EFFECTIVE July 1, 2024 (Archived Version)

1. Definitions

"Boom App Users" are adult or student users who log in at wow.boomlearning.com, app.boomlearning.com, or boom.cards (all entry points to the "Boom App") and whose data is entered into or collected by the Boom App. The Boom App is a subset of the Services. It is possible to use the Boom App without using other services to limit the Subprocessors with which you interact.


"Subprocessors" are companies we hire to process customer data to help us provide the Services.


"Subcontractors" are people that work for us as part of a project. We sometimes use subcontractors to perform technical support or training for Educators. Subcontractors do not have access to Student Data.


"Vendors" provide services we need to perform our business. Examples include tax reporting and payment processing. If a Vendor has access to customer data, we disclose them as a subprocessor. You may have vendors you use also.

2. Educator ("you") selected subprocessors

You are responsible (liable) to us, your students and their families, and to your employees and contracted staff and vendors, for any risk or claims arising from your selection, implementation, configuration, management or deployment practices of your selected subprocessors. You are responsible (liable) for any misconduct, design failures, or security risks — deliberate or inadvertent — by your selected sub processors. You are responsible (liable) for training your students, families, employees and contracted staff and vendors on the correct usage of your selected sub processors. You must select subprocessors that will handle any personally identifiable information sent in a manner consistent with your legal obligations regarding the data sent.


Subprocessor TypeExemplarsPurposeYour Responsibilities and Options
Our Responsibilities and Options
Authentication Service Providers (OAuth Providers)
Canvas, Classlink, Clever, Google, Microsoft, SAML (on request)Secure authentication of identity and access privileges for Boom App Users


You may choose a supported OAuth Provider.We may block any OAuth Provider at any time if we determine there is a security or privacy risk.

We are responsible (liable) to you and your students if we fail to correctly implement an authentication method. Proper implementation means we followed the specifications of the authentication vendor.


We may delete any data delivered to us by an OAuth Provider that we determine is superfluous to delivering the Services (such as a middle name) as part of our data minimization practices.
Data Sharing SubprocessorsBox, Dropbox, Google Drive, OneDrive, SharepointShare documents securely with authentication and access controls. Select the subprocessor or use our selected subprocess (Microsoft OneDrive or Sharepoint) for materials with personally identifiable information or that are otherwise sensitive.Reject the use of an insecure subprocessor if we deem materials are sensitive and require an authenticated sharing method.
Email SubprocessorsGoogle Workspace, Microsoft OfficeSend email communicationsSelect your subprocessor for sending and receiving emails. Apply reasonable industry best practices to protect your email system from email based attacks — incoming or outgoing, including phishing attacks.We may block emails received from you that contain an attack. We will inform you if we learn our system has generate an attack. We will implement reasonable industry best practice to protect our email systems from email based attacks — incoming or outgoing, including phishing attacks. 
Video SubprocessorsScreenPal, Vimeo, YouTube, Google DriveTo embed links to video in decks you create to deliver to your Students. If used these will collect data about Boom App users.
You are responsible for your legal obligations to students with respect to disclosure, consent, tracking for advertising purposes, and delivery of advertisements, as may be applicable, for your selected subprocessor.We reserve the right to block or remove access to video subprocessors at any time, in our sole discretion, if we deem them a security or privacy risk.
Contract ProcessorsDocuSign, Adobe Sign, LearnPlatform, Student Data Privacy AllianceTo send us a contract for signatureUse one of our subprocessors for contracts or select your own.We require that you provide us a copy of the signed document if you do not use our subprocessor.


3. Our Boom App User data subprocessors

The following subprocessors are integrated with the Boom App and collect and store data about Boom App users.


NamePurposeLinks to Security and Privacy PoliciesWhat You Should Know
VimeoEmbedded Instructional VideosVimeoUsed for video delivery. We have a signed Data Processing Agreement for EU. May collect some data from students if a student watches a video.
MongoDBStorage of Boom App Data - including Adult and Student dataMongoDB
Security measures for MongoDB Atlas are available here.
This is the database where we store data entered into our created by the Boom app. It is encrypted in motion and at rest. We have a signed BAA with MongoDB. Adult and student data.
AWSHost of MongoDB Data StoreAmazon Web Service

Security measures are here.

Privacy statements are here.

AWS provides us physical servers in the United States on which the MongoDB database is stored. Adult and student data.
Microsoft AzureStore of selected subset of Adult MongoDB dataMicrosoft Trust CenterWe replicate select Adult data from the MongoDB data store to Azure for business operations, security, integrity, and product improvement purposes. We do not replicate student data to this database.
Galaxy/Meteor CloudApplication processing data Privacy Policy
Data Processing Agreement
Security and Systems Policy
Our Boom application which process data
ZCLOUD
Application processing dataPrivately negotiated agreementNot yet adopted but under consideration for adoption
Freshworks

Helpdesk services- including Freshdesk (help tickets), Freshworks Contact Center (voicemail and calls), and FreshChat (chat contacts).

You can see terms of our agreement with Freshworks here (Section 3 and the Data Processing Addendum).

You can see Freshworks security measures here.

We have a Freshworks Help Center integrated in our app accessible to adult users. We store your information to respond to your requests. Stored information may include contact information, user IDs, messages, device model, IP address, and usage patterns. Parents, legal guardians, and students who contact our Help Center by email are redirected to the Educator they are associated with.

ActiveCampaignEducational messages about how to use the product, feature updates, and important announcements.ActiveCampaignAdult users are added to automations and mailing lists to receive onboarding and important announcements. Users added to ActiveCampaign are marked by the type of user (organizationally managed or direct purchaser).
MessageBirdTransactional emailsMessageBirdTransactional emails such as mandatory notices, password resets, confirmations, receipts and similar messages.
BraintreePayment Processing

Braintree

This is our integrated third party payment card processor. When you make a payment you are interacting directly with Braintree through a PCI DSS 4.0 compliant connection.
PayPalPayment Processing

PayPal

Used by us to issue payments to Boom Cards authors.
Google Analytics G4Analytics for application performance, integrity and improvement purposesGoogle Analytics G4We have GDPR controls turned on. We anonymize Boom App user data we send to Google Analytics.


4. Our additional data subprocessors for interacting with adult users

The following additional subprocessors are used in our operations to support our interactions with adult users. See also our Cookie Policy.


NamePurposeLinks to Security and Privacy PoliciesWhat You Should Know
ZoomVideo Calls and Educational WebinarsZoom (for Business policies)Used for onboarding and educational webinars. May be used for meetings. 
Microsoft Office, including Teams, Bookings, Outlook, Sharepoint, OneDrive and moreMeeting and Webinars
Scheduling
Email
Document management
Microsoft Trust CenterUsed for onboarding and educational webinars.

Email may be routed to Freshworks

Used for secure document exchange
CyberclanSecurity services
CyberclanUsed for email security monitoring and forensics.
VimeoEmbedded Instructional VideosVimeoUsed for how to videos. We have a signed Data Processing Agreement for EU. May collect some data from students.
QuickbooksPayment Processing

Intuit


If you pay us money or receive money from us or we pay you money, your name, address, and contact data may be stored.
JB Morgan ChasePayment Processing

JP Morgan Chase


If you pay us money or receive money from us, your name, address, and contact data may be stored.
BECUPayment Processing

BECU


If you pay us money or receive money from us, your name, address, and contact data may be stored.
The Hagen FirmAccountingThe Hagen FirmIf you pay us money or receive money from us, your name, address, and contact data may be stored.
LiscioAccounting
Liscio
If you pay us money or receive money from us, your name, address, and contact data may be stored.
AsanaCustomer requestsAsana (for subscriber policies)May contain copies of images, videos or messages you send requesting an improvement or change
AtlassianCustomer requests and bug requestsAtlassianMay contain copies of images, videos or messages you send requesting an improvement or change. May be shared with select development and test subcontractors in India and/or Vietnam.
The HartfordInsurance CertficitesHartfordYour contact information is required to generate a certificate
ContractbookContract delivery and storage

Contractbook


Contracts we sign with you. Contracts are stored in the European Union.
Adobe CloudContract delivery and storage

Adobe Cloud


Contracts we sign with you
Student Data Privacy AllianceContract delivery and storageSDPA Privacy Policy
Contracts we sign with you
Google Analytics G4AnalyticsGoogle Analytics G4Used for to understand app performance for security, integrity, and improvement purposes.
ZapierIntegrations of the above toolsPrivacy Policy
Security and Compliance
Adoption being considered but not implemented at this time