EFFECTIVE July 1, 2021

TABLE OF CONTENTS

• 1. Definitions
• 2. Educator selected subprocessors
• 3. Our data stores

1. Definitions

1.1 "Subprocessors" are data processing entities engaged by Boom Learning to fulfill our obligations with respect to providing the Services. We disclose our subprocessors in this document.

1.2 "Subcontractors" are entities or persons that carry out work for Boom Learning as part of a larger project. Boom Learning uses subcontractors to perform some technical support for Educators. Subcontractors do not have access to Student Data.

1.2 "Vendors" provide Boom Learning with a variety of Services we need to perform our business, such as tax collection and reporting, payment processing, software development, and testing. Some vendors are subprocessors. We disclose our vendors who are subprocessors in this document.

2. Educator selected subprocessors

2.1 Authentication services

Educators may use certain third-party authentication services with Boom Learning, including but not limited to Canvas, Google, Microsoft, Clever, and ClassLink. The information delivered to us is determined by the third-party authentication service. At any time, and in our sole discretion, we may decommission any third-party authentication method we deem to be a security or privacy risk. We are liable to you for any privacy risk to you or your students arising from our failure to correctly implement an authentication method in accordance with the specifications of the third-party authentication service. We are not liable for any risk or claims arising from your implementation, management, or deployment practices from your selected authentication service. We are not liable to you for misconduct, design failures, or security risks—deliberate or inadvertent—by your selected third-party authentication service.

2.2 Data sharing subprocessors

In addition to third-party authentication services, you may select a subprocessor to exchange data with us, securely or in an insecure matter. Your use of those third-party subprocessors is subject to your agreement with the third party, especially regarding advertising, tracking, and marketing to your users based on their use of the third-party service.

We are not liable to you for misconduct, design failures, or security risks, deliberate or inadvertent, by your selected third-party subprocessor or your failure to correctly configure the subprocessor's services. You are responsible for evaluating and selecting third-party subprocessors that meet your legal obligations.

2.3 Video delivery subprocessors

We may enable you to embed links to video from a variety of sources for use in decks delivered solely to your Students.  

We are not liable to you for misconduct, design failures, or security risks, deliberate or inadvertent, by your selected third-party subprocessor or your failure to correctly configure the subprocessor's services. You are responsible for evaluating and selecting third-party subprocessors that meet your legal obligation, including disclosure, consent, tracking for advertising purposes, and delivery of advertisements.

3. Our data stores

3.1 The Boom Learning database

The Boom Learning database stores Student, Educator, and Public Author data. The Boom Learning database is encrypted in motion and at rest. This database is hosted by (and thus disclosed to) subprocessors MongoDB (see Section 6) hosted on Amazon Web Services (AWS) under obligations of confidentiality and with no right of use of personal data. 

• Security measures for MongoDB Atlas are available here.
• Security measures for AWS are available here.
• Privacy statements from AWS are available here.

We replicate a subset of teacher and school information from the Boom Learning Database to Azure for performance reasons so we can analyze patterns for product improvement purposes (the "Azure database"). We do not replicate any student data in the Azure database. Learn more about security and privacy measures at the Microsoft Trust Center.

3.2 App Store Providers

If you download and install one of our Boom Cards native apps, you and your Students will be subject to the tracking and monitoring policies of the applicable applications store. We provide apps through the following applications stores:

1. The Apple App Store
2. The Google Play Store
3. The Kindle Fire Store

3.3 Freshworks data stores

Communications sent to our Help Center, which may be from Educators, Public authors, parents, entity personnel, general members of the public, and occasionally students are stored in the Freshworks ecosystem in the data store appropriate to the form of contact, including FreshDesk (Help tickets), FreshCaller (voicemail messages), FreshChat (chat contacts), and FreshSales (purchasing contacts). 

• Students who contact us are redirected to their Educator. 
• Parents and legal guardians will be redirected to their Educator unless they are contacting us to request to use our Services directly.
• For all other users, we store your contact information to respond to your requests for information from us or to provide you with educator materials about using our products, system notices, and other opt in requested messages.

The Freshworks data stores may store your contact information, communications sent, device model, IP address, and usage patterns. 

• You can see terms of our agreement with Freshworks here (Section 3 and the Data Processing Addendum).
• You can see Freshworks security measures here. 

3.4 Newsletters, transactional messages, and email

We communicate with Educators and other adults using newsletters, transactional messages, and email. You may be contacted by us using one or more of these methods:

• ActiveCampaign (email education, newsletters, and announcements)
• SparkPost (password resets, confirmations, and other transactional notices)
• Microsoft (emails, file shares, information collection and storage, and other secure document sharing)

Our email service providers may supply us with a range of information about your communications with us, including IP addresses, your country, state or province, history of reading or receiving newsletters, and your approximate location. The source of this information is your interactions with the email service and/or third-parties.

3.5 Additional data stores for Educators and entities

We use a variety of banking and payment processors. If you pay us money or receive money from us, your name, address, and contact data may be stored in one or more of these systems we use for payment and accounting purposes:

• Intuit
• Stripe
• PayPal
• Chase
• BECU 
• The Hagen Firm and Liscio

We may store documents received from you in one of these locations.

• Microsoft (emails, file shares, information collection and storage, and other secure document sharing)
• Atlassian (details of customer-requested features or bug requests)
• Adobe Cloud (agreements)
• Contractbook (agreements)

We store your contact information with The Hartford to provide you with Insurance certificates. Customer-requested features entered into Atlassian are shared with our development and test teams at A4 Technologies and Poeta Digital.

3.6 Additional data stores applicable only to Public Authors 

For tax reporting and payment purposes, your data may be stored with Gusto (payment and 1099). We may occasionally communicate with you using the Google ecosystem (Forms, Drive, etc.). We may allow you to participate in our Pinterest or Tailwind sites.

3.7 External marketing services directed to adults

We maintain a presence on several social media sites for marketing and community-building purposes. Please see our sales and marketing privacy policy for terms covering your interactions with our marketing properties. 

3.8 Contract Filing and Management

We use Contractbook for contract filing and management, and Adobe Cloud to modify and sign contracts.

• Contractbook
• Adobe Cloud

4. Analytics

We use Google Analytics G4. We have GDPR controls turned on. We anonymize data we send to Google. You can see Google's privacy policy here - https://policies.google.com/privacy?hl=en-US.