Comprendi™ Platform Data Handling and Privacy Statement

Last Updated: September 8, 2023

 

Purpose. Dr. Marion’s Learning Lab (“DMLL”) takes the protection of our customers’ data and information, particularly student data, very seriously. The purpose of this Data Handling and Privacy Statement is to inform our customers about our current data security policies and practices, which are intended to safeguard this sensitive information. DMLL handles customer data in a manner consistent with applicable laws and regulations, including, without limitation, the Federal Family Educational Rights and Privacy Act (FERPA), the California Student Online Personal Information Protection Act (SOPIPA), the Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act, and other state student data privacy protection laws.

Scope. This policy covers the collection, use, and storage of data that is obtained through the use of the products and related services accessible through the use of DMLL’s proprietary Comprendi® platform. DMLL’s products and services are collectively referred to in this policy as “Comprendi.”

Student Data Obtained and Collected.

DMLL receives certain information from its school district customers, pursuant to the school official exception under FERPA, to enable students to use Comprendi. The following information is generally provided to DMLL for each student user of Comprendi:

  • student first and last name;
  • date of birth;
  • gender;
  • ethnicity or race;
  • student identification number;
  • student school or class enrollment;
  • student grade level;
  • teacher name;
  • English language learner status; and
  • eligibility for free- or reduced-price lunch.

Note that some of these data fields (such as ethnicity or race, ELL status, eligibility for free or reduced-price lunch) are not required for the use of Comprendi. However, where districts would like reporting capabilities based on these categories, they may choose to provide this information to DMLL.

Data We Do Not Collect.

DMLL never obtains or collects the following categories of information through the use of Comprendi:

  • user biometric or health data;
  • user geolocation data;
  • student email addresses or social media profile information; or
  • student mailing addresses or phone numbers, or other such “directory” information.

Usage Data.

When students use Comprendi, certain assessment results and usage metrics are also created. These results and usage metrics are used by DMLL as described below. While teachers and school administrators are able to access student information and related Comprendi usage data, this information is not made available to other students or the public.

How We Use Student Data.

DMLL only uses student data for education-related purposes and to improve teaching and learning, as described in more detail here. We receive this data under the “school official” exception under FERPA:

  • For Services. DMLL only uses student-identifiable data provided by schools and/or school districts to make Comprendi available to that particular student, and to provide related reports and services to that student’s school and school district and its educators and administrators. DMLL uses student data collected from the use of Comprendi for the purpose of making Comprendi available to its customers and for improving its content and effectiveness.
  • For Reporting. DMLL provides reporting capabilities to its educator customers, and these reports are generated based on Comprendi usage information.
  • For Account Support. Customers’ usage data may also be used on an aggregated basis to allow DMLL’s Partner Success, customer service and tech support teams to provide services that meet the specific needs of our educator customers.
  • Treatment as PII. DMLL treats all student-identifiable data, and any combination of that data, as personally-identifiable information, and that data is stored securely as described more fully below.
  • No Solicitation of Students. DMLL receives education records from our school district customers to enable students and teachers to use Comprendi. DMLL does not solicit personally identifiable information directly from students—all student information is provided by school district customers or created through the use of the Comprendi platform. Because Comprendi is only used in the context of school-directed learning, schools are not required to obtain parental consent under COPPA to provide us with this data, although many customers choose to do so to comply with state or local requirements.
  • No Ownership. DMLL does not obtain any ownership interest in student-identifiable data.

How We Use De-Identified Data.

DMLL collects and uses “de-identified student data”, which refers to data generated from usage of Comprendi from which all personally identifiable information has been removed or obscured so that it does not identify individual students and there is no reasonable basis to believe that the information can be used to identify individual students.

  • DMLL uses this aggregated, de-identified student data for core product functionality to make Comprendi a more effective, adaptive product.
  • DMLL uses de-identified data to provide services to our educator customers. We sometimes use third party software tools (such as Salesforce or Domo) to enhance the level of service we provide. However, we only use de-identified data with these tools.
  • DMLL also uses de-identified student and educator data for research and development purposes. This might include research analyzing the efficacy of Comprendi or development efforts related to our product and service offerings. We also conduct research using de-identified data for studies focused on improving educational systems and student outcomes more generally.
  • DMLL does share de-identified student data with trusted third-party research partners as part of these research initiatives.
  • DMLL does not attempt to re-identify de-identified student data and takes reasonable measures to protect against the re-identification of its de-identified student data.
  • Our research partners are prohibited from attempting to re-identify de-identified student or educator data.
  • DMLL does not sell student identifiable data or aggregated de-identified student or educator data to third parties.

No Targeted Advertisements or Marketing.

  • DMLL does not include advertisements or marketing messages within Comprendi nor does it use student data for targeted advertising or marketing.
  • No student data collected in connection with Comprendi usage is shared with third parties for any advertising, marketing, or tracking purposes.

No User Interactions.

  • There are no social interactions between users in Comprendi, and a given user’s account is not accessible to other student users or third parties. Thus there is no opportunity for cyberbullying within Comprendi.
  • There is no ability for users to upload user content created outside of Comprendi. Other than responses to questions or instructional prompts, students cannot create content within Comprendi.
  • Comprendi user information does not involve the creation of a profile, and cannot be shared for social purposes.

Student Privacy Pledge. To further demonstrate its commitment to protecting the privacy of student information, DMLL has taken the Student Privacy Pledge https://studentprivacypledge.org. This means that, among other things, DMLL has pledged not to sell student information, not to engage in behaviorally targeted advertising, and to use collected data for authorized purposes only. DMLL only uses collected student data for the purposes described in the “How We Use Student Data” paragraph.

How We Use Educator Data.

DMLL also collects the following information about educators that use the Comprendi platform: name, school or district affiliation, grade level teaching, IP address, and email address. DMLL uses this information for account registration and maintenance purposes. DMLL also records when educator account logins are created, and when educators log in and out of the Comprendi platform. DMLL utilizes a third-party service provider to host professional-development content for educators in a learning-management system (LMS). For any educator who utilizes that content, DMLL and/or the educator will provide certain Comprendi account information to its third-party service provider, and this information will be used to communicate with educators and district-level administrators more effectively about their specific implementation, and to better understand how educators use the Comprendi and LMS platforms. We may also use de-identified educator data to improve our product and service offerings, as described in the “How We Use De-Identified Data” section above.

Data Storage Location.

  • Comprendi is a cloud-based application.
  • Our servers are located in Tier 1 data centers located in the United States.
  • We do not store any student data outside of the US.

Network-Level Security Measures.

  • DMLL’s Comprendi systems and servers are hosted in a cloud environment.
  • Our hosting provider implements network-level security measures in accordance with industry standards.
  • Dr. Marion’s Learning Lab manages its own controls of the network environment.

Server-Level Security Measures.

  • Access to production servers is limited to a small, identified group of operations engineers who are trained specifically for those responsibilities.
  • The servers are configured to conduct daily updates for any security patches that are released and applicable.
  • The servers have anti-virus protection, intrusion detection, configuration control, monitoring/alerting, and automated backups.
  • Dr. Marion’s Learning Lab conducts regular vulnerability testing.

Computer/Laptop/Device Security Measures. Dr. Marion’s Learning Lab employs a full IT staff that manages and secures its corporate and employee IT systems. Laptops are encrypted and centrally managed with respect to configuration updates and anti-virus protection. Access to all DMLL computers and laptops is password-controlled. DMLL sets up teacher and administrator accounts for Comprendi so that they are also password-controlled. We support customers that use single sign-on (SSO) technology for accessing Comprendi.

Encryption.

  • Comprendi is only accessible via HTTPS and all public network traffic is encrypted with the latest encryption standards.
  • Encryption of data at rest is implemented for all data stored in the Comprendi system.

Employee and Contractor Policies and Procedures. DMLL limits access to student-identifiable data and customer data to those employees who need to have such access in order to allow DMLL to provide quality products and services to its customers. DMLL requires all employees who have access to DMLL servers and systems to sign confidentiality agreements. DMLL requires its employees and contractors who have access to student data to participate in annual training sessions on IT security policies and best practices. Any employee who ceases working at DMLL is reminded of his or her confidentiality obligations at the time of departure, and network access is terminated at that time.

Third-Party Audits and Monitoring. In addition to internal monitoring and vulnerability assessments, Dr. Marion’s Learning Lab contracts with a third party to conduct annual security audits, which include penetration testing of the Comprendi application. Dr. Marion’s Learning Lab reviews the third-party audit findings and implements recommended security program changes and enhancements where practical and appropriate.

Data Retention and Destruction. Student and teacher personal data are used only in the production systems and only for the explicitly identified functions of the Comprendi application. Student and teacher personal data is de-identified before any testing or research activities may be conducted. Upon the written request of a customer, Dr. Marion’s Learning Lab will remove all personally identifiable student and educator data from its production systems when DMLL will no longer be providing access to Comprendi to that customer. In addition, DMLL reserves the right, in its sole discretion, to remove a particular customer’s student data from its production servers a reasonable period of time after its relationship with the customer has ended, as demonstrated by the end of contract term or a significant period of inactivity in all customer accounts. Student data is removed from backups in accordance with DMLL’s data retention practices. If DMLL is required to restore any materials from its backups, it will purge all student-identifiable data not currently in use in the production systems from the restored backups.

Correction and Removal of Student Data.

  • Parents of students, guardians, or eligible students who use Comprendi may request correction or removal of the student’s personally identifiable data from Comprendi by contacting their student’s teacher or school administrator. The teacher or school administrator can then verify the identity of the requesting party and notify DMLL of the request.
  • DMLL will promptly comply with valid requests for correction or removal of student data; however, removal of student personally identifiable data will limit that student’s ability to use Comprendi.

Breach Notification.
DMLL follows documented “Security Incident Management Procedures” when investigating any potential security incident. In the event of a data security breach, DMLL will notify impacted customers as promptly as possible that a breach has occurred, and will inform them (to the extent known) what data has been compromised. DMLL expects customers to notify individual teachers and parents of any such breach to the extent required, but will provide customers reasonably requested assistance with such notifications and will also reimburse customers for the reasonable costs associated with legally required breach notices.

Data Collection and Handling Practices for Educator Resources.
Dr. Marion’s Learning Lab offers a set of digital resources intended for use by educators, including Teacher Toolbox, Success Central, and the Resource Library (collectively and individually, the “Educator Resource Materials”). They are not student-facing materials, and therefore no student data are collected through the use of the Educator Resource Materials. DMLL collects the following information about educators who use the Educator Resource Materials: name, school or district affiliation, grade level teaching, and email address. DMLL uses this information for account registration and maintenance purposes. DMLL also records when educator account logins are created, and when educators log in and out of the Educator Resource Materials. When a teacher uses the Educator Resource Materials, our systems record which resources have been accessed by whom and the frequency of access. We use this information for product development purposes, to ensure that we are providing educators with resources that are useful to them. Our Partner Success, customer service and tech support teams also use this information to provide more specifically tailored support to our educator customers. Upon request, we may also provide this information to school or district level administrators to help them better understand how our Educator Resource Materials are used by educators in their school or district. We also use this information to communicate with educators more effectively about their specific implementation. We do not sell this information or otherwise share it with any third parties, nor do we serve advertisements to educators based on this usage data. We do not use this data to create a profile about any of the educators who use our products to provide to anyone outside of DMLL. We simply use these collected data for internal purposes to make our product and service offerings better.

Opt-In Google Classroom Assignment Feature for Educator Resource Materials.
For districts that use Google Classroom, Dr. Marion’s Learning Lab offers educators the ability to easily assign certain student-facing content, including certain Educator Resource Materials, to their students through Google Classroom. If an educator elects to utilize this feature, Google Classroom will provide Dr. Marion’s Learning Lab with the educator’s name and email address, as well as the roster information and coursework data for that educator’s classroom. In addition, if permission is granted by the educator, Google will allow Dr. Marion’s Learning Lab to access the educator’s Google Classroom environment and to directly upload the Educator Resource Materials content into Google Classroom through Google Drive. Use of Google Classroom is subject to Google Classroom’s terms of service and privacy policy.

Policy Review.
Dr. Marion’s Learning Lab reviews this privacy policy on an annual basis and makes updates from time to time to reflect changes in legal requirements and to provide more clarity to our customers on our practices. If you have any questions about our data-handling practices or this privacy policy, you may contact us at info@dmlearning.com.