Summary: The purpose of this document is to present the means and methods by which CypherWorx, Inc. will comply with the requirements of New York State Education Law, Section 2-D, with regard to security and privacy of personally identifiable information.
Specific topics addressed include:
- The nature of the services provided by CypherWorx to educational agencies contracting with us.
- The extent and types of personally identifiable information collected by CypherWorx in the process of providing those services.
- The technical measures employed to secure user data and ensure users’ privacy.
- The physical measures employed to secure user data and ensure users’ privacy.
- The internal measures employed to ensure the confidentiality of user data, including:
- Personnel policy that limits access to data to only those individuals who require it for the performance of their work duties
- Training for all personnel with regard to user data security.
- Procedures to be followed in the event of a data breach or an accidental, improper, or unauthorized disclosure of data.
- The designated Data Protection Officers responsible for the execution of and enforcement of this plan
The following definitions will apply throughout this document:
- We/us/our shall be understood to refer to CypherWorx, Inc.
- Client shall be understood to refer to the school, board of cooperative educational services, or other educational agency (as defined under Section 2-D) entering into a contract with CypherWorx.
- Learner shall be understood to refer to any individual making use of the services offered by CypherWorx under the provisions of a contract with a client.
- Personally Identifiable Information (or PII) shall be understood to include that which is defined as student, teacher, or principal PII under Section 2-D, as well as data of a similar nature associated with other learners such as client staff, alumni, or parents of client students.
- Client contract shall be understood to refer to the contract between CypherWorx and a client.
2. Nature of Services Provided
- As a third-party contractor (as defined under Section 2-D), CypherWorx will make a broad selection of e-learning courses available for the use of learners associated with the client.
- These courses represent additional learning opportunities for learners and are not intended to be part of any client curriculum.
- These e-learning courses will be delivered via one of two methods, as specified in the client contract:
- Learners will log into CollaborNation, the Learning Management System (LMS) developed and maintained by CypherWorx.
- Learners will log into an LMS provided by the client. E-learning courses will be made available to that LMS from a CypherWorx-controlled server.
- Learners associated with a client fall into three categories: Students and alumni, parents, and faculty and staff.
- Subject to the specific provisions of the client contract, the client can make these services available to learners of their choosing from among these three groups.
3. Extent of Data Collected
- The personally identifiable information (PII) collected by CypherWorx is limited to what is necessary to deliver the services being provided.
- For learners logging into CollaborNation, we collect:
- Learner’s first and last name.
- Learner’s email address (which serves as their User ID when logging into CollaborNation).
- For learners accessing our e-learning courses via a client-provided LMS, we collect:
- Learner’s name (if provided by the client’s LMS).
- Learner’s unique ID (as determined and provided by the client’s LMS). This may be an email address, a student ID number, or some other unique identifier used by the client’s system.
- For all learners, we collect data directly resulting from their interaction with our e-learning courses, including the following:
- Which e-learning courses the learner has chosen to engage with.
- The learner’s lesson status for each of those courses, which is one of the following values: Not Attempted, Incomplete/In Progress, Failed, Completed, or Passed.
- The calendar date and time upon which a learner:
- Selected (self-assigned) a given course.
- First opened a given course.
- Last interacted with a given course.
- Failed, completed, or passed a given course.
- Received a certificate (if applicable) for successful completion of a given course.
- The total elapsed time a learner has spent interacting with a given course.
- The elapsed time of a learner’s most recent interaction with a given course.
- The page or slide of a course a learner was on when they exited the course (“bookmarking”), to facilitate resuming the course where the learner left off, if applicable.
- The learner’s final score (if applicable) for a given course.
- We do not collect potentially sensitive PII such as physical address, age, date of birth, sex, gender, Social Security number, health- and/or disability-related information, or any form of payment information.
4. Data Security (Technical)
- CypherWorx contracts with Amazon Web Services (AWS) for the hosting of our application and database servers, and makes use of the robust security features and services provided by AWS. An overview of AWS Cloud Security is available here: https://aws.amazon.com/security/
- All PII is encrypted both at rest and in transit.
- The encryption methods employed meet or exceed the specifications of the Payment Card Industry Data Security Standard (PCI DSS).
- Application and database servers are protected from unauthorized access by firewalls and intrusion-detection systems.
- Routine security patches and software updates are applied regularly.
- High priority, urgent security patches are applied as quickly as possible.
- Security assessments are performed regularly.
5. Data Security (Physical)
- As noted in the preceding section, CypherWorx contracts with Amazon Web Services (AWS) for the hosting of our application and database servers, and responsibility for physical access security rests with AWS.
- The physical security measures of AWS data centers are summarized here:
6. Data Security (Internal Access Restrictions)
- Access to learner PII among CypherWorx personnel is limited to those whose job functions require it, following “least privilege” principles. In specific:
- Programming staff: The development and maintenance of the CollaborNation LMS and associated systems requires that programmers are able to:
- View and modify the structure and content of the databases in which learner PII is housed.
- Access learner accounts for purposes of identifying, recreating, and correcting errors in the software.
- Customer Support staff: In order to perform their duties, our Customer Support personnel require the ability to access learner accounts in the CollaborNation LMS so that they can:
- Provide technical assistance to learners who are having difficulties.
- Generate reports or transcripts of learners’ e-learning activity in compliance with the client contract, the requirements of Section 2-D, and/or the Parents’ Bill of Rights.
- CypherWorx personnel who do not have a valid need to access learner PII to fulfill their work duties shall not be permitted access.
7. Data Security and Confidentiality Training
- All CypherWorx personnel have received or will receive annual training with regard to the security and confidentiality of learner PII.
- This training will include:
- Permissible and prohibited uses of learner PII under Section 2-D.
- Which personnel should and should not have access to learner PII.
- Required security practices for personnel who do have access to learner PII.
- Actions to be taken by personnel in the event they become aware of:
- A breach of database or application server security.
- Unauthorized access to learner PII.
- Accidental or deliberate/malicious disclosure of learner PII.
- Use of PII in a manner or for a purpose prohibited by Section 2-D.
8. Security Breach Response
- In the event of any breach of the security or privacy of learner PII, CypherWorx will:
- Ascertain the nature of the breach.
- Take whatever actions are necessary to end the breach.
- Determine the extent of the breach, in terms of what learner PII may have been affected.
- Report the breach and its extent to the client, so that the client can then comply with the breach notification requirements of Section 2-D.
- Breaches of learner PII security or privacy include the following:
- Electronic breaches of database or application server security.
- Physical breaches of database or application server security.
- Accidental disclosure of learner PII.
- Deliberate/malicious disclosure of learner PII.
9. Data Protection Officers
- We have designated a team of two individuals to oversee adherence to the provisions of this plan. They are:
- Dan Quackenbush, Chief of Information Technology (firstname.lastname@example.org)
- Mike Maether, Chief Marketing Officer (email@example.com)