An operator shall:
(1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the student data to protect that information from unauthorized access, destruction, use, modification, or disclosure, which shall, at a minimum, comply with the Department of Technology and Information's Cloud and Offsite Hosting Policy and include the terms and conditions set forth in the Department of Technology and Information's Cloud and Offsite Hosting Template for Non-Public Data.
(2) Delete a student's data within a reasonable timeframe not to exceed 45 calendar days if a school district or school requests deletion of data under the control of the school district or school.