Peoples Education Inc. dba Mastery Education

Measuring Up Live Data Handling and Privacy Policy

Last Reviewed or Updated: March 26th, 2021

Peoples Education Inc. dba Mastery Education (“ME”), the makers of the website Measuring Up
Live 2.0 (“MUL2”) and the Measuring Up Programs, is committed to assuring the privacy of
student users (“Students”) of our educational products and services (“Services”), the Teachers,
Administrators, and other applicable Faculty of educational institutions that subscribe to our
Services (“Faculty”), and visitors to MUL2.

This Data Handling and Privacy Policy sets forth our information handling practices and
obligations with respect to data we gather and use in delivering Services to Students and Faculty
through subscribing schools, school districts, and other educational institutions (collectively,
“Service Data”).

This Data Handling and Privacy Policy also separately describes the information (other than
Service Data) that we gather from users of MUL2, how we use that information, and what we do
to protect it. By visiting or using MUL2, you expressly consent to the information handling
practices described in this Data Handling and Privacy Policy. Your use of MUL2 and any
information you provide via MUL2 are subject to the terms of this Data Handling and Privacy
Policy.

Service Use and Service Data

ME provides Services solely to and through subscribing schools, school districts, and other
educational institutions (“Schools”). Identity information for Students and Faculty for Service
delivery is provided to ME by Schools and is not separately solicited by ME. The information
provided to us by Schools may include certain individually identifiable information, including
Students’ names and grade levels and Faculty names, titles, and email addresses. We also collect
and record data identifiable to individual Students and Faculty regarding their use or
administration of, and interaction with, our Services. At the request of a School, we may also
accept and include in reports we provide to the School additional Student data, including class
name, room number, race/ethnicity, socioeconomic status, disability, and other information.
Collectively, the information we receive regarding Students and Faculty that is generated through
their interaction with our Services constitutes Service Data as defined above.

ME uses Service Data solely to deliver the Services to and through associated Schools, provide
Students with individualized content within those Services, and provide Faculty with reports on
Students’ academic progress in using the Services. ME does not collect any more individually
identifiable information about Students and Faculty than is reasonably necessary to administer
and provide our Services and individualized content to Students and their Schools, or to generate
School-requested reports on individual Student academic progress.

Except as directed by the responsible subscribing School, ME does not disclose Student or
Faculty information or other Service Data that is identifiable to an individual to third parties.

Students and Faculty are provided private usernames and passwords to access applicable
Services and associated Service Data by ME. These identification credentials allow Students to
gain access to the Services to which their Schools subscribe and allow Faculty to create
assignments and track Student progress and assignment completion. ME Services and associated
Service Data are not made accessible to anyone other than our employees, contractors, and
agents involved in Service development, delivery, and administration and those accessing the
Services or associated Service Data using assigned usernames and passwords.

If the parent or legal guardian of a Student wants to review the information that ME has collected
through MUL2 about the Student or learn more about the Service(s) the Student is participating
in, he or she should contact the Student’s School.

ME makes reasonable efforts to secure Service Data against unauthorized access. These efforts
include employment of physical, administrative, and technical safeguards based on currently
available technology and practices to promote the integrity and security of the Services and
Service Data.

General Terms for Website User Data

ME does not require MUL2 visitors to register and does not solicit personal information as a
condition to visitor access to general information on our website. For Students and Faculty who
access our Services through MUL2, specific terms applicable to collection and use of Service Data
are described above, but the following terms also apply to your use of the MUL2, including
access to Services through the Website.

  1. Website Use Information Collected

    Like most websites we may send one or more cookies – small text files containing a string
    of alphanumeric characters – to the device by which you access MUL2. Cookies collect
    about user activities on a website. Their use enables us to provide a more personalized
    experience to visitors, including Students and Faculty who access Services through MUL2.
    When a user logs out of MUL2, his/her data is wiped out from the session. As well, if he/she
    closes the browser the data is wiped out after session timeout. The session time out is 20
    minutes. ME guides and instructs users to always use the log out function when finished.

    ME does use Google Analytics™, a third-party service provider, to track visitors coming to
    the MUL2 login page. However, this third-party service provider is unable to pass the MUL2
    login screen and therefore is unable to access any information on Students or Faculty.

  2. Correspondence and Information Requests

    Users of the MUL2 may submit comments, questions, and other correspondence and make
    requests for information about our Services via the website. Personal information
    submitted in connection with such correspondence and requests is treated consistent with
    this Privacy Policy. If you submit an item of correspondence that includes a testimonial
    about our Services, we may publish applicable portions of the correspondence for
    informational or marketing purposes. However, we will not identify the author of such
    correspondence using personal information provided unless we obtain the author’s
    consent to do so. For correspondence received from children we believe are under the age
    of 18, we will not identify them using provided personal information without their parent’s
    or guardian’s consent.

  3. Access and Use of Collected Information

    ME permits access to information about MUL2 visitors only to those of its employees who
    have a legitimate operational reason for such access.

    ME does not rent or sell personal information that we collect to third parties.

    In certain instances, ME may work with business partners to improve our services or
    offerings. We may disclose aggregated anonymized statistical data to authorized business
    partners to conduct research on online education or assist in understanding the usage,
    viewing, and demographic patterns for certain Services and/or functionality on MUL2.

    ME may also disclose MUL2 usage information if required to do so by law, or if we have a
    good-faith belief that such action is necessary to comply with local, state, federal,
    international, or other applicable laws (such as U.S. Copyright law) or respond to a court
    order, judicial or other government subpoena or warrant, or administrative request. In
    some cases, we may make such disclosures without first providing notice to applicable
    MUL2 users.

  4. Personally Identifiable Information (PII)

    ME takes the protection of our customers’ data and information, especially student users,
    very seriously.
    ME handles all Service Data in a manner consistent with applicable laws and regulations,
    including, without limitation, the Federal Family Educational Rights and Privacy Act
    (FERPA), California Student Online Personal Information Protection Act (SOPIPA), Children
    Online Privacy Protection Act (COPPA), and other state student data privacy protection
    laws.

    Educator data collected (District Administrators, School Administrators,
    Teachers) for schools to implement
    Required Data Optional Data
    First and last name Middle name
    Email Address Title
    Username Phone
    Password
    Class*

    Student data collected for schools to implement
    Required Data Optional Data
    First and last name Middle name ESL
    Student ID number Email Address Gifted Talented
    Grade level Gender LEP
    Username Date-of-birth Risk Type
    Password Ethnicity At Risk Status
    Class* Migrant Special Education
    Bilingual Title 1
    Disadvantaged Title 1 Details
    Status
    *Required dependent upon level of subscription access
  5. Employee and Third-Party Security and Privacy Training

    Employees
    Access to MUL2 data is limited to only a few ME authorized personnel. All authorized
    personnel go through a stringent training process in best practices and procedures when
    handling the data and/or making modifications to MUL2 system. All ME authorized
    personnel sign an information security agreement.

    Authorized Third-Party Entities
    All Authorized Third-Party Entities have limited access to the MUL2 data for the purpose of
    developing, implementing, or supporting clients go through the same stringent training
    process in best practices and procedures when handling the data and/or making
    modifications to MUL2 system. Third-Party Entities are required to sign an information and
    security non-disclosure agreement.

  6. Technologies and Services

    MUL2 is Software as a Service (SaaS) and only requires a web browser and internet
    connection to access it. See MUL2 system requirements for supported browsers and
    devices information.

    MUL2 is implemented using the following Microsoft based technologies.

    • Developed on a Microsoft .Net framework with JavaScript frameworks and libraries
    • Deployed on Microsoft Azure Cloud architecture

    Microsoft Azure Cloud guarantees service availability 99.7% on a yearly basis. ME
    guarantees 24/7 support team to address any inquiry.

  7. Security Measures and Procedures

    ME makes reasonable efforts to secure MUL2 and the information users send to us against
    unauthorized access and corruption. These efforts include employment of physical,
    administrative, and technical safeguards based on currently available technology and
    practices to promote the integrity and security of Website user information we collect. ME
    implements the best in cybersecurity and data management practices to protect customer
    connection, data access, and availability.

    1. Infrastructure

      1. Azure Portal Access: The Azure portal is accessible by authorized
        administrative users with multi-factor authentication (MFA).

      2. RDP Servers Access: The MUL2 servers can be accessed only by a couple and
        authorized administrative users. It is required VPN authentication and
        connection. Remote desktop connection by public internet IP's is denied
        excepted the whitelisted.

      3. VPN: ME utilizes Fortinet Firewall and VPN connection to access MUL2 servers
        and databases.

      4. Firewall: VPN firewall, Azure Firewall, and Virtual Machine firewall layers with
        restricted inbound and outbound policies are set up to filter and limit access.

      5. Antivirus: All server (VMs) endpoints are protected with Webroot
        SecureAnywhere with restricted policies to protect the MUL2 environment. All
        administrative user endpoints are protected with Avast CloudCare with restricted
        policies.

      6. Azure Virtual Machine (VM) Encryption: All VM and VM snapshot backups
        are stored in Azure Storage Accounts with private access and protected with
        Azure Vault Keys.

      7. Azure Virtual Hard Drive (VHD) Encryption: All operation systems and data
        VHDs are encrypted with BitLocker, stored in Azure Storage Accounts with
        Private access, and protected with Azure Vault Keys.

    2. Data Protection

      1. Transportation Level: The data are encrypted with an SSL certificate by
        ComodoCA©, renewed every two years.

      2. Rest Level: The data are encrypted with Microsoft SQL Server 2014 Enterprise
        Edition SP3 utilizing Transparent Data Encryption (TDE) with AES 128-bit.

      3. Database Backup and Transaction Log Backup: Following the backup policy,
        the database backups and transaction log backups are backed-up and stored on
        Azure Storage Accounts protected with security keys. All the backups are
        encrypted with the master key and asymmetric keys for restoration protection.

    3. Backups

      1. VM Servers Snapshot: A VM server snapshot backup policy is applied with
        daily virtual machine snapshot backups with 30 days retention for virtual
        machine snapshots stored at Azure Recovery Services Vault.

      2. Database Backups: A Database backup policy is applied with weekly full
        database backups, with three times daily differential backups, followed by every
        five (5) minutes, transaction log backups with 60 days retention period.

      3. Backups Reliabilities and Tests All backups are configured to be verified after
        the conclusion, and a CHEKSUM is performed before saving them to Azure
        Storage Account.

    4. Replication

      The backup files are stored in an account with Azure Geo-Replication on East US
      (Primary) and West US (Secondary). The MUL2 solution uses the Azure locally
      redundant storage (LRS) method.

    5. Data Retention

      The Faculty is retained in the MUL2 databases while there is a valid purchased order.
      After expiration, the District or School has thirty (30) days to export the student data or
      open a data extraction request to ME team.

      The data is exported in .csv file format, and after 30 days of the purchased order
      expiration data, all faculty data will be deleted entirely from the database. The data
      exported in .csv cannot be imported and restored at the state before data, and it is
      managed and stored by the customer's responsibility.

    6. Disaster Recovery Plan

      A DRP that is composed of alerts, procedures, documentation, software, data, and
      allocated human resources to address and tackle any critical issue to prevent disasters.

  8. Emergency and Communication Services

    If an emergency incident arises that involves the security of MUL2 data, ME will
    immediately alert the main administrator on the MUL2 account via email.

  9. Changes and Updates to this Privacy Policy

    ME may modify or revise this Privacy Policy from time to time. Changes to our Privacy
    Policy will become effective when posted, with an updated date of revision, on our
    Website.

  10. Contacting ME

    Please contact ME with any questions or comments about this Privacy Policy by email at
    support@perfectionlearning.com or by mail at: Peoples Education dba Mastery Education,
    25 Philips Parkway, Montvale NJ 07645.