StoryJumper Data Security & Privacy Plan for Educational Accounts

  1. Data Security.
    StoryJumper agrees to abide by and maintain adequate data security measures, consistent with industry standards and technology best practices, to protect Student Data from unauthorized disclosure or acquisition by an unauthorized person. Our general security duties are set forth below. These measures include, but are not limited to:
    1. Passwords and Employee Access. StoryJumper will secure usernames, passwords, and any other means of gaining access to the Services or to Student Data, at a level suggested by Article 4.3 of NIST 800-63-3. StoryJumper will only provide access to Student Data to employees or contractors that are performing the Services. Employees with access to Student Data will have signed confidentiality agreements regarding said Student Data. All employees with access to Student Records will pass criminal background checks.
    2. Destruction of Data. StoryJumper will destroy or delete all Personally Identifiable Data contained in Student Data and obtained under the Educational Account ("EA") Agreement when it is no longer needed for the purpose for which it was obtained according to a schedule and procedure as the parties may reasonably agree.
    3. Security Protocols. Both parties agree to maintain security protocols that meet industry best practices in the transfer or transmission of any data, including ensuring that data may only be viewed or accessed by parties legally allowed to do so. StoryJumper will maintain all data obtained or generated pursuant to the EA Agreement in a secure computer environment and not copy, reproduce, or transmit data obtained pursuant to the EA Agreement, except as necessary to fulfill the purpose of data requests by Educational Account Administrator, including request for Services.
    4. Employee Training. StoryJumper will provide periodic security training to those of its employees who operate or have access to the system. Further, at EA Administrator’s request, StoryJumper will provide EA Administrator with contact information of an employee who they may contact if there are any security concerns or questions.
    5. Security Technology. All data transfers are over encrypted or private networks. Student Data and Teacher Data are primarily stored in encrypted databases on our private, secure computing instances. When the service is accessed using a supported web browser, Secure Socket Layer (“SSL”), or equivalent technology will be employed to protect data from unauthorized access. The service security measures will include server authentication and data encryption. StoryJumper will host data pursuant to the EA Agreement in an environment using a firewall that is periodically updated according to industry standards.
    6. Security Coordinator. Upon request, StoryJumper will provide the name and contact information of StoryJumper’s Security Coordinator for the Student Data received pursuant to the EA Agreement.
    7. Subprocessors Bound. StoryJumper will enter into written agreements whereby Subprocessors agree to secure and protect Student Data in a manner consistent with these terms.
    8. Periodic Risk Assessment. StoryJumper further acknowledges and agrees to conduct periodic risk assessments and remediate any identified security and privacy vulnerabilities in a timely manner.
    9. Backups. StoryJumper agrees to maintain backup copies, backed up at least daily, of Student Data in case of StoryJumper’s system failure or any other unforeseen event resulting in loss of Student Data or any portion thereof.
    10. Audits. Upon receipt of a request from the EA Administrator, StoryJumper will allow the EA Administrator to audit the security and privacy measures that are in place to ensure protection of the Student Record or any portion thereof. StoryJumper will cooperate fully with the EA Administrator and any local, state, or federal agency with oversight authority/jurisdiction in connection with any audit or investigation of StoryJumper and/or delivery of Services to students and/or EA Administrator, and will provide full access to the StoryJumper’s facilities, staff, agents and EA Administrator’s Student Data and all records pertaining to StoryJumper, EA Administrator and delivery of Services to StoryJumper. Failure to cooperate will be deemed a material breach of the Agreement.
    11. Challenge Data Accuracy. If a parent, student, or teacher would like to challenge the accuracy of the data collected, then they can log into their StoryJumper account and update their data, as needed. If further assistance is needed, then they can email “support@storyjumper.com” or use the Help buttons on StoryJumper.com.
    12. Data Location and Risk Mitigation. StoryJumper data is stored in: a) Digital Ocean in private secure instances. Only StoryJumper employees that need access to these computer instances have accounts on the instances. The instances use Digital Ocean firewalls to further limit access. b) Amazon S3 Cloud. We store images and backups which have expiration times in Amazon S3 which is protected by Amazon's security infrastructure. c) Google Cloud. We store audio files in the Google Cloud. The data is protected by Google's security infrastructure. Student Data and Teacher Data are primarily stored in secure databases on our private secure Digital Ocean instances. If students or teachers upload images or record audio files, they are stored securely in the Amazon S3 Cloud and in the Google Cloud. The databases are only accessible to the StoryJumper employees who need access to make our system function properly. Private Student and Teacher Data is only accessible to the Teacher and the student who created the data and StoryJumper only as far as it is required to implement functionality of the StoryJumper product. If the Teacher grants access to the data, only the people that are granted access have access to the data.
  2. Data Breach.
    In the event that Student Data is accessed or obtained by an unauthorized individual, StoryJumper will provide notification to the EA Administrator within an agreed upon time period from the incident. StoryJumper will follow the following process:
    1. The security breach notification will be written in plain language, will be titled “Notice of Data Breach,” and will present the information described herein under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.
    2. The security breach notification described above in section 2(a) will include, at a minimum, the following information:
      • The name and contact information of the reporting EA Administrator subject to this section.
      • A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
      • If the information is possible to determine at the time the notice is provided, then either (1) the date of the breach, (2) the estimated date of the breach, or (3) the date range within which the breach occurred. The notification will also include the date of the notice.
      • Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.
      • A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
    3. At EA Administrator’s discretion, the security breach notification may also include any of the following:
      • Information about what the agency has done to protect individuals whose information has been breached.
      • Advice on steps that the person whose information has been breached may take to protect himself or herself.
    4. StoryJumper agrees to adhere to all requirements in federal law with respect to a data breach related to the Student Data, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such data breach.
    5. StoryJumper further acknowledges and agrees to have a written incident response plan that reflects best practices and is consistent with industry standards and federal law for responding to a data breach, breach of security, privacy incident or unauthorized acquisition or use of Student Data or any portion thereof, including personally identifiable information and agrees to provide EA Administrator, upon request, with a copy of said written incident response plan.
    6. At the written request and with the assistance of the EA Administrator and/or by the respective school district, StoryJumper will notify the affected parent, legal guardian or eligible pupil of the unauthorized access, which will include the information listed in subsections (b) and (c), above.
We use cookies on this site. By continuing to use this site, we assume you consent for cookies to be used. See our Cookie Policy. GOT IT