Terms of Service — AI Innovation Index
Effective Date: September 16, 2025 Governing Law/Venue: Commonwealth of Virginia, USA
Parties. These Terms of Service ("Terms") are between AI for Equity ("Provider," "we," "us," "our") and the subscribing School System ("Customer"). By enabling participation, Customer accepts these Terms.
A. Scope & Services
Provider operates the AI Innovation Index participant portal (the "Service"), through which participating School Systems, twice per year: (i) complete one C‑suite self‑assessment; (ii) have staff complete a four‑question, closed‑ended pulse survey; and (iii) have students complete a four‑question, closed‑ended, anonymous pulse survey in Grades 5–12. In return, participating School Systems receive the ability to (a) triangulate data across students, staff, and leadership; (b) contextualize performance and progress versus national norms; (c) identify top‑performing systems across all AI Innovation Index metrics; and (d) access resources, artifacts, and program supports aligned to the AI Innovation Index. The Service is accessible only to participating School Systems and their authorized staff; it is not a public website. Access to the participant portal requires a managed staff/admin account provisioned by the Customer. Students do not have accounts and access Student Endpoints without login. The Service includes no social networking, public posting, or user‑to‑user interaction features.
B. Student Endpoints (Design Constraints)
Student survey pages (the "Student Endpoints") are engineered so that Provider (i) collects only answer choices, (ii) sets a first‑party, strictly‑necessary session/security cookie for integrity and abuse prevention, and (iii) does not use third‑party tags or analytics on Student Endpoints. No names, emails, student IDs, demographics, free‑text fields, device IDs, advertising identifiers, or third‑party cookies are used on Student Endpoints. The Student Survey Privacy Notice is prominently linked to at the top of each Student Endpoint.
C. Customer Responsibilities
Customer will (i) authorize participation solely for bona fide educational purposes and (ii) not attempt to re‑identify individuals from aggregates. Customer will not (a) introduce third‑party tags/trackers on Student Endpoints; (b) attempt to circumvent suppression thresholds or link any telemetry to response records; or (c) use the Service for advertising, profiling, or unrelated purposes. Provider does not share personal information with third parties for their advertising or marketing purposes. We do not display advertisements—contextual, targeted, or otherwise—anywhere in the Service, including Student Endpoints and the staff/admin participant portal. Customer is responsible for any legally required notices, consents, or opt‑outs (e.g., under FERPA/PPRA/state parental‑rights laws). Provider will implement reasonable technical controls to honor Customer‑supplied suppression/opt‑out lists.
D. Data Processing & Privacy
For staff/admin personal information, Provider acts as Customer's service provider/contractor under applicable state laws; we do not sell or share such personal information and process it only to deliver the Service. We will assist Customer with legally required staff/admin privacy requests. Student Endpoints collect only answer choices plus a first‑party session/security cookie used solely for support for internal operations (security, session integrity, reliability). Provider does not use student data for advertising or unrelated profiling and maintains the Student Survey Privacy Notice describing the cookie and retention. If future features would add additional persistent identifiers, Provider will implement required notices/controls before enabling them. The Privacy Policy is incorporated by reference and governs data handling, thresholds, subprocessors, and security practices.
Nothing in these Terms purports to bind parents or students to Provider's dispute‑resolution or other contractual terms by virtue of COPPA or school authorization.
We do not sell or rent personal information, including student information and staff/admin information. We also do not sell de‑identified or aggregate student data. We do not share personal information with third parties for their advertising or marketing purposes, and our service providers may not use personal information for marketing. We do not allow third parties to create advertising profiles from our data, perform data enhancement for advertising, or engage in automated decision‑making for ad targeting. These disclosures to service providers are not sales or 'sharing' for cross‑context behavioral advertising.
E. Reporting & Disclosure‑Avoidance
We publish only aggregate results meeting k ≥ 15 with complementary suppression and additional rounding/suppression to prevent back‑calculation. We do not make any personal information publicly visible. Within the participant portal only, we will display School System names achieving 3/4 or 4/4 on scored metrics.
F. Subprocessors
Provider maintains a current Subprocessor List internally for operational purposes. Customers may request the list at any time to see the latest approved providers. Hosting is on Heroku (Salesforce) in the United States. Student Endpoints are served without third‑party tags.
Service-provider contracts. Each service provider that processes personal information on our behalf is bound by a written agreement that (i) processes personal information only on our documented instructions; (ii) implements appropriate security; (iii) prohibits secondary use or onward disclosure except as required by law; (iv) provides prior notice of any new sub-processors, flows down equivalent obligations, and, where feasible, offers a right to object or to terminate the affected component; (v) promptly notifies us of any incident affecting personal information; and (vi) deletes or returns personal information at the end of the engagement.
G. Security & Incident Response
Provider aligns with the NIST Privacy Framework; uses encryption in transit, role‑based access and least privilege, and Multi-Factor Authentication (MFA) for admin accounts, with MFA required for super‑admin accounts. Quarterly external vulnerability scans and an annual third‑party penetration test are on our security roadmap. We enforce password complexity and account lockouts after repeated failed logins for staff/admin accounts, support multi‑factor authentication, and notify users of unusual account activity. Users can view recent login activity in their account. Provider will notify Customer of a confirmed breach without undue delay and no later than 72 hours after confirmation, with details sufficient for legal notifications and mitigation.
H. Confidentiality
Each party will protect the other's non‑public information and use it only to perform under these Terms.
I. IP; Feedback
Provider owns the Service, documentation, de‑identified/aggregate insights, and improvements. Feedback may be used to improve the Service.
J. Warranties & Disclaimers
Provider will deliver the Service in a professional manner consistent with industry practice. EXCEPT AS STATED, THE SERVICE IS PROVIDED "AS IS." ALL IMPLIED WARRANTIES ARE DISCLAIMED TO THE MAXIMUM EXTENT PERMITTED BY LAW.
K. Indemnity (IP)
IP infringement remedy (narrow). If the Service, as provided by Provider, is finally adjudicated to infringe a U.S. intellectual property right, Provider will, at its expense and as Customer's sole remedy: (i) procure the right for Customer to continue using the Service; (ii) replace or modify the Service so it is non‑infringing and materially equivalent; or (iii) if (i)–(ii) are not commercially reasonable, terminate the affected component and provide a pro‑rata refund of any prepaid fees (if any) for the remaining term. This obligation does not apply to claims arising from combinations not supplied by Provider, use not in accordance with documentation, or Customer‑provided content.
L. Liability Cap
NEITHER PARTY IS LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES. TOTAL LIABILITY OF EACH PARTY arising out of or related to the Service is limited to the greater of USD $10,000 or the fees (if any) paid by Customer to Provider in the 12 months preceding the event giving rise to the claim. [Optional carve‑outs for willful misconduct or breach of confidentiality/security may be negotiated.]
M. Term & Termination
Either party may terminate for uncured material breach (30 days' notice). On termination, Provider will cease access and delete or de‑identify Customer data per the Privacy Policy, including the timelines and processes described in §I and §K.
N. Venue
These Terms are governed by the laws of the Commonwealth of Virginia. Exclusive venue is the state or federal courts in Virginia; the parties consent to personal jurisdiction.
O. Assignment & Business Transfers
In the event of a merger, acquisition, reorganization, or bankruptcy, Customer data and these Terms may be assigned to a successor subject to the same privacy, security, and deletion commitments. We will notify Customer administrators prior to any transfer where feasible.