| - Exhibit B: Data Processing Addendum | |
| - Exhibit C: Acceptable Use Policy | |
| - Exhibit D: Incident Response Procedures | |
| - Exhibit E: Student Data Privacy Certification |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment