Brigance Privacy Policy

Purpose.

Curriculum Associates takes the protection of our customers’ data and information, particularly student data, very seriously. The purpose of this Data Handling Statement is to inform Curriculum Associates’ customers about its current data security policies and practices, which are intended to safeguard this sensitive information. Curriculum Associates handles customer data in a manner consistent with applicable laws and regulations, including, without limitation, the Federal Family Educational Rights and Privacy Act (FERPA), the California Student Online Personal Information Protection Act (SOPIPA), the California Consumer Privacy Act and other applicable state student data privacy laws.

Scope.

This Policy covers the collection, use, and storage of data that is obtained through the use of Curriculum Associates’ Brigance Online Management System (the “Brigance OMS”) and related services provided by Curriculum Associates.

Network Level Security Measures.

Curriculum Associates’ Brigance OMS systems and servers are hosted in a cloud environment. Our hosting provider implements network-level security measures in accordance with industry standards. In addition, Curriculum Associates manages its own controls of the network environment, including centralized log collection and security information and event management (SIEM).

Server-Level Security Measures.

Access to production servers is limited to a small, identified group of operations engineers that are trained specifically for those responsibilities. The servers are configured to conduct daily updates for any security patches that are released and applicable. The servers have anti-virus, intrusion detection, configuration control, monitoring/alerting, and automated backups. In addition, we conduct regular vulnerability testing.

Computer/Laptop/Device Security Measures.

Curriculum Associates employs a full IT staff that manages and secures the corporate and employee systems. Laptops are encrypted and centrally managed with respect to configuration updates, anti-virus, and endpoint detection and response (EDR) technology.

Access to all Curriculum Associates computers and laptops is password-controlled. Curriculum Associates sets up teacher and administrator accounts for Brigance OMS so that they are also password-controlled.

Encryption.

Brigance OMS is accessible via https and all public network traffic is encrypted with the latest encryption standards. Encryption of data at rest is implemented for all data stored in the Brigance OMS system.

Employee and Contractor Policies and Procedures.

Curriculum Associates limits access to student and customer data to those employees who need to have such access in order to allow Curriculum Associates to provide quality products and services to its customers. Curriculum Associates requires all employees who have access to Curriculum Associates servers and systems to sign non-disclosure agreements. Curriculum Associates requires its employees and contractors who have access to student data to participate in annual training sessions on IT security policies and best practices. Any employee who ceases working with Curriculum Associates is reminded of his or her non-disclosure obligations at the time of departure, and network access is terminated at that time.

Collection of Student Data.

Curriculum Associates only receives student personally identifiable information in the Brigance OMS when educators input such data into the system. It does not otherwise collect any student data or receive other student personally identifiable information in connection with the Brigance OMS.

Use of Student Data.

Curriculum Associates only uses student data collected in connection with the use of Brigance OMS for the purpose of making Brigance OMS available to its customers and improving its content and effectiveness. Curriculum Associates only uses student-identifiable data to make Brigance OMS available and to provide related reports and services to school and school district teachers and administrators. Curriculum Associates does not sell any data it receives through use of the BRIGANCE OMS or otherwise share such data with any third parties.

Third Party Audits and Monitoring.

In addition to internal monitoring and vulnerability assessments, Curriculum Associates contracts with a third party to conduct annual security audits. Curriculum Associates reviews the third-party audit findings and will implement recommended security program changes and enhancements where practical and appropriate. Curriculum Associates also leverages a managed security service provider (MSSP) for 24/7/365 security monitoring and event response.

Data Retention and Destruction.

Student and teacher personal data is used only in the production systems and only for the explicitly identified functions of the Brigance OMS application. Student and teacher personal data is de-identified before any testing or research activities may be conducted. Upon the written request of a customer, Curriculum Associates will remove all personally identifiable student and teacher data from its production systems at the end of a contract. In addition, Curriculum Associates reserves the right, in its sole discretion, to remove a particular customer’s student data from its production servers a reasonable period of time after its relationship with the customer has ended, as demonstrated by the end of contract term or a significant period of inactivity in all customer accounts. Student data is removed from backups in accordance with Curriculum Associates’ data retention practices. If Curriculum Associates is required to restore any materials from its backups, it will purge all student-identifiable data not currently in use in the production systems from the restored backups.

Breach Notification.

Curriculum Associates follows documented “Security Incident Management Procedures” when investigating any potential security incident. In the event of a data security breach, Curriculum Associates will notify impacted customers as promptly as possible that a breach has occurred, and will inform them (to the extent known) what data has been compromised. Curriculum Associates expects customers to notify individual teachers and parents of any such breach to the extent required.