ClassLink is committed to ensuring that your information is secure and your privacy is protected. The information below outlines our privacy and security policies. Additional information is contained in our software license and service level agreements. In order to prevent unauthorized access or disclosure, we have put in place physical, electronic and managerial procedures to safeguard and secure the information we store. Learn more about our security protocols.

Our Guiding Principles on Personal Data

International – Student Privacy Pledge, introduced by Future of Privacy Forum (FPF) and The Software & Information Industry Association (SIIA)

ClassLink is a signatory to the Student Privacy Pledge and abides by the commitments therein as follows:

  1. Not collect, maintain, use or share student personal information beyond that needed for authorized educational/school purposes, or as authorized by the parent/student.
  2. Not sell student personal information.
  3. Not use or disclose student information collected through an educational/school service (whether personal information or otherwise) for behavioral targeting of advertisements to students.
  4. Not build a personal profile of a student other than for supporting authorized educational/school purposes or as authorized by the parent/student.
  5. Not make material changes to school service provider consumer privacy policies without first providing prominent notice to the account holder(s) (i.e., the educational institution/agency, or the parent/student when the information is collected directly from the student with student/parent consent) and allowing them choices before data is used in any manner inconsistent with terms they were initially provided; and not make material changes to other policies or practices governing the use of student personal information that are inconsistent with contractual requirements.
  6. Not knowingly retain student personal information beyond the time period required to support the authorized educational/school purposes, or as authorized by the parent/student.
  7. Collect, use, share, and retain student personal information only for purposes for which we were authorized by the educational institution/agency, teacher or the parent/student.
  8. Disclose clearly in contracts or privacy policies, including in a manner easy for parents to understand, what types of student personal information we collect, if any, and the purposes for which the information we maintain is used or shared with third parties.
  9. Support access to and correction of student personally identifiable information by the student or their authorized parent, either by assisting the educational institution in meeting its requirements or directly when the information is collected directly from the student with student/parent consent.
  10. Maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information.
  11. Require that our vendors with whom student personal information is shared in order to deliver the educational service, if any, are obligated to implement these same commitments for the given student personal information.
  12. Allow a successor entity to maintain the student personal information, in the case of our merger or acquisition by another entity, provided the successor entity is subject to these same commitments for the previously collected student personal information.

Student Data Privacy Consortium (SDPC)

ClassLink is a member of the Student Data Privacy Consortium (SDPC).

The Student Data Privacy Consortium is:

  • Designed to address the day-to-day, real-world multi-faceted issues that schools, states and vendors are facing each day in the protection of learner information.
  • A Special Interest Group (SIG) of the Access 4 Learning (A4L) Community, which is a unique, non-profit collaboration, composed of schools, districts, local authorities, states, US and International Ministries of Education, software vendors and consultants who collectively address all aspects of learning information management and access to support learning.
  • Leverages the work ongoing by various organizations already providing guidance to schools and states regarding student data privacy. Its main focus is on issues being faced by “on-the-ground” practitioners.

SOC 2 Type II Audit

A SOC 2 Type II audit provides evidence that a company has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary internal controls and processes in place.

ClassLink has successfully completed a SOC 2 Type II audit which was performed by the licensed CPA firm KirkpatrickPrice.  The SOC 2 audit is based on the AICPA's Trust Services Criteria, and focuses on ClassLink's controls as they relate to security, availability, and confidentiality.  A successful SOC 2 audit assures our customers of their reliance on ClassLink's controls to protect their data.

Data Sovereignty

Nearly all countries have laws that protect personal data privacy. Some countries require that personal data be stored exclusively on servers located in-country. Further, some countries limit the transfer of personal data outside of their jurisdiction.

ClassLink software and systems are designed to comply with these various regulations as follows:

  • ClassLink customers are always in control over the storage and transmission of their personal data.
  • ClassLink software enables the customer to control when and how their data is shared with third party vendors.
  • ClassLink customers have the option to host a dedicated ClassLink data server either within their internal data center or in a secure data center located within the jurisdiction.
  • ClassLink software and system processes can only transmit personal data with the express instruction of the customer.

European Union – General Data Protection Regulation (GDPR)

GDPR is the newest body of regulation regarding the handling of personal data for citizens of the European Union (EU). The primary objective of the GDPR is to give citizens control of their personal data.  Select ClassLink products are compliant with the EU General Data Protection Regulation.

GDPR includes 11 chapters and nearly 100 articles. Below are some of the most relevant articles.

  • Article 5 “Principles relating to processing of personal data”: ClassLink is a trusted steward of personal data. Data received from customers are to be used solely for purposes of providing educational services. Such data will not be sold or used for marketing purposes.
  • Article 17 “Right to be forgotten”: Schools can choose to delete users from ClassLink at any time. Individual users can choose to delete any data they’ve added to ClassLink at any time. ClassLink promptly deletes data associated with schools no longer working with ClassLink.
  • Article 32 “Security of processing”: ClassLink keeps all personal data confidential and secure. ClassLink team members are bound by contractual non-disclosure agreements. ClassLink’s data security protections include: internal data management policies and procedures, limitations on access to personal data, data encryption (for both data in transit and at rest), data systems monitoring, incident response plans, and safeguards to ensure personal data is not accessed by unauthorized persons when transmitted over communication networks.
  • Article 33 “Notification of a personal data breach to the supervisory authority”: GDPR requires notice to the supervisory authority within 72 hours of awareness of a personal data breach. Upon discovery of a security breach that results in an unauthorized release of personal data, ClassLink shall promptly notify affected customers of such breach, shall conduct an investigation, and shall restore the integrity of its data systems as soon as possible. ClassLink will fully cooperate and assist with required notices to those individuals affected by such breach.
  • Article 35 “Data protection impact assessment”: ClassLink conducts various security assessments of our systems. Certain security tests are conducted annually, others more frequently and some other tests are running constantly.
  • Article 37 “Designation of a data protection officer”: ClassLink maintains a designated data protection officer who is authorized to engage security reviews and impact product development.
  • Article 44 “General principle for transfers”: To promote data sovereignty/data residency in GDPR, the regulation authorizes the European Commission to decide if a third country or territory, where data may be transferred, meets adequate levels of protection. As GDPR is new, no third country or territory has yet been approved by the Commission. ClassLink customers are always in control over the storage and transmission of their personal data. Customers located in the EU or UK utilize a secure data center located within the EU zone (Frankfurt, Germany). No servers, outside of these options, are used to store data for EU or UK based customers.

European Union – Privacy Shield

In July 2016, the Privacy Shield framework was designed by the U.S. Department of Commerce, the European Commission, and the Swiss Administration to help companies comply with data protection requirements of the EU and Switzerland.

ClassLink participates in the EU Privacy Shield. A list of participating organizations is available at www.privacyshield.gov/list.

On July 16, 2020, the Court of Justice of the European Union invalidated the Privacy Shield as a substitute for compliance with the General Data Protection Regulation (GDPR). Privacy Shield continues to be in effect for Switzerland. A key factor contributing to the invalidation was the permissible transfer of personal data from the EU to the US under certain circumstances. ClassLink customers are always in control over the storage and transmission of their personal data. ClassLink software and system processes can only transmit personal data with the express instruction of the customer.

ClassLink continues to participate in Privacy Shield and adhere to its guiding principles for the benefit of our customers in Switzerland.

ClassLink conforms to the Privacy Shield Principles as follows:

  • Notice: ClassLink publishes online privacy notices, including its participation in the Privacy Shield, its practices on collecting, using, and sharing personal data with third parties, its privacy practices, and choices available to individuals regarding limiting data collection and use.
  • Choice: ClassLink will not share the customer’s data with third party vendors. ClassLink customers are always in control over the storage and transmission of their personal data.
  • Accountability for Onward Transfer: ClassLink software enables the customer to control when and how their data is shared with third party vendors.
  • Security: ClassLink takes all reasonable and appropriate measures to protect the data owned by the customers that it serves from loss, misuse, and unauthorized access.
  • Data Integrity and Purpose Limitation: ClassLink takes all reasonable and appropriate measures to limit processing to the purposes for which data has been collected, and to ensure that personal data is reliable for its intended use, accurate, complete, and current.
  • Access: ClassLink customers are always in control of their data, and can correct, amend, or delete information that is inaccurate.
  • Recourse, Enforcement and Liability: ClassLink protects against the unauthorized access of personal data through a variety of measures, including those enumerated within the EU standard contractual clauses related to data protection.

ClassLink provides contact information on its website for inquiries or complaints regarding compliance with the Privacy Shield. The ClassLink contact web page is classlink.com/contact.

ClassLink participates in the Independent Recourse Mechanism (IRM) provided by the European Union Dispute Resolution Procedures (EU DPAs) for Privacy Shield dispute resolution.

ClassLink is subject to the investigatory and enforcement powers of the Federal Trade Commission or the appropriate statutory body that will ensure compliance with the Privacy Shield Principles.

ClassLink recognizes the possibility for an individual to invoke binding arbitration pursuant to the Privacy Shield.

United States – Section 508 & ADA Compliance

Web Content Accessibility Guidelines
ClassLink complies with the web content accessibility guidelines of WCAG 2.1 Level AA as accepted by Section 508 of the Rehabilitation Act of 1973 and the Americans with Disabilities Act (ADA).

StateRAMP

ClassLink is a member of StateRAMP, which represents the shared interests of state and local governments, third-party assessment organizations, and service providers with IaaS, SaaS, and PaaS solutions. ClassLink and StateRAMP believe in the values of transparency, standardization, and community. As a StateRAMP member, we are committed to making the digital landscape a safer, more secure place.

StateRAMP is based on NIST Special Publication 800-53 Rev. 4 and is modeled after FedRAMP. It implements a "complete once, use many" approach to save time and reduce costs for service providers and governments. It also relies on FedRAMP Authorized Third-Party Assessment Organizations (3PAOs) for assessments.

United States – Cloud Security Alliance (CSA) Star Recipient

ClassLink is proud to hold the Cloud Security Alliance (CSA) STAR. CSA enables solution providers to validate their cloud security and offer proof to current and future customers of the controls in place. The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix. Certification certificates follow normal ISO/IEC 27001 protocol and expire after three years unless updated.

United States – Children’s Internet Protection Act (CIPA)

The Children’s Internet Protection Act (CIPA) requires schools and libraries receiving certain e-Rate benefits from the Federal Communications Commission (FCC) to adhere to policies that provide safe internet experiences for minors. These include policies related to:

  • Preventing access by minors to inappropriate matter on the Internet;
  • The safety and security of minors when using electronic mail, chat rooms and other forms of direct electronic communications;
  • Unauthorized access, including so-called “hacking,” and other unlawful activities by minors online;
  • Unauthorized disclosure, use, and dissemination of personal information regarding minors; and
  • Measures restricting minors’ access to materials harmful to them.

Although ClassLink does not itself prevent access to inappropriate websites (that burden belongs to the school or library), ClassLink can help create an intentional internet experience for young students by enabling instant access to positive online resources from any device.

United States – Children’s Online Privacy Protection Act (COPPA)

ClassLink is compliant with the regulations put forth by the Children’s Online Privacy Protection Act (COPPA). ClassLink maintains and protects only that information which enables users to operate ClassLink services.

ClassLink is iKeepSafe Certified: The iKeepSafe COPPA Safe Harbor Certification program ensures that practices surrounding collection, use, maintenance and disclosure of personal information from children under the age of 13 are consistent with principles and requirements of the Children’s Online Privacy Protection Act (COPPA). Companies that comply with the guidelines are awarded a badge, making it easy for parents and schools to identify products that are compliant with COPPA.

United States – Family Educational Rights and Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA sets forth protocols for ensuring privacy and security of personally identifiable information of students. ClassLink adheres to the data protection protocols set forth in FERPA.

ClassLink is iKeepSafe Certified: The iKeepSafe FERPA Certification demonstrates compliance with the federal mandates as well as iKeepSafe’s rigorous guidelines through the published Product Profile.

California – California Student Privacy Certification (CSPC) issued by iKeepSafe

The CSPC builds on iKeepSafe’s FERPA Assessment and COPPA Safe Harbor, which help educators and parents find products that meet the expectations of federal privacy laws. This certification is recommended for operators and providers of websites and online services that are, whole or in part, intended for use in and by schools. Earning the iKeepSafe CSPC asserts that your technology company is a leader in student privacy.

The certification assesses for federal and California laws governing student data privacy, including:

  • Family Educational Rights and Privacy Act (“FERPA”)
  • Protection of Pupil Rights Amendment (“PPRA”)
  • California Education Code 49073.6 – Collection of Student Information from Social Media
  • California AB 1584, Education Code section 49073.1 – Privacy of Pupil Records: 3rd-Party Digital Storage & Education Software
  • Student Online Personal Information Protection Act (“SOPIPA”)

In addition to the above guiding principles on personal data:

  • Location: ClassLink contracts with educational agencies in California are governed by and construed in accordance with the laws of the State of California. Additionally, educational agencies in the United States are serviced by ClassLink servers and database infrastructure that are based in the United States.

Colorado – The Student Data Transparency and Security Act

ClassLink is compliant with the regulations put forth by the Colorado Department of Education. Effective August 10, 2016, the Student Data Transparency and Security Act (HB16-1423; C.R.S.22-16-101 et seq.) brought statewide attention to Student Data Privacy. The purpose of this Law is to increase the transparency and security of all Student Personally Identifiable Information (Student PII) that the Colorado Department of Education (CDE) and Local Education Providers (LEPs) collect and maintain. The Law aims to maximize trust in the use of student data in the elementary and secondary education system by having vendors contracting with schools or educational agencies in Colorado contractually agree to comply with certain requirements if they are to collect information from students.

Connecticut – § 10-234aa through § 10-234dd, Student Data Privacy

ClassLink is compliant with the regulations put forth by § 10-234aa through § 10-234dd, An Act Concerning Student Data Privacy.

In addition to the above guiding principles on personal data:

  • Location: ClassLink contracts with educational agencies in Connecticut are governed by and construed in accordance with the laws of the State of Connecticut. Additionally, educational agencies in the United States are serviced by ClassLink servers and database infrastructure that are based in the United States.

Florida – Fla. Stat. § 1002.22, Education records and reports of K-12 students; rights of parents and students; notification; penalty (§1002.22); and Fla. Stat. § 1002.222, Limitations on collection of information and disclosure of confidential and exempt student records (§1002.222)

ClassLink is compliant with the regulations put forth by Fla. Stat. § 1002.22, Education records and reports of K-12 students; rights of parents and students; notification; penalty (§1002.22); and Fla. Stat. § 1002.222, Limitations on collection of information and disclosure of confidential and exempt student records (§1002.222).

In addition to the above guiding principles on personal data:

  • Biometric data of students, parents, and siblings: ClassLink does not collect biometric information as defined by statute for students, parents, and siblings in Florida.
  • Location: ClassLink contracts with educational agencies in Florida are governed by and construed in accordance with the laws of the State of Florida. Additionally, educational agencies in the United States are serviced by ClassLink servers and database infrastructure that are based in the United States.

New York State – Education Law §2-d (Section 2-d) and the Personal Privacy Protection Law, Article 6-A of the Public Officers Law (PPPL)

ClassLink is compliant with the regulations put forth by the Education Law §2-d and the Personal Privacy Protection Law (PPPL), Article 6-A of the Public Officers Law.

In addition to the above guiding principles on personal data:

  • Location: ClassLink contracts with educational agencies in New York are governed by and construed in accordance with the laws of the State of New York. Additionally, educational agencies in the United States are serviced by ClassLink servers and database infrastructure that are based in the United States.
  • Parents’ Bill of Rights: ClassLink includes the Parents’ Bill of Rights with every ClassLink contract in New York State.

Utah – Data Privacy Agreement

ClassLink is compliant with the regulations put forth for third-party contractors by Title 53E-9-309. This legislation requires schools to include student data privacy provisions in all third-party agreements that receive student personally identifiable information (PII). ClassLink contracts with educational agencies in Utah are governed by and construed in accordance with the laws of the State of Utah. Additionally, educational agencies in the United States are serviced by ClassLink servers and database infrastructure that are based in the United States.

Mobile SMS Verification - Terms of Service

This program adds an extra layer of security to user accounts by utilizing SMS-based verification codes. Messages sent through our SMS program are limited to phone number verification codes, MFA verification codes and password recovery codes.

Our SMS verification program strictly prohibits the transmission of any promotional material. The individual enrolled in this program determines the frequency of SMS messages when they initiate actions such as MFA authentication, phone number verification, or password reset via SMS. Please note there will only be one message per request.

To learn more about the options available for ClassLink MFA, visit classlink.com/mfa.

If you have any questions regarding privacy, please read our privacy policy at classlink.com/privacy.

Links to Other Websites

Our ClassLink system and company website contain links to other websites. Once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Cookie Policy - ClassLink Website

Cookies are small data files sent by a website’s server to a web browser, processor memory or hard drive and stored there. They can be used for a range of different purposes, such as customizing a website for a particular user, helping a user navigate a website, improving that user’s website experience, and storing that user’s preferences and login information.

Types of cookies we use:

Overall, cookies help us provide you with a better website by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

You can choose to accept or decline cookies. Please use our Privacy Manager to set your preferred cookie settings. Declining cookies may prevent you from taking full advantage of the website.