Privacy Policy for Measuring Up Live

Data handling and privacy policy for Measuring Up Live.

Overview

Perfection Learning Corporation (“PLC”), the makers of the website Measuring Up Live (“MUL”) and the Measuring Up Programs, is committed to assuring the privacy of student users (“Students”) of our educational products and services (“Services”), the Teachers, Administrators, and other applicable Faculty of educational institutions that subscribe to our Services (“Faculty”), and visitors to MUL.

This Data Handling and Privacy Policy sets forth our information handling practices and obligations with respect to data we gather and use in delivering Services to Students and Faculty through subscribing schools, school districts, and other educational institutions (collectively, “Service Data”).

This Data Handling and Privacy Policy also separately describes the information (other than Service Data) that we gather from users of MUL, how we use that information, and what we do to protect it. By visiting or using MUL, you expressly consent to the information handling practices described in this Data Handling and Privacy Policy. Your use of MUL and any information you provide via MUL are subject to the terms of this Data Handling and Privacy Policy.

Service Use and Service Data

PLC provides Services solely to and through subscribing schools, school districts, and other educational institutions (“Schools”). Identity information for Students and Faculty for Service delivery is provided to PLC by Schools and is not separately solicited by PLC. The information provided to us by Schools may include certain individually identifiable information, including Students’ names and grade levels and Faculty names, titles, and email addresses. We also collect and record data identifiable to individual Students and Faculty regarding their use or administration of, and interaction with, our Services. At the request of a School, we may also accept and include in reports we provide to the school additional Student data, including class name, room number, race/ethnicity, socioeconomic status, disability, and other information. Collectively, the information we receive regarding Students and Faculty that is generated through their interaction with our Services constitutes Service Data as defined above.

PLC uses Service Data solely to deliver the Services to and through associated Schools, provide Students with individualized content within those Services, and provide Faculty with reports on Students’ academic progress in using the Services. PLC does not collect any more individually identifiable information about Students and Faculty than is reasonably necessary to administer and provide our Services and individualized content to Students and their Schools, or to generate School-requested reports on individual Student academic progress.

Except as directed by the responsible subscribing School, PLC does not disclose Student or Faculty information or other Service Data that is identifiable to an individual to third parties.

Students and Faculty are provided private usernames and passwords to access applicable Services and associated Service Data by PLC. These identification credentials allow Students to gain access to the Services to which their Schools subscribe and allow Faculty to create assignments and track Student progress and assignment completion. PLC Services and associated Service Data are not made accessible to anyone other than our employees, contractors, and agents involved in Service development, delivery, and administration and those accessing the Services or associated Service Data using assigned usernames and passwords.

If the parent or legal guardian of a Student wants to review the information that PLC has collected through MUL about the Student or learn more about the Service(s) the Student is participating in, he or she should contact the Student’s School.

PLC makes reasonable efforts to secure Service Data against unauthorized access. These efforts include employment of physical, administrative, and technical safeguards based on currently available technology and practices to promote the integrity and security of the Services and Service Data.

General Terms for Website User Data

PLC does not require MUL visitors to register and does not solicit personal information as a condition to visitor access to general information on our website. For Students and Faculty who access our Services through MUL, specific terms applicable to collection and use of Service Data are described above, but the following terms also apply to your use of the MUL, including access to Services through the Website.

Use of Information Collected

Like most websites we may send one or more cookies – small text files containing a string of alphanumeric characters – to the device by which you access MUL. Cookies collect about user activities on a website. Their use enables us to provide a more personalized experience to visitors, including Students and Faculty who access Services through MUL. When a user logs out of MUL, his/her data is wiped out from the session. As well, if he/she closes the browser the data is wiped out after session timeout. The session time out is 20 minutes. PLC guides and instructs users to always use the log out function when finished.

PLC does use Google Analytics™, a third-party service provider, to track visitors coming to the MUL login page. However, this third-party service provider is unable to pass the MUL login screen and therefore is unable to access any information on Students or Faculty.

Correspondence and Information Requests

Users of the MUL may submit comments, questions, and other correspondence and make requests for information about our Services via the website. Personal information submitted in connection with such correspondence and requests is treated consistent with this Privacy Policy. If you submit an item of correspondence that includes a testimonial about our Services, we may publish applicable portions of the correspondence for informational or marketing purposes. However, we will not identify the author of such correspondence using personal information provided unless we obtain the author’s consent to do so. For correspondence received from children we believe are under the age of 18, we will not identify them using provided personal information without their parent’s or guardian’s consent.

Access and Use of Collected Information

PLC permits access to information about MUL visitors only to those of its employees who have a legitimate operational reason for such access.

PLC does not rent or sell personal information that we collect to third parties.

In certain instances, PLC may work with business partners to improve our services or offerings. We may disclose aggregated anonymized statistical data to authorized business partners to conduct research on online education or assist in understanding the usage, viewing, and demographic patterns for certain Services and/or functionality on MUL.

PLC may also disclose MUL usage information if required to do so by law, or if we have a good-faith belief that such action is necessary to comply with local, state, federal, international, or other applicable laws (such as U.S. Copyright law) or respond to a court order, judicial or other government subpoena or warrant, or administrative request. In some cases, we may make such disclosures without first providing notice to applicable MUL users.

Personally Identifiable Information (PII)

PLC takes the protection of our customers’ data and information, especially student users, very seriously.

PLC handles all Service Data in a manner consistent with applicable laws and regulations, including, without limitation, the Federal Family Educational Rights and Privacy Act (FERPA), Student Online Personal Protection Act (SOPPA), Children Online Privacy Protection Act (COPPA), and other state student data privacy protection laws.

Educator Data Collected

District Administrators, School Administrators, Teachers for school to implement:

Required Data

Optional Data

First Name

Last Name

Email Address

Username

Password

Class*

Middle Name

Title

Phone

Student Data Collected

Required Data

Optional Data

First Name

Last Name

Student ID Number

Grade Level

Username

Password

Class*

Middle Name

Email Address

Gender

Date-of-Birth

Ethnicity

Migrant

Bilingual

Disadvantaged Status

ESL

Gifted Talented

LEP

Risk Type

At Risk Status

Special Education

Title 1

Title 1 Details

* Required dependent upon level of subscription access.

Employee and Third-Party Security and Privacy Training

Employees

Access to MUL data is limited to only a few PLC authorized personnel. All authorized personnel go through a stringent training process in best practices and procedures when handling the data and/or making modifications to MUL system. All PLC authorized personnel sign an information security agreement.

Authorized Third-Party Entities

All Authorized Third-Party Entities have limited access to the MUL data for the purpose of developing, implementing, or supporting clients go through the same stringent training process in best practices and procedures when handling the data and/or making modifications to MUL system.

Third-Party Entities are required to sign an information and security non-disclosure agreement and maybe used to support servicing customers. PLC nor its third-party entities are prohibited from transferring any data to third-parties for any of the folloiwing reasons:

Targeted advertising

Selling to data brokers

Providing to information resellers

Lending purposes

User advertisements

Personalized advertisements

Retargeted advertisements

Interest-based advertisements

Technologies and Services

MUL is Software as a Service (SaaS) and only requires a web browser and internet connection to access it. See MUL system requirements for supported browsers and devices information.

MUL is developed on Microsoft .NET Framework with JavaScript Frameworks and libraries. MUL is deployed on Microsoft Azure Cloud infrastructure based in the United States.

Microsoft Azure Cloud guarantees service availability 99.7% on a yearly basis. PLC guarantees 24/7 support team to address any inquiry.

Security Measures and Procedures

PLC makes reasonable efforts to secure MUL and the information users send to us against unauthorized access and corruption. These efforts include employment of physical, administrative, and technical safeguards based on currently available technology and practices to promote the integrity and security of Website user information we collect. PLC implements the best in cybersecurity and data management practices to protect customer connection, data access, and availability.

Infrastructure

Azure Portal Access

The Azure portal is accessible by authorized administrative users with multi-factor authentication (MFA).

RDP Servers Access

The MUL servers can be accessed only by a couple and authorized administrative users. It is required VPN authentication and connection. Remote desktop connection by public internet IP's is denied excepted the whitelisted.

1. VPN: PLC utilizes Fortinet Firewall and VPN connection to access MUL servers and databases.

2. Firewall: VPN firewall, Azure Firewall, and Virtual Machine firewall layers with restricted inbound and outbound policies are set up to filter and limit access.

3. Antivirus: All server (VMs) endpoints are protected with Webroot SecureAnywhere with restricted policies to protect the MUL environment. All administrative user endpoints are protected with Avast CloudCare with restricted policies.

4. Azure Virtual Machine (VM) Encryption: All VM and VM snapshot backups are stored in Azure Storage Accounts with private access and protected with Azure Vault Keys.

5. Azure Virtual Hard Drive (VHD) Encryption: All operation systems and data VHDs are encrypted with BitLocker, stored in Azure Storage Accounts with Private access, and protected with Azure Vault Keys.

Data Protection

1. Transportation Level: The data are encrypted with an SSL certificate by GodaddyCA©, renewed every two years.

2. Rest Level: The data are encrypted with Microsoft SQL Server 2014 Enterprise Edition SP3 utilizing Transparent Data Encryption (TDE) with AES 128-bit.

3. Database Backup and Transaction Log Backup: Following the backup policy, the database backups and transaction log backups are backed-up and stored on Azure Storage Accounts protected with security keys. All the backups are encrypted with the master key and asymmetric keys for restoration protection.

Backups

1. VM Servers Snapshot: A VM server snapshot backup policy is applied with daily virtual machine snapshot backups with 30 days retention for virtual machine snapshots stored at Azure Recovery Services Vault.

2. Database Backups: A Database backup policy is applied with weekly full database backups, with three times daily differential backups, followed by every five (5) minutes, transaction log backups with 60 days retention period.

3. Backups Reliabilities and Tests All backups are configured to be verified after the conclusion, and a CHEKSUM is performed before saving them to Azure Storage Account.

Replication

The backup files are stored in an account with Azure Geo-Replication on East US (Primary) and West US (Secondary). The MUL solution uses the Azure locally redundant storage (LRS) method.

Data Retention

The Faculty is retained in the MUL databases while there is a valid purchased order. After expiration, the District or School has thirty (30) days to export the student data or open a data extraction request to PLC team.

The data is exported in .csv file format, and after 30 days of the purchased order expiration data, all faculty data will be deleted entirely from the database. The data exported in .csv cannot be imported and restored at the state before data, and it is managed and stored by the customer's responsibility.

Disaster Recovery Plan

A DRP that is composed of alerts, procedures, documentation, software, data, and allocated human resources to address and tackle any critical issue to prevent disasters.

Emergency and Communication Services

If an emergency incident arises that involves the security of MUL data, PLC will immediately alert the main administrator on the MUL account via email.

Changes and Updates to this Privacy Policy

PLC may modify or revise this Privacy Policy from time to time. Changes to our Privacy Policy will become effective when posted, with an updated date of revision, on our website.

Contacting PLC

Please contact PLC with any questions or comments about this Privacy Policy by email at support@perfectionlearning.com or by mail at:

Perfection Learning Corporation

1000 North Second Avenue,

Logan, IA 51546-1061