Data Privacy
and Security Plan

1. Document Purpose and Scope
   
   1. This plan explains how Boom Learning protects student data. It is offered to address legal requirements in certain jurisdictions to demonstrate the policies, procedures, and other measures we use regarding personally identifiable information we receive from students using the Boom App as further described in our General Privacy Notice or our negotiated privacy agreement with you (“Student Data”).*
   2. This plan is not a comprehensive statement of our security practices. For more information about our application and data security measures or to ask us to answer specific security questions, please send a request to our Sales Team.
2. Student Data Storage
   
   1. We use industry-recognized measures to protect student data. We contract with several companies to help with our operations. These include providers of secure facilities to host our application software and the databases that hold student data. If these companies store or have access to student data, we refer to them as “subprocessors.”  
   2. We maintain a list of our subprocessors. We perform due diligence regarding security and privacy practices in our selection of subprocessors and other subcontractors to confirm they can meet their obligations to us and to you. These companies can’t use or share student data without permission from us.
3. Safeguards:
   1. NIST Cybersecurity Framework 
      1. We use the NIST Cybersecurity Framework to guide the development and implementation of our security practices.
      2. We’ve adopted measures including limiting unsuccessful login attempts, not persisting student data on devices, creating audit logs, requiring password rules, and conducting regular risk assessments, at least annually.
   2. Data Minimization 
      1. We minimize the student data we collect and retain.
      2. We actively delete student data that is not necessary for our purposes and no longer has value for Educators or our organizational customers (referred to below as “Districts”).
      3. We offer self-help features so educators may remove student data from our systems when it is no longer necessary to keep.
      4. Within the Boom App, we provide a variety of choices so you can also practice data minimization, including the ability to use pseudonyms and the ability to delete student records.
   3. Need-to-Know Access: Our policies require that only people with a “need to know” can access student data.
   4. Background Checks: Boom Learning employees with access to student data must pass a background check.
   5. Subcontractors: We have agreements with each of our subcontractors who may access student data. Those agreements impose security measures consistent with those imposed on Boom Learning.
   6. Encryption
      1. Student data is encrypted when stored and transferred using methods permitted by the Secretary of the United States Department of Health and Human Services guidance issued under Section 13402(H)(2) of Public Law 111-5.
      2. We use strong encryption methods, including standards at or stronger than Transport Security Layer (TLS) 1.2 (at a minimum) for encryption in transit and AES256 for encryption at rest.
   7. Authenticated Access
      1. Student data is only accessed through accounts that are authenticated.
      2. An organization administrator can see each user's available online contact information in the account. Student performance is limited to the Educators associated with the student.
      3. User password information that we hold is hashed and salted. Educators set and reset student passwords.
      4. On request, we will provide access to District staff who do not have a userid for a District’s account after sufficient proof of a legal right to the information is provided.
   8. Portable Devices
      1. We use portable devices to access our servers. These devices have passcodes and can be erased remotely if lost. Student data is not persistently stored on these devices.

      2. A third-party security operations team monitors our portable devices around the clock.

   9. Backups:  We back up student data continuously for recovery purposes. Backups are stored in encrypted form. Backups are not used to recover student data deleted by an Educator. Backups are stored for a limited period.

4. Training: All Boom Learning employees and subcontractors who are granted authorization to access student data are trained annually on security and privacy. Training includes threat awareness, threat protection, best practices, emerging threats, and company policies.

5. Student Data Corrections
   1. Educators can review and delete inaccurate student data generated by their students. Educators can contact us for help.
   2. Parents and students may challenge data accuracy by contacting their Educators.
   3. We redirect any data subject requests made to us by students or parents to their Educators or to their organization (district, school, therapy provider) administrator.
6. Export, Transfer, and Deletion
   1. Export and Transfer: Using our tools, Educators can share and export student data and some categories of Educator data.
   2. Self-Help Deletion Tools 
      1. Student Data
         
         1. Student data deletion is permanent and cannot be undone.
         2. We provide self-help tools for Educators to delete student data.
      2. Educator Boom App Data
         1. Educators who create an account through a direct subscription (or create their own free account) can delete their own accounts.
         2. District account administrators can delete Educators associated with their District account.
         3. When Educator is deleted from the Boom App, it may exist for a short period in a backup. When the Boom App account backup period expires, we de-identify the Educator account and retain certain records for financial and auditing purposes.
   3. Automated Deletion
      
      1. To preserve Student Data for your internal records, please use our export tools. Boom Learning is not designed or intended to be a record retention service.
      2. An Educator account and all associated Student Data is automatically scheduled for deletion when
         1. The Educator account is not associated with a District account,
         2. The Educator account was created at least 365 days ago,
         3. Any paid subscription has expired or the account never had a paid subscription,
         4. The Educator has not logged in for 365 days,
         5. The pen name is unlocked, and
         6. There are no outstanding payable credits.
      3. For District accounts, after the subscription expires and after a reasonable period to ensure renewal is not planned, we will delete the District’s account including associated Student Data and District managed Educator data, retaining some data for financial reporting and security auditing. 
      4. Starting July 1, 2026, we are instituting additional Student Data deletion practices that will affect all District and Educator accounts, whether or not the District or Educator account is expired.
         1. If a student account was created, but never logged into, that student account will be scheduled for deletion one year after the creation date.
         2. For Student Data in District accounts, if a student account was created, logged into, and student performance reports were created, and the last login date for the student was more than three years ago, we will schedule the account for deletion. Districts with current paid accounts may contact us to be exempted from this process.
         3. For Student Data where the student has not logged in for more than two years, we will schedule the account for deletion if the student account is either (a) associated with an individually purchased Educator account or (b) associated with a District and does not have any student performance data.
   4. Contact Management System ("CMS") Educator Data
      1. Deleting an Educator account from the Boom App unsubscribes the Educator from our newsletters in our CMS.
      2. We retain the Educator as a contact in our CMS for a reasonable period to provide customer service. If we see no intent to re-engage, we reserve the right to delete the contact information entirely. Our CMS retains records for 30 days after a deletion request, after which the deletion is permanent.
   5. Contact Us
      1. You can contact us for help with deleting accounts.  You agree to give us 10 business days to confirm that the person making the request has the right to delete the account and up to 45 days to process the deletion request if it is complex. You may also ask us what we know about you as part of a data request.
      2. We can only process your request if we are the data controller for the information. If we are not the data controller, we will redirect the request to the data controller.
7. Shared Responsibility
   1. Educators and Districts share the responsibility of using adequate security measures to protect student data. They are expected to protect passwords, not share accounts, and utilize features that we make available to keep student data protected.
   2. You agree to protect Boom App User Data in your accounts by using reasonable security measures, like
      1. strong passwords,
      2. attending or giving training on security measures,
      3. keeping login information private to only yourself, and
      4. teaching your students about reasonable security practices.
8. Security Incidents and Data Breaches
   1. Investigations and Breaches
      1. We treat unauthorized access to personally identifiable information (“PII”) as a security incident. We investigate all security incidents. We maintain a security response plan and a security incident tracking system. Not all security incidents are Data Breaches.
      2. A "Data Breach" is an unauthorized release of PII that
         1. compromises the confidentiality or integrity of the PII,
         2. in a way reasonably likely to harm the data subject, and
         3. that harm is likely to be substantial (such as financial information, account credentials, or medical information).
      3. It is a security incident, but not a data breach, when there is unauthorized access to PII and 
         1. The PII was encrypted, and the encryption key was not accessed or acquired; or
         2. The person obtaining unauthorized access is at the same entity as the account holder and has the same confidentiality obligations to the data subject as the account holder.
   2. Notices for Data Breaches
      
      1. We notify Educators and District Administrators of Data Breaches. They in turn must inform students and parents if student data is affected. If we have a signed data protection agreement with a District, the terms of that agreement control.
      2. If we determine that personal information was involved, we will provide notice as soon as reasonably possible (within 7 days but usually more quickly). Notices will include in plain language (a) what happened, (b) what PII was involved, (c) any information we have about when the incident occurred, (d) what we are doing, (e) what you can do, and (f), if applicable, how to obtain more information about the investigation and/or resolution.
   3. Security Incident Notices: We may inform affected parties of security incidents that are not Data Breaches. For example, we may inform targets of a phishing attack launched against them.
   4. Law Enforcement and Regulators: We notify appropriate authorities or regulators of Data Breaches as required by law. We follow law enforcement instructions to delay notice if needed.

*Boom Learning does not collect or store information or PII relating to annual performance reviews of teachers or principals (see NY Education Law §2-d).