
Data Privacy and Security Plan

Modified on: May 20, 2025

Effective Date: July 1, 2025

  1. Document Purpose and Scope
    1. This plan explains how Boom Learning protects student data. It is offered to address legal requirements in certain jurisdictions to demonstrate the policies, procedures, and other measures we use regarding Student Personally Identifiable Information (“Student Data”).*
    2. This plan is not a comprehensive statement of our security practices. For more information about our application and data security measures or to ask us to answer specific security questions, please send a request to our Sales Team.
  2. Student Data Storage
    1. We use industry-recognized measures to protect student data. We contract with several companies to help with our operations, including providers of secure facilities to host our application software and the databases that hold student data. If these companies store or have access to student data, we refer to them as “subprocessors.”  
    2. We maintain a list of our subprocessors. We perform due diligence regarding security and privacy practices in our selection of subprocessors and other subcontractors to confirm they can meet their obligations to us and to you. These companies can’t use or share student data without permission from us.
  3. Safeguards:
    1. NIST Cybersecurity Framework 
      1. We use the NIST Cybersecurity Framework to guide the development and implementation of our security practices.
      2. We’ve adopted measures including limiting unsuccessful login attempts, not persisting student data on devices, creating audit logs, requiring password rules, and conducting regular risk assessments, at least annually.
    2. Data Minimization 
      1. We minimize the student data we collect and retain.
      2. We actively delete student data that is not necessary for our purposes and no longer has value for Educators or Entities.
      3. We offer self-help features so educators may remove student data from our systems when it is no longer necessary to keep.
      4. Within the Boom App, we provide a variety of choices so you can also practice data minimization, including the ability to use pseudonyms and the ability to delete student records.
    3. Need-to-Know Access: Our policies require that only people with a “need to know” can access student data.
    4. Background Checks: Boom Learning employees with access to student data must pass a background check.
    5. Subcontractors: We have agreements with each of our subcontractors who may access student data. Those agreements impose security measures consistent with those imposed on Boom Learning.
    6. Encryption
      1. Student data is encrypted when stored and transferred using methods permitted by the Secretary of the United States Department of Health and Human Services guidance issued under Section 13402(h)(2) of Public Law 111-5.
      2. We use strong encryption methods, including standards at or stronger than Transport Layer Security (TLS) 1.2 (at a minimum) for encryption in transit and AES-256 for encryption at rest.
    7. Authenticated Access
      1. Student data is only accessed through accounts that are authenticated.
      2. An organization administrator can see each user's available online contact information in the account. Access to student performance data is limited to the Educators associated with the student.
      3. User password information that we hold is hashed and salted. Educators set and reset student passwords.
      4. On request, we will provide access to entity staff who are not on an account after sufficient proof of a legal right to the information is provided.
    8. Portable Devices
      1. We use portable devices to access our servers. These devices have passcodes and can be erased remotely if lost. Student data is not persistently stored on these devices.
      2. A third-party security operations team monitors our portable devices around the clock.

    9. Backups: We back up student data continuously for recovery purposes. Backups are stored in encrypted form. Backups are not used to recover student data deleted by an Educator. Backups are stored for a limited period.

  4. Training: All Boom Learning employees and subcontractors who are granted authorization to access student data are trained annually on security and privacy. Training includes threat awareness, threat protection, best practices, emerging threats, and company policies.

  5. Student Data Corrections
    1. Educators can review and delete inaccurate student data generated by their students. Educators can contact us for help.
    2. Parents and students may challenge data accuracy by contacting their Educators.
    3. We redirect any data subject requests made to us by students or parents to their Educators or to their entity administrators.
  6. Export, Transfer, and Deletion
    1. Export and Transfer: Using our tools, educators can share and export student data and some categories of Educator data.
    2. Self-Help Deletion Tools 
      1. Student Data
        1. Student data deletion is permanent and cannot be undone.
        2. We provide self-help tools for Educators to delete student data.
      2. Educator Boom App Data
        1. Educators who directly purchase accounts can delete their own accounts.
        2. Entity account administrators can delete Educators associated with their Entity.
        3. When an Educator is deleted from the Boom App, it may exist for a short period in a backup. When the Boom App account backup period expires, we de-identify the Boom App account and retain certain records for financial and auditing purposes.
    3. Automated Deletion
      1. Expired accounts are scheduled for deletion. We automatically delete accounts and data that meet certain criteria. The account administrator of record is notified before deletion.
      2. An Educator account and all associated student data are automatically scheduled for deletion when
        1. The Educator account is not associated with an Entity account,
        2. The Educator account was created at least 365 days ago,
        3. Any paid subscription has expired or the account never had a paid subscription,
        4. The Educator has not logged in for 365 days,
        5. The pen name is unlocked, and
        6. There are no outstanding payable credits.
      3. For Entity accounts, after the subscription expires and after a reasonable period to ensure renewal is not planned, we will delete the account including associated student and Educator data, retaining some Entity and Educator data for financial reporting and security auditing. 
    4. Contact Management System ("CMS") Educator Data
      1. Deleting an Educator account from the Boom App unsubscribes the Educator from our newsletters in our CMS.
      2. We retain the Educator as a contact in our CMS for a reasonable period to provide customer service. If we see no intent to re-engage, we reserve the right to delete the contact information entirely. Our CMS retains records for 30 days after a deletion request, after which the deletion is permanent.
    5. Contact Us
      1. You can contact us for help with deleting accounts. You agree to give us 10 days so we can confirm that the person making the request has the right to delete the account. You may also ask us what we know about you as part of a data request.
      2. We can only process your request if we are the data controller for the information. If we are not the data controller, we will redirect the request to the data controller.
  7. Shared Responsibility
    1. Educators and Entities share the responsibility of using adequate security measures to protect student data. They are expected to protect passwords, not share accounts, and utilize features that we make available to keep student data protected.
    2. You agree to protect Boom App User Data in your accounts by using reasonable security measures, like
      1. strong passwords,
      2. attending or giving training on security measures,
      3. keeping login information private to only yourself, and
      4. teaching your students about reasonable security practices.
  8. Security Incidents and Data Breaches
    1. Investigations and Breaches
      1. We treat unauthorized access to personally identifiable information (“PII”) as a security incident. We investigate all security incidents. We maintain a security response plan and a security incident tracking system. Not all security incidents are Data Breaches.
      2. A "Data Breach" is an unauthorized release of PII that
        1. compromises the confidentiality or integrity of the PII,
        2. in a way reasonably likely to harm the data subject, and
        3. that harm is likely to be substantial (such as financial information, account credentials, or medical information).
      3. It is a security incident, but not a data breach, when there is unauthorized access to PII and 
        1. The PII was encrypted, and the encryption key was not accessed or acquired; or
        2. The person obtaining unauthorized access is at the same entity as the account holder and has the same confidentiality obligations to the data subject as the account holder.
    2. Notices for Data Breaches
      1. We notify Educators and Entity Administrators of Data Breaches. They in turn must inform students and parents if student data is affected. If we have a signed data protection agreement with an Entity, the terms of that agreement control.
      2. If we determine that personal information was involved, we will provide notice as soon as reasonably possible (within 7 days but usually more quickly). Notices will include in plain language (a) what happened, (b) what PII was involved, (c) any information we have about when the incident occurred, (d) what we are doing, (e) what you can do, and (f), if applicable, how to obtain more information about the investigation and/or resolution.
    3. Security Incident Notices: We may inform affected parties of security incidents that are not Data Breaches. For example, we may inform targets of a phishing attack launched against them.
    4. Law Enforcement and Regulators: We notify appropriate authorities or regulators of Data Breaches as required by law. We follow law enforcement instructions to delay notice if needed.

*Boom Learning does not collect or store information or PII relating to annual performance reviews of teachers or principals (see NY Education Law §2-d).

Copyright © 2025 Boom Learning

 

 

 
