Table of Contents
- Introduction
- Definitions
- Types of Data Collected and Purpose
- Data Collection Protocols
- Data Storage and Protection
- Data Utilization
- Disclosure
- Data Retention
- Users in California
- Users in the European Union
- Security Incident Response
- Data Access and Correction
- Successor Entities
- User Responsibility
- Policy Consent
- Policy Updates
Introduction
As a digital education platform and service provider, QuaverEd interacts with a lot of sensitive data. This Privacy Policy describes how QuaverEd collects, utilizes, stores, transfers, and destroys sensitive data securely.
QuaverEd has a robust data security program in place to ensure the protection of the data we handle and to comply with all legal regulations, including FERPA and COPPA. We have a comprehensive data security manual detailing procedures for data collection, use, storage, transfer, destruction, and security incident response. All QuaverEd employees with access to sensitive data undergo criminal background checks, attend annual data security training, and sign confidentiality agreements.
Any questions regarding QuaverEd’s data security practices can be directed to privacydirector@QuaverEd.com.
Definitions
For the purposes of this Privacy Policy, the following terms are defined:
- Data Owner: An individual that has direct ownership claims over the data in question, or an individual that is an authorized representative of an organization that has ownership claims over the data in question. For instance, with student data the Data Owner might be the student themselves, the student’s parents, or a district IT administrator that is authorized to manage the district’s student data.
- Derivative Data: Information that is related to a user, but is created and exists within the QuaverEd program. For instance, student assessment data from assessments taken in the QuaverEd platform would be Derivative Data.
- Digital User Metadata: Information that is related to a user, and specifically a digital user or user account, but does not uniquely identify any real individual nor have permanent association to any real individual. For instance, Digital User Metadata might be a user’s browser information. While this data is related to a digital QuaverEd user, it does not uniquely identify any real individual, as many individuals might utilize the same browser version, nor is it permanently associated to any real individual, as any individual can use any browser at any time.
- Personally Identifiable Information (PII): [From FERPA] Information that can be used to distinguish or trace an individual’s identity either directly or indirectly through linkages with other information. At times this policy may distinguish between student PII and other user PII.
- User Data: A term that encompasses user PII, Digital User Metadata, and Derivative Data.
Types of Data Collected and Purpose
QuaverEd collects User Data only for educational purposes to fulfill our contractual obligations and provide services to our customers, acting as a School Official with a legitimate educational interest as defined in FERPA. QuaverEd does not collect, use, maintain, or share any personal information beyond that needed for authorized educational purposes.
All User Data is collected, used, and maintained securely and in compliance with all state and federal statutes, as will be described in further detail below. A complete, up-to-date listing of the data elements that QuaverEd collects and how each element is used can be found on our data collection notice.
Adult PII (Teachers, Counselors, Administrators, etc.)
QuaverEd collects a limited amount of PII from our adult educational users, including but not limited to teachers, school counselors, principals, and district administrators. For these users, we require name and email address. This identifying information is critical for the creation, protection, and maintenance of a QuaverEd licensed user account.
Student PII
QuaverEd does not require that any student PII be entered into our platform. QuaverEd offers the option of creating student accounts, but student accounts are not required. If an educational entity wants to utilize QuaverEd’s student account functionality, the educational entity may choose what student PII to share with the QuaverEd platform in order to do so. Student accounts may be created utilizing anonymous credentials. Student names, emails, and other PII are not required.
To make student account management more effective and intuitive, student PII may be shared with QuaverEd. Student names, emails, IDs, and more can be shared with QuaverEd to make it easier for students to log in and for teachers to identify students within the program.
Digital User Metadata
QuaverEd also collects Digital User Metadata such as IP, device, and browser information. This information is only used internally to allow us to better serve our users. For instance, we monitor the devices and browser versions used to access QuaverEd so that we can ensure that our platform continues to run smoothly on those devices and browser versions.
Derivative Data
QuaverEd collects Derivative Data, such as usage data, access data, assessment data, and more. This data is used for various educational purposes. Usage and access data is reported to educational organization leadership (school supervisors and district administrators) to provide insight into how their users are utilizing QuaverEd. QuaverEd also monitors usage and access data to determine how our program is being used and what new features might need to be developed to better support the educational purposes of educational organizations. Assessment data allows teachers to measure, track, and report student progress from within the QuaverEd platform.
Data Collection Protocols
QuaverEd has various methods for collecting User Data. Data may be collected directly from users or shared by administrative entities such as school or district IT departments.
Collecting Data From Users
In compliance with COPPA, QuaverEd never collects PII directly from any user under the age of 13 without the explicit consent of an authorizing adult such as the teacher, district representative, or guardian. Any data entry forms on QuaverEd, including but not limited to account sign up forms, contact forms, and more, require that users certify that they are over the age of 13 before entering any PII, or they require explicit authorization from an authorizing adult to collect such information from the student user. QuaverEd does not request PII directly from users under the age of 13 without the authorization of an authorizing adult through any methods, including but not limited to email, phone, or in-site forms.
Adult users, including but not limited to teachers, counselors, administrators, and parents, may be asked to share PII with QuaverEd to support critical account functionality or powerful educational features. For instance, a QuaverEd teacher may be asked to enter their teacher email address as this is critical for the creation, protection, and maintenance of a QuaverEd licensed teacher account. Teachers may also choose to enter student PII into QuaverEd in order to utilize powerful educational tools, such as assessments and gradebook functionality. Teachers must only enter student PII into QuaverEd if they or their parent educational organization have already obtained proper consent from the students’ parents.
All User Data is collected over secure channels. Data collected within QuaverEd’s program is always transferred securely using HTTPS and TLS protocols. If a user needs to deliver sensitive data to QuaverEd outside of the program itself, an sFTP transfer will be utilized. This ensures that all User Data collected is securely transferred and encrypted in motion.
Collecting Data From Administrative Entities (School or District IT)
Following educational industry trends and best practices, much of the User Data that QuaverEd collects is shared by a higher administration entity of an educational organization, rather than by an individual user. QuaverEd receives User Data from schools and districts utilizing secure exchange protocols agreed upon by both parties. These secure exchange methods include but are not limited to sFTP transfers and API exchange using HTTPS and TLS protocols.
All data exchanges of this nature are set up with the administrative entity’s approval and participation in an effort to provide a better service to their users. QuaverEd collects the data needed to support only the educational purposes of our users, acting as a School Official with a legitimate educational interest as defined in FERPA. Administrative entities, including but not limited to school and district IT teams, must obtain proper consent from their students’ parents or guardians before sharing student data with QuaverEd.
Data Storage and Protection
QuaverEd takes significant measures to protect all User Data in our possession. We follow industry best practices and comply with all state and federal statutes and contractual obligations.
All student PII is stored encrypted in place at all times utilizing at least 256 bit encryption protocols. All User Data is stored in access-restricted systems within the United States. Only authorized QuaverEd employees can access sensitive data, and only to serve the needs of our users. All QuaverEd employees with access to any User Data undergo criminal background checks, attend annual data security training, and sign confidentiality agreements. QuaverEd does not disclose User Data to any third parties.
Data Utilization
We advertise through various digital platforms and temporarily capture metadata. To read more about our cookie policy click here. We will never sell this data and use it only for advertising and marketing purposes. If you wish to opt out, make a data subject request through each social media platform. Also, we do not target individuals under 18.
QuaverEd does not disclose any user profile data to third parties.
Specific User Data elements are utilized for differing purposes. For instance, a student’s name might be utilized to populate a teacher’s class roster in QuaverEd and allow the teacher to identify the student within the program. A teacher’s email address might be used for critical account communications. A complete, up-to-date listing of the data elements that QuaverEd collects and how each element is used can be found on our data collection notice.
Disclosure
QuaverEd does not disclose User Data to any third parties without the express, written consent of the Data Owner. QuaverEd never sells student data for any reason. QuaverEd only transfers User Data to verified, authorized recipients using secure transfer protocols that encrypt the data in motion. We have internal rules and procedures in place for determining authorized recipients and verifying their identity. We do not share User Data, even de-identified, with any third parties.
QuaverEd sometimes employs subcontractors to fulfill our duties to our customers. Any subcontractors employed by QuaverEd who are given any access to User Data are held to QuaverEd’s strict protocols and standards regarding the handling and protection of that data.
QuaverEd is a digital platform with a sophisticated web architecture. While all systems are designed and managed by QuaverEd, our web hosting infrastructure is provided by Amazon Web Services (AWS). QuaverEd does not explicitly disclose any sensitive data to AWS, but the data in QuaverEd’s possession is stored on AWS systems within the United States. AWS is one of the largest web hosting providers in the world, with robust security procedures in place. AWS meets or exceeds QuaverEd’s strict protocols for data security and complies with all federal and state statutes, including FERPA.
Data Retention
QuaverEd retains User Data as long as it is useful to provide services to the Data Owner. As long as the Data Owner’s data is being utilized to support features being used by that Data Owner, QuaverEd will continue to collect and store the data. When the data is no longer in use, QuaverEd will de-identify any User Data so that it can no longer be associated to any real individual. QuaverEd will retain the de-identified User Data solely for internal research and product development purposes.
The Data Owner may request that QuaverEd de-identify or securely destroy their User Data in our possession at any time. If a Data Owner requests that QuaverEd de-identify or securely destroy their data, QuaverEd will obtain verified authorization from the Data Owner before completing the requested action. Once authorization is obtained, QuaverEd will de-identify or securely destroy the data specified and will provide certification to the Data Owner that the action has been completed.
Data authorized for destruction will be securely destroyed following industry best practices, such as NIST SP 800-88. Depending on the data storage format, the destruction method will vary. The data destroyed will not be recoverable within the normal course of business.
Users in California
Users who are California residents have certain rights under the California Consumer Privacy Act (“CCPA”). If you are an eligible California user, included in these rights are:
- “Right to Know” — You have the right to request to know more about the categories and specific pieces of personal information that we have collected about you and to access a copy of your personal information.
- “Right to Delete” — You have the right to request deletion of personal information that we have collected about you.
- “Right to Non-Discrimination” — If you choose to exercise any of your rights under CCPA, QuaverEd will treat you like all other users. In other words, there is no penalty for exercising your rights under CCPA.
- “Right to Opt-Out” — You have the right to opt out of the sale of your personal information, but QuaverEd does not sell customer information.
To exercise any of these rights under CCPA, please email privacydirector@quavered.com or write to us at QuaverEd, 65 Music Square West, Nashville, TN 37203. CCPA allows you to designate an authorized agent to make these requests on your behalf. For your protection, we may require that the request be sent through the email address associated with your account, and we may need to verify you.
Users in the European Union
QuaverEd (“we,” “our,” “us,” “the Company”) takes its obligations under General Data Protection Regulation (GDPR) and applicable data privacy law seriously. We process Personal Data of our clients, employees, workers, and other third parties.
We recognize that the correct and lawful treatment of Personal Data will maintain confidence in the organization and will provide for successful business operations. Protecting the confidentiality and integrity of Personal Data is a critical responsibility that we take seriously at all times.
We adhere to the principles relating to Processing of Personal Data set out in the GDPR, which require Personal Data to be:
- Processed lawfully, fairly, and in a transparent manner (Lawfulness, Fairness, and Transparency).
- Collected only for specified, explicit, and legitimate purposes (Purpose Limitation).
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimization).
- Accurate and, where necessary, kept up to date (Accuracy).
- Not kept in a form that permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation).
- Processed in a manner that ensures its security using appropriate technical and organizational measures to protect against unauthorized or unlawful Processing and against accidental loss, destruction, or damage (Security, Integrity, and Confidentiality).
- Not transferred to another country without appropriate safeguards being in place (Transfer Limitation).
- Made available to Data Subjects and Data Subjects allowed to exercise certain rights in relation to their Personal Data (Data Subject’s Rights and Requests).
Security Incident Response
QuaverEd has a robust Security Incident Response Plan in place to respond to any data security incidents quickly and effectively. The plan is divided into five key phases:
- Prevent or Mitigate Breach – As soon as QuaverEd becomes aware of any potential issue that could result in the unauthorized disclosure of sensitive data, our response team will immediately take any actions possible to prevent or mitigate the disclosure.
- Assess Impact – QuaverEd will then assess the Security Incident and determine if there was a confirmed Security Breach, defined as a confirmed unauthorized disclosure of sensitive data. If there was a Security Breach, we will assess what data was disclosed and to whom.
- Notify – In the case of a Security Breach, affected users and Data Owners will be notified of the details of the disclosure.
- Remediate – QuaverEd will work to address any security vulnerabilities illuminated by the incident in order to prevent future incidents. We will also assess our own response execution and make improvements to our Security Incident Response Plan where possible.
- Report – QuaverEd will write a retrospective report including the full details of the incident and our response. This report may be made available to customers upon request, with the understanding that certain security details may need to be redacted to protect QuaverEd’s security infrastructure and the data still in QuaverEd’s possession.
A full version of QuaverEd’s Security Incident Response Plan may be shared with customers upon request.
In the event of a suspected security breach or unethical behavior, any customer or member of the public may contact QuaverEd support at info@quavered.com or (866) 917-3633 to report the incident.
Data Access and Correction
Data Owners can contact QuaverEd with inquiries regarding their User Data. QuaverEd will provide data requested to verified authorized recipients. If any User Data is found to be inaccurate or requires corrections, QuaverEd will update the data as needed to ensure it is accurate. All data inquiries can be directed to QuaverEd’s support team at privacydirector@quavered.com. In accordance with certain statutes and contractual requirements, QuaverEd may direct students and parents of students to request data access or adjustments through their educational organization.
Successor Entities
If QuaverEd is ever sold or merged with another business entity, the new parent business entity will agree to adhere to the same data security standards as QuaverEd before any user data in QuaverEd’s possession is shared with the new business entity. If the new business entity does not agree to uphold the same or stricter data security standards as QuaverEd, then all existing QuaverEd users will be notified of the impending business change and be allowed to choose whether they want their User Data shared with the new business entity or destroyed.
User Responsibility
QuaverEd agrees to follow industry best practices and comply with all legislation regarding the handling and protection of User Data. We have significant security protocols in place to ensure User Data is protected during collection, storage, and transit. QuaverEd does not accept responsibility for unauthorized disclosure of User Data that occurs as a direct result of customer or user negligence. Users should utilize strong passwords and access QuaverEd utilizing secure networks. Users should never share their access credentials or personal data with any unauthorized parties or over any insecure channels.
Policy Consent
Any individual over the age of 18 years old who establishes a QuaverEd account or purchases a QuaverEd license authorizes QuaverEd to collect and utilize their User Data. QuaverEd is authorized to collect and utilize User Data for users under the age of 18 (students) when a parent, guardian, or educator of such student (a) establishes a QuaverEd account for the student user; (b) instructs the student user to establish a QuaverEd account; or (c) directs the student user to complete educational tasks (assignments, activities, and the like) utilizing the QuaverEd platform. QuaverEd is also authorized to collect and utilize User Data for any users created as a result of bulk User Data exchange from an educational organization administrative entity.
Policy Updates
This Privacy Policy may be updated periodically to reflect new data security protocols and address compliance with new data security legislation. Immaterial updates, such as basic contact information updates, may be made at any time without user notice. If and when any material updates to this policy are made, users will be provided with notice and the opportunity to provide new consent.