Privacy and Security by Design

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity of a data breach, Boom Learning implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by exposure of the User Data to unauthorized persons.  

Shared Responsibility

Educators and Entities must also implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by exposure of User Data to unauthorized persons. Students' age and abilities should be considered when selecting the appropriate password model. More mature students should use more complex passwords than less mature students. 

Data Minimization

Boom Learning provides you with choices on the Data Elements to deliver to Boom Learning. You should exercise those options considering harm to the data subject should data be exposed, taking into account the sensitivity of the data being collected, the risk of exposure, and the potential for harm if exposed. You have the option to allow the display of directory information to students and parents.

Data Deletion Self-Help & Data Correction

Boom Learning provides Educators with the ability to delete accounts, students, and data logs to remove data. Educators also have detailed log screens of student answers to evaluate the reliability of data reporting. Parents and students may challenge the accuracy of data by contacting their Educators. Educators may challenge the accuracy of data by contacting

At any time, Educators may delete a student, or contact us to request that we delete a student or your account in the event you are unable to use the self-help tools. You agree to give us 10 days so we can confirm that the person making the request is you and has the right to delete the account. Deletion cannot be undone. 

NIST Cybersecurity Framework

Boom Learning uses privacy by design and industry best practices to protect data, taking into account the nature of the data at risk and the risk of harm to data subjects. Boom Learning has adopted the NIST Cybersecurity Framework as it is updated from time to time as its primary guidepost for selecting and implementing technologies, safeguards, and privacy practices; provided however, that Boom Learning may refer to and implement other protection models where appropriate. Security practices implemented include but are not limited to (a) limiting unsuccessful login attempts, (b) not persisting mobile app data, (c) remote log out for devices for Educators in the event of a lost, missing, or stolen device, (d) audit logs for activities posing a risk of breach and for actions that require accountability, and (e) enforcing minimum password complexity. Adoption includes periodic risk assessments of our practices and those of our subcontractors and subprocessors. 

Need-to-know access

Boom Learning employees, agents, and subcontractors are provided access to User Data on a need-to-know basis. Those with access to Student Data or Educator financial data are required to pass a background check. Such users are subject to obligations of confidentiality consistent with the promises and obligations in our Privacy Notice. 


Data is encrypted in transit and at rest using technologies and methodologies specified and permitted by the Secretary of the United States Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. Secure transport layers are used to prevent unauthorized access.

Authenticated Access

Data is only accessible through authenticated accounts (username and password). Passwords are encrypted. We cannot see your password or your students’ passwords. We provide tools in the app for you to reset passwords. Student passwords are set and reset by teachers. Use good password practices to keep your students safe. Our team members use password managers, and you should, too. Student Data is only accessible for Educators who have confirmed email addresses.

Protected Data Stores

The Primary data store is the Boom Learning database. This database contains the Student Data and Educator Data. User Data is encrypted in transit and at rest, stored in secure facilities, and with firewall protection.  

Boom Learning engages subcontractors (acting in roles similar to employees) and subprocessors (cloud-based service providers) to store and process User Data. See our subprocessor and subcontractor disclosure for our list of the current subcontractors and subprocessors. Boom Learning carries out adequate due diligence to ensure that any subcontractor or subprocessor can meet its obligations to Boom Learning under the law. Boom Learning will remain responsible for its compliance with its data protection obligations and for any acts or omissions of a subcontractor or subprocessor that cause Boom Learning to breach any of its data privacy and security obligations to you.

With respect to each subcontractor that receives User Data from Boom Learning, Boom Learning will enter into a written agreement under which the subcontractor must participate in annual privacy and security training, be subject to background checks if the subcontractor has access to Student Data, and use security measures consistent with those imposed on Boom Learning. 

With respect to each subprocessor that receives User Data from Boom Learning, Boom Learning will enter into a written agreement under which the subprocessor agrees it has no right of access to, use of, or disclosure of the Protected Data and under which the subprocessor agrees to apply security measures consistent with or greater than those imposed on Boom Learning by law or contract.


All employees and subcontractors who are granted authorization to access data are trained annually on Boom Learning’s security and privacy responsibilities and obligations, including threat awareness, threat protection, best security practices and safeguards, and company policies and procedures. Training is conducted more frequently as a response to evolving threats within the education community. Boom Learning provides users with information bulletins about how to maintain the security of Protected Data. Users who opt out of our newsletters will not receive such bulletins. Educators may contact us if there are security concerns or questions.

Security Incidents

We conduct a standard investigation for all security incidents. In the event of a security incident involving User Data, we will contact the account holder for the affected individual(s) using the information we have on file. 

If personal information was involved, we will provide notice to the affected Educators as soon as reasonably possible (within 7 days but usually more quickly), provided that we may delay notice if a law enforcement agency determines that the notice will impede a criminal investigation. Such notice will include in plain language What Happened, What Information Was Involved, When It Occurred, What We are Doing, What You Can Do, and For More Information. 

Some Educators may receive notice sooner if we have a contract stating a shorter window. We may notify additional people if we have a contract requiring additional notifications. In most cases, we do not collect or store information about students that would enable us to contact students or their parents directly. Educators must inform students and parents if student data is affected. We do not issue notice to students or parents unless we are instructed to do so under a contract requiring us to do so.

We will provide notices of data breaches to the appropriate regulators where required by law, and we may elect to provide such notice, at our option and in our sole discretion, where not required by law, unless we are under a lawful contract to the contrary. 

Not all security incidents are data breaches.  A breach typically includes harm that can be substantial (financial information, account credentials, medical information). It does not include harms that you merely think might happen — harm must be reasonably likely. A breach typically:

  • compromises the confidentiality or integrity of the data and in doing so 
  • is likely to cause harm to the data subjects impacted. 

A security incident in which there is unauthorized access to data that is encrypted is not a breach if the encryption key is not accessed or acquired. A security incident in which another person at the same entity with a similar confidentiality obligation to the data subject as the account holder accesses User Data is also not a breach. 

Portable Devices

Boom Learning uses portable computers and devices to access its servers. Such portable computers and devices are secured with passcodes and passwords and are subject to remote erasure in the case of loss. In the rare instance that Student Data is temporarily stored offline, the data is stored encrypted at rest.


Boom Learning performs frequent data backups (hourly or better) for system failure and disaster recovery purposes. Backups are encrypted. Backups are not used or accessed to recover Educator deleted data. If you say we should delete it, we take you at your word. Backups are stored only for as long as necessary to serve their recovery purpose, approximately 90 days.

Data Export and Transfer

To transfer Student Data from one Educator to another, or to receive a machine-readable data dump from an account, please follow our FAQ instructions on how to share a student or export data records. We can only make full account transfers between employees of the same purchasing entity. HIPAA accounts are blocked from sharing student data records. HIPAA accounts can export data records.

Automated Data Deletion

We do not automatically delete Entity accounts. Contact us if you need help deleting an Entity account. Deleting an Entity account deletes all Educators and students associated with the account.

We do not automatically delete Educators from Entity owned accounts. Entity managers can contact us if they need help deleting an Educator in an Entity-owned account. 

We do automatically delete certain Educator accounts, including certain Public Author accounts. The triggers for deletion are

  • It has been more than 365 days since the account was created,
  • It has been more than 365 days since the Educator last logged in, and
  • The account does not have a current active paid subscription.

Deleting an Educator account automatically deletes all student accounts associated with the Educator that have not been shared with another Educator. We keep de-identified financial records from deleted Educator accounts. All other items are deleted. For Public Authors and some Educators, we keep any deck that was sold or shared with another Educator so that the recipient can continue to use the deck. 

We may delete student play data from all accounts, regardless of subscription status, where play data is over five years old. Contact us if for any reason you need help exporting data you need to keep for more than five years.

We schedule student accounts to be deleted automatically from our system when the following triggers are met for students created in Entity accounts:

  • The Entity account no longer has any active subscription.
  • The Entity subscription has been expired for at least 60 days.
  • The Entity account was created at least 365 days ago.
  • The Entity has no pending requests for renewal quotations.

Entities can use self-help tools or contact us for sooner deletion.

We schedule student accounts to be deleted automatically from our system when the following triggers are met for students created in Educator accounts not associated with an Entity:

  • The Educator account no longer has any active subscription.
  • The Educator has not logged in for at least 180 days.
  • The Educator account was created at least 180 days ago.

Entities can use self-help tools or contact us for sooner deletion.

Google Add On deletion - section added March 19, 2024

The Boom Google Add On is in development. When deployed we will disclose here the specifics of deletion. Due to the architecture of the Google Add On, deletion will be based on time elapsed since a last student action, rather than on the last teacher action.