Security Statement

User Data Collection and Usage

‍

What Personal Information We Collect

We collect the categories of Personal Information as specified in our Privacy Policy. We design our Services and Platform to gather data and integrate security and privacy into our systems to protect data, prevent unauthorized access and ensure compliance and industry standards.

‍

How User Data is Stored

• All Personal Information is encrypted using AES-256 encryption at rest

• Data in transit is protected with TLS 1.2 encryption

• Information is stored in Microsoft Azure cloud infrastructure with education-specific compliance certifications

• Access is controlled through multi-factor authentication and role-based permissions

‍

Data Retention Periods

• Education Institutions maintain complete control over retention periods

• Default retention period is set per Education Institution requirements

• After the default retention period is over, we encrypt sensitive data such that it is unreadable

• Complete deletion capabilities are available to Education Institutions at any time

‍

How User Data is Used

• For providing educational services as specified in our agreements with Education Institutions and for purposes specified in our Privacy Policy

• To facilitate personalized learning experiences

• For administrative functions requested by the Education Institution

• For Platform improvement (using aggregated, de-identified, anonymized data only)

• Personal Information is not used for advertising or marketing

‍

Third-Party Data Sharing

• Personal Information is not sold to third parties other than in relation to a sale of our business or assets as set forth in our Privacy Policy

• CheckIT Learning adheres to data minimization practices, and does not disclose sensitive Personal Information to third parties. 

‍

‍User Control Over Data

• Access and Review: Teachers, parents, students (where applicable) and Education Institution school administrators have the right to access and review Personal Information stored on the Platform.
• User Permissions: School administrators are authorized to create, edit and remove user accounts. In addition, they can assign, modify and revoke user permissions across teacher and student user levels. School administrators are responsible for configuring security setting and managing overall access policies. If permitted by school administrators, teachers may have limited access to edit optional information for student user accounts.
• Correction and Updates: Teachers, students and parents can update certain Personal Information (e.g. preferred name, interests and hobbies, ethnicity and social media handles) in their account settings, and they can request corrections or updates to other types of Personal Information through the school administrators.
• Data Deletion: Education Institutions manage deletion requests, ensuring data is removed in compliance with FERPA, GDPR, and other relevant regulations.
• Consent Management: Education Institutions oversee consent collection and can modify or revoke permissions as needed.
• Data portability options for Education Institution transfers

‍

Regulatory Framework Implementation

We prioritize compliance and strive to  achieve compliance with applicable laws.

‍

FERPA Implementation

• User records are accessible only to authorized educational personnel

• Comprehensive access controls with Education Institution oversight

• Audit and monitoring mechanisms implemented to ensure that Personal Information is handled according to CheckIT Learning’s policies and procedures.
• Education Institution-controlled data management and disclosure processes, including notice, consent and opt-out

• Mechanisms for handling parental rights requests

‍

COPPA Implementation

• Education Institution consent management for under-13 users

• Educational-purpose data collection restrictions

• Transparent policies for Education Institution administrators and parents

• Third-party integration controls is enabled in alignment with the Education Institutions and is diligently reviewed and approved prior to activation.

‍

GDPR Implementation

• Complete data encryption throughout the Platform

• Streamlined processes for exercising privacy rights

• Educational-only data usage policies

• Dedicated privacy officer oversight

‍

CIPA Implementation

• Advanced content filtering technology

• Proactive content moderation systems

• Administrative controls for external resources

‍

Technical Security Architecture

Our Platform implements a security program that runs on Secure Software Development Lifecycle (Secure SDLC) standards. Our Platform employs enterprise-grade security measures:

‍

System Security

• TLS 1.2 encryption for all data in transit

• AES-256 encryption for stored information

• We use Azure Cloud infrastructure which is ISO 27001-certified with other education-specific compliance certifications

• Granular permission systems for information access where access is role-based, audited, and tightly scoped.
• Our company and employee devices are secure, encrypted, tracked, and have mandatory multifactor authentication applied.
• Employees receive training on data protection, security, and confidentiality

‍

AI and Analytics

• CheckIT Learning does not use Education Institution data to train AI systems without permission

• Transparent AI operations with limited data requirements

• No advertising or marketing applications on the Platform

• We apply human-in-the-loop approach, AI supports decisions but never replaces educators. Teachers maintain full control and make final decisions. We provide reminders and notifications for the content that is AI generated.
• We have a rigorous AI governance program with security and privacy safeguards built in process from the design phase through the implementation, verification and validation of our products and services.

‍

Transparency Commitment

We maintain open communication about our data practices through:

• Accessible documentation for all stakeholders

• Available compliance certifications

• Dedicated privacy specialists for Education Institutions

• Regular updates on security enhancements

‍

Monitoring and Incident Response

‍

Proactive Protection

• Continuous security monitoring

• Regular vulnerability assessments and penetration testing

• Independent security audits are conducted to validate adherence to relevant frameworks.

• We have a reporting process to track to review and track our compliance performance.

We implement a robust risk management program designed to identify, evaluate, mitigate, and monitor security and privacy related risks in real time.  

‍

Incident Response Plan

Should a security event occur; our structured response includes:

1. Immediate Containment: We isolate affected systems and implement measures to prevent further unauthorized access

2. Thorough Investigation: We conduct a comprehensive analysis to determine the nature and scope of the incident

3. Notification Process: We promptly inform affected institutions, individuals, and authorities as required by applicable laws

4. Remediation and Prevention: We implement corrective actions and enhance security measures to prevent similar incidents.

‍

Endnote

CheckIT Learning combines educational innovation with unwavering commitment to user privacy. Our comprehensive approach to data protection and regulatory compliance ensures that Education Institutions can implement our Services with confidence.

‍

We welcome detailed discussions with Education Institutions about our security practices and compliance documentation.