Effective July 1, 2021; updated July 1, 2022
TABLE OF CONTENTS
- Privacy and Security by Design
- Data Minimization
- Data Accuracy/Correction Practices
- NIST Cybersecurity Framework
- Need-to-know access
- Authenticated Access
- Protected Data Stores
- Portable Devices
- Continuous backups
Privacy and Security by Design
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity of a data breach, Boom Learning shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by exposure of the User Data to unauthorized persons.
Data Minimization
Boom Learning provides you with choices on the Data Elements to deliver to Boom Learning. You should exercise those options considering harm to the data subject should data be exposed, taking into account the sensitivity of the data being collected, the risk of exposure, and the potential for harm if exposed. You have the option to prevent display of directory information to students and parents.
Data Accuracy/Correction Practices
Boom Learning provides Educators with the ability to delete data logs to remove data. Educators also have detailed log screens of student answers to evaluate the reliability of data reporting. Parents and students may challenge the accuracy of data by contacting their Educator. Educators may challenge the accuracy of data by contacting firstname.lastname@example.org.
NIST Cybersecurity Framework
Boom Learning uses privacy by design and industry best practices to protect data, taking into account the nature of the data at risk and the risk of harm to data subjects. Boom Learning has adopted the NIST Cybersecurity Framework as it is updated from time to time as its primary guidepost for selecting and implementing technologies, safeguards, and privacy practices; provided however, that Boom Learning may refer to and implement other protection models where appropriate. Security practices implemented include but are not limited to (a) limiting unsuccessful login attempts, (b) not persisting mobile app data, (c) remote log out for devices for Educators in the event of a lost, missing or stolen device, (d) audit logs for activities posing a risk of breach and for actions that require accountability, and (e) enforcing minimum password complexity. Adoption includes periodic risk assessment of our practices and those of our subcontractors and subprocessors.
Need-to-know access
Boom Learning employees, agents, and subcontractors are provided access to User Data on a need-to-know basis. Those with access to Student Data or Educator financial data are required to pass a background check. Such users are subject to obligations of confidentiality consistent with the promises and obligations in our Privacy Notice.
Data is encrypted in transit and at rest using technologies and methodologies specified and permitted by the Secretary of the United States Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. Secure transport layers are used to prevent unauthorized access.
Authenticated Access
Data is only accessible through authenticated accounts. We require passwords at both the Educator and Student level to keep data safe. Passwords are encrypted. We cannot see your password or your students’ passwords. We provide tools in the app for you to reset passwords. Student passwords are set and reset by teachers. Use good password practices to keep your students safe. Our team members use password managers, and you should, too. Student Data is only accessible for those Educators who have confirmed email addresses.
Protected Data Stores
The Primary data store is the Boom Learning database. This database contains the Student Data and Educator Data. User Data is encrypted in transit and at rest, stored in secure facilities and with firewall protection.
Boom Learning engages subcontractors (acting in roles similar to employees) and subprocessors (cloud-based service providers) to store and process User Data. See our subprocessor and subcontractor disclosure for our list of the current subcontractors and subprocessors. Boom Learning will carry out adequate due diligence to ensure that any subcontractor or subprocessor can meet its obligations to Boom Learning under the law. Boom Learning will remain responsible for its compliance with its data protection obligations and for any acts or omissions of a subcontractor or subprocessor that cause Boom Learning to breach any of its data privacy and security obligations to you.
With respect to each subcontractor that receives User Data from Boom Learning, Boom Learning will enter into a written agreement under which the subcontractor must participate in annual privacy and security training, be subject to background checks if the subcontractor has access to Student Data, and use security measures consistent with those imposed on Boom Learning.
With respect to each subprocessor that receives User Data from Boom Learning, Boom Learning will enter into a written agreement under which the subprocessor agrees it has no right of access to, use of, or disclosure of the Protected Data and under which the subprocessor agrees to apply security measures consistent with or greater than those imposed on Boom Learning by law or contract.
All employees and subcontractors who are granted authorization to access data are trained annually on Boom Learning’s security and privacy responsibilities and obligations, including threat awareness, threat protection, best security practices and safeguards, and company policies and procedures. Training is conducted more frequently as a response to evolving threats within the education community. Boom Learning provides users with information bulletins about how to maintain the security of Protected Data. Users who opt out of our newsletters will not receive such bulletins. Educators may contact us if there are security concerns or questions.
Portable Devices
Boom Learning uses portable computers and devices to access its servers. Such portable computers and devices are secured with passcodes and passwords and are subject to remote erasure in the case of loss. In the rare instance that Student Data is temporarily stored offline, the data is stored encrypted at rest.
Continuous backups
Boom Learning performs frequent data backups (hourly or better) for system failure and disaster recovery purposes. Backups are encrypted. Backups are not used or accessed to recover Educator deleted data. If you say we should delete it, we take you at your word. Backups are stored only for so long as necessary to serve their recovery purpose, approximately 90 days.