Effective July 1, 2024 (Archived Version)
1. Boom App User Data Storage
The Boom App data stores contain Student Data and Adult Data (collectively "Boom App User Data"). Boom App User Data is protected using the methods described below in Safeguards, and is stored in secure facilities with firewall protection. Boom Learning engages the listed subprocessors to store and process Boom App User Data. Boom Learning carries out adequate due diligence to ensure that any subprocessor or subcontractor can meet its obligations to Boom Learning under the law. Boom Learning will remain responsible for its compliance with its data protection obligations and for any acts or omissions of a subprocessor or subcontractor that cause Boom Learning to breach any of its data privacy and security obligations to you.
With respect to each subprocessor that receives User Data from Boom Learning, Boom Learning will enter into a written agreement under which the subprocessor agrees it has no independent right of access to, use of, or disclosure of the Boom App User Data. Boom Learning will ensure the subprocessor agrees to apply security measures consistent with or greater than those imposed on Boom Learning by law or contract.
From time-to-time, Boom Learning may engage subcontractors to perform duties on our behalf with respect to Boom App User Data. With respect to each subcontractor that has access to Boom App User Data from Boom Learning, Boom Learning will enter into a written agreement under which the subcontractor must participate in annual privacy and security training, be subject to background checks if the subcontractor has access to Student Data, and use security measures consistent with those imposed on Boom Learning.
2. Safeguards
2.1 Privacy and Security by Design
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity of a data breach, Boom Learning implements appropriate technical and organizational measures to ensure a level of security appropriate to the nature of the data at risk and the risk of harm posed by exposure of the User Data to unauthorized persons.
2.2. NIST Cybersecurity Framework
Boom Learning has adopted the NIST Cybersecurity Framework as it is updated from time to time as its primary guidepost for selecting and implementing technologies, safeguards, and privacy practices. Boom Learning reserves the right to refer to and implement additional protection models where appropriate. Security practices implemented include but are not limited to (a) limiting unsuccessful login attempts, (b) not persisting User Data on devices, (c) remote log out for devices in the event of a lost, missing, or stolen device, (d) audit logs for activities posing a risk of breach and for actions that require accountability, (e) enforcing minimum password complexity, and (f) risk assessments of our practices and those of our subcontractors and subprocessors conducted on an ongoing basis and at least annually.
2.3 Data Minimization
Boom Learning practices data minimization. When working with an OAuth or LMS provider, if the service sends us data elements we did not explicitly request, our policy is to ignore and delete the additional data elements.
2.4. Need-to-know Access, Confidentiality Promises, and Background Checks
Boom Learning employees, agents, and subcontractors are provided access to User Data on a need-to-know basis. Those with access to Student Data or Educator financial data are required to pass a background check. Such users are subject to obligations of confidentiality consistent with the promises and obligations in our Privacy Notice.
2.5. Encryption
Data is encrypted in transit and at rest using technologies and methodologies specified and permitted by the Secretary of the United States Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. Secure transport layers are used to prevent unauthorized access. Our User Data and application access are TLS 1.2 for encryption in transit and AES256-CBC for encryption at rest.
2.6 Authenticated Access
User Data is only accessible through authenticated accounts. In the case where passwords are used they are hashed and salted. We provide tools for you to reset passwords. Student passwords are set and reset by Educators. Student Data is only accessible for Educators who have confirmed email addresses.
2.7 Portable Devices
Boom Learning uses portable computers and devices to access its servers. Portable computers and devices are secured with passcodes and passwords and are subject to remote erasure in the case of loss. Student Data is not stored on Boom Learning owned portable devices. A third-party security operations team (SOC) monitors our portables devices round the clock.
2.8 Backups
Boom Learning performs continuous data backups of User Data for system failure and disaster recovery purposes. Backups are encrypted. Backups are not used or accessed to recover Educator deleted data. If you say we should delete it, we take you at your word. Backups are stored only for as long as necessary to serve their recovery purpose.
3. Training
All employees and subcontractors who are granted authorization to access data are trained annually on Boom Learning’s security and privacy responsibilities and obligations, including threat awareness, threat protection, best practices and safeguards, and company policies and procedures. Training is conducted more frequently as a response to evolving threats.
4. Data Correction, Export, Transfer and Deletion
Boom Learning provides Educators with the ability to delete accounts, students, and student data logs to remove data.
4.1 Boom App User Data Correction
Educators have detailed log screens of student answers to evaluate the reliability of data reporting. Educators can delete logs that do not represent a true measure of student performance. Parents and students may challenge the accuracy of Student Data by contacting their Educators. Educators have a variety of tools throughout the app to update their user data. Educators may also contact us for assistance to perform corrections. Educators are the controller for the purposes of data subject requests made by parents or students and any data subject requests by a student or parent must be directed to the Educator.
4.2 Export and Transfer
Boom Learning provides a variety of tools for sharing and exporting Student Data between Educators (including parents who open an Educator account). See our FAQs, including
- Sharing Students (Colleagues)
- Student Data Reports (Grades and Progress)
- How to Export and Print Boom Reports
4.3 Deletion Self-Help Tools (including Data Subject Deletion Requests)
At any time, Educators may delete Student accounts or Educator accounts using the self-help tools provided. You may contact us for assistance. You agree to give us 10 days so we can confirm that the person making the request is you and has the right to delete the account. Deletion of student data is irrevocable and cannot be undone.
Educators are able to self-help to delete their own accounts. Data subject requests seeking confirmation that self-help deletion was effective may be made to our legal department.
4.4 Automated Boom App User Deletion
To comply with our legal obligations to not retain Student Data longer than necessary and as part of our data minimization best practices, we conduct automated Boom App User Deletion. Once a trigger is activated, the account enters the queue for deletion and will be deleted by an automated process. Educators will receive notice sent to the last email on file that an account has entered the automated deletion process. Negotiated automated deletion terms in an agreement with an Entity supersede this section.
4.4.1 Excluded Accounts
The following account types are excluded from our automated deletion process: Entity Accounts, Entity Admin Accounts, Entity Managed Educator Accounts, Entity Managed Student Accounts. Entity Educators must use the self-help tools to delete Student Users. Google Add On and Canvas are treated as Entity accounts. You may contact us to have any of these accounts deleted. All other accounts are subject to automated deletion in our discretion.
4.4.2 Triggers for Automated Deletion
An Educator account, and its associated Student accounts, will enter the queue for deletion when
- The Educator account is not associated with an Entity.
- The Educator account was created at least 365 days ago.
- The Educator has not logged in for 365 days.
- Any paid subscription has been expired for at least 60 days or the account has never had a paid subscription.
- The pen name is unlocked.
- And there are no outstanding credits.
Deleting an Educator account automatically deletes all student accounts associated with the Educator that have not been shared with another Educator. We keep de-identified financial records from deleted Educator accounts.
4.4.3 Automatic Deletion for All Student Data Older Than 1,095 Days
We reserve the right to delete any student play data from any account, including Excluded Accounts, regardless of subscription status, where play data is over 1095 days old. Contact us if for any reason you need help exporting data you need to keep for more than 1095 days.
5. Shared Responsibility
5.1 Educators and Entities Use Safeguards
Educators and Entities must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by exposure of User Data to unauthorized persons. Students' age and abilities should be considered when selecting the appropriate password model. More mature students should use more complex passwords than less mature students.
5.2 Educators and Entities Exercise Data Choice
Boom Learning provides you with choices on the Data Elements to deliver to Boom Learning. You should exercise those options considering harm to the data subject should data be exposed, taking into account the sensitivity of the data being collected, the risk of exposure, and the potential for harm if exposed. You have the option to allow the display of directory information to students and parents.
6. Security Incidents and Data Breaches
6.1 Security Investigations and Data Breaches
We conduct an investigation for all security incidents. A security incident is consists of unauthorized access to personally identifiable user data. We maintain a security response plan and a security incident tracking system. Not all security incidents are data breaches.
A "Data Breach" involves a release of personally identifiable user data that
- compromises the confidentiality or integrity of the personally identifiable user data and in doing so,
- is reasonably likely to cause harm to the data subjects impacted, and
- the harm is likely to be substantial (financial information, account credentials, medical information).
A security incident in which there is unauthorized access to user data that is encrypted is not a breach if the encryption key is not accessed or acquired. A security incident in which another person at the same entity with a similar confidentiality obligation to the data subject as the account holder accesses user data is also not a breach.
6.2 Notices for Data Breaches
In the event of a Data Breach involving personally identifiable Boom App User Data, we will provide notice to the account holders of records, namely Educators and in the case of schools, school admins, using the information we have on file. We do not collect or store parent or legal guardian contact information. Educators must inform students and parents if Student Data is affected. If we have a signed privacy agreement with you, the security incident terms of that agreement supersede any conflicting terms in this Section 6.
If personal information was involved, we will provide notice as soon as reasonably possible (within 7 days but usually more quickly). Notices will include in plain language (a) what happened, (b) what personally identifiable Boom App User Data was involved, (c) any information we have about when the incident occurred, (d) what we are doing, (e) what you can do, and (f), if applicable, how to obtain more information about the investigation and/or resolution.
6.3 Notices for Security Incidents
At our discretion, we inform affected parties of security incidents that do not arise to a data breach for informational and security purposes. These notice will contain the relevant information available to us and are directed to the affected parties as appropriate to their rights to be informed of the incident. For example, we may inform targets of a phishing attack launched against them. Such notices will include information we have and how to contact our security team for further information.
6.4 Notice and Law Enforcement and Regulators
We will provide notices of data breaches to the appropriate regulators where required by law, and we may elect to provide such notice, at our option and in our sole discretion, where not required by law, unless we are under a lawful contract to the contrary. We will comply with law enforcement instructions to delay issuing notice where necessary to further an investigation.