
Comparison of Artsonia Terms of Service and Privacy to Best Practices

The U.S. Department of Education established the Privacy Technical Assistance Center (PTAC) as a “one-stop” resource for education stakeholders to learn about data privacy, confidentiality, and security practices related to student data. More PTAC information and general student privacy information is available from the U.S. Department of Education at: https://studentprivacy.ed.gov/. In February 2014, PTAC issued guidance titled “Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices”. Additionally, in January 2015, PTAC issued a Model Terms of Service document to further assist schools and school districts in implementing that guidance.

The table below (copied in part from the PTAC recommendations) summarizes the PTAC recommendations regarding key Terms of Service provisions from their Model Terms of Service. Per PTAC, the “GOOD!” column contains PTAC’s best practice recommendations for Terms of Service privacy provisions. The “WARNING!” column contains provisions that PTAC believes represent poor privacy policy and may violate FERPA or other statutes. Given that few Terms of Service agreements will be worded exactly like the “GOOD!” or the “WARNING!” column, PTAC added the “Explanation” column to provide context to help schools interpret the rationale behind the PTAC recommendations.

In the last column, Artsonia has added a summary of its relevant practices and the Terms of Service and Privacy Policy provisions relating to each of the PTAC recommendations, to help you better assess our Terms of Service and Privacy Policy and your compliance with the Family Educational Rights and Privacy Act (FERPA) and other privacy laws.

*Please see our FAQs for more information on Education Records and Directory Information under FERPA.

Privacy-Related Terms of Service Provisions — PTAC Guidance

 

Provision | GOOD! This is a Best Practice | WARNING! Provisions That Cannot or Should Not Be Included in TOS | Explanation from PTAC | Artsonia Practices and Relevant Provisions

1

Definition of “Data”

“Data include all Personally Identifiable Information (PII) and other non-public information. Data include, but are not limited to, student data, metadata, and user content.”

Beware of provisions that limit the definition of protected data:

“Data only include user information knowingly provided in the course of using (this service).”

The definition of data should include a broad range of information to which providers may have access in order to ensure as much information as possible is protected in the agreement. Beware of provisions that narrowly define the “Data,” “Student Information,” or “Personally Identifiable Information” that will be protected.

First, you should understand that Artsonia is a service for parents, students, fans of artists, and teachers (it is not just for student related information and not all information collected or submitted to Artsonia will be considered an education record under FERPA).

 

Artsonia has a very broad and inclusive definition of personal information, which you can find here and which is protected as set forth in our Privacy Policy.

 

“Personal information is data that can be used to identify or contact a particular individual, such as the individual’s name, email address or billing information, or other data which can be reasonably linked to that data or to that individual’s specific computer or device. When anonymous or non-personal information is directly or indirectly linked with personal information, this anonymous or non-personal information is also treated as personal information. We will consider persistent identifiers that are not anonymized, de-identified or aggregated as personal information.”

 

Additionally, we follow the definition of personal information under the Children’s Online Privacy Protection Act (“COPPA”) for any personal information collected from children under 13. Please see the COPPA FAQ for more information.

 

We also have a broad definition of what is deemed “Your Information and Content” that you submit to the Artsonia Service in our Terms of Service, which we refer to as “User Submissions”.

 

We also have an entire section devoted to FERPA in our Terms of Service.

 

2

Data De-Identification

“Provider may use de-identified Data for product development, research, or other purposes. De-identified Data will have all direct and indirect personal identifiers removed. This includes, but is not limited to, name, ID numbers, date of birth, demographic information, location information, and school ID. Furthermore, Provider agrees not to attempt to re-identify de-identified Data and not to transfer de-identified Data to any party unless that party agrees not to attempt re-identification.”

Beware of provisions that define de-identification narrowly (as only the removal of direct identifiers, such as names and ID numbers) or lack a commitment from Providers to not re-identify the Data:

“Provider may use de-identified Data for product development, research, or other purposes. De-identified Data will have all names and ID numbers removed.”

There is nothing wrong with a provider using de-identified data for other purposes; privacy statutes, after all, govern PII, not de-identified data. But because it can be difficult to fully de-identify data, as a best practice, the agreement should prohibit re-identification and any future data transfers unless the transferee also agrees not to attempt re-identification.

It is also a best practice to be specific about the de-identification process. De-identification typically requires more than just removing any obvious individual identifiers, as other demographic or contextual information can often be used to re-identify specific individuals.

Retaining location and school information can also greatly increase the risk of re-identification.

Artsonia Terms of Service (FERPA section):

 

“Artsonia may use Directory Information and Education Records that have been de-identified for product development, research or other purposes (“De-Identified Data”). De-Identified Data will have all direct and indirect personal identifiers removed, this includes, but is not limited to, name, date of birth, demographic information, location information and school identity. Artsonia agrees not to attempt to re-identify the De-Identified Data and not to transfer the De-Identified Data to a third party unless that party agrees not to attempt re-identification.”

 

 

3

Marketing and Advertising

“Provider will not use any Data to advertise or market to students or their parents.

Advertising or marketing may be directed to the [School/District] only if student information is properly de-identified.”

Or

“Data may not be used for any purpose other than the specific purpose(s) outlined in this Agreement.”

(If this provision is present, check to make certain there is nothing else in the agreement that would allow marketing/advertising).

“Provider may use Data to market or advertise to students or their parents.”

The TOS should be clear that data and/or metadata may not be used to create user profiles for the purposes of targeting students or their parents for advertising and marketing, which could violate privacy laws.

Artsonia has committed to the principles of the Student Privacy Pledge.

Additionally, Artsonia explicitly states in our Privacy Policy: “Information collected from students (including personal information and information collected automatically) is never used or disclosed for third-party advertising. Additionally, personal information collected from students is never used for behaviorally-targeted advertising to students (first or third party). Lastly, children’s personal information is never sold or rented to anyone, including marketers or advertisers.”

*We have this same commitment in our Terms of Service: “Artsonia will never share PII contained in Education Records or Directory Information with third parties except (i) as directed by an Artsonia user (i.e., School Personnel sharing with other School Personnel or parents); or (ii) to our service providers that are necessary for us to provide the Service, as stated in our Privacy Policy. PII contained in Education Records or Directory Information is never used or disclosed for third-party advertising or any kind of first- or third-party behaviorally-targeted advertising to students or parents. Additionally, personal information collected directly from a student using Artsonia is never used or disclosed for third-party advertising, or any kind of first- or third-party behaviorally-targeted advertising to the student, and personal information collected from a student is never sold or rented to anyone. This section shall not be construed to (i) prohibit Artsonia from marketing or advertising directly to parents or other users so long as the marketing or advertising did not result from the use of PII contained in Educational Records to provide behaviorally-targeted advertising or (ii) limit the ability of Artsonia to use student information, Directory Information, or Educational Records for adaptive learning or customized student learning purposes.

Artsonia may use Directory Information and Education Records that have been de-identified for product development, research or other purposes (“De-Identified Data”). De-Identified Data will have all direct and indirect personal identifiers removed, this includes, but is not limited to, name, date of birth, demographic information, location information and school identity. Artsonia agrees not to attempt to re-identify the De-Identified Data and not to transfer the De-Identified Data to a third party unless that party agrees not to attempt re-identification.”

4

Modification of Terms of Service

“Provider will not change how Data are collected, used, or shared under the terms of this Agreement in any way without advance notice to and consent from the [School/District].”

“Provider may modify the terms of this Agreement at any time without notice to or consent from the [School/District].”

Or

“Provider will only notify the [School/District] of material changes.”

Schools/districts should maintain control of the data by preventing the provider from changing its TOS without the school’s/district’s consent.

A provider that agrees to give notice of TOS changes is good; a provider that agrees not to change the TOS without consent is better.

Artsonia Terms of Service state:

“We may modify this Agreement or Guidelines to, for example, reflect changes to the law or changes to our Service. You should look at the Agreement regularly. We last modified this Agreement on the date stated above. We'll post notice of modifications to this Agreement on this page or elsewhere on the Artsonia Website or Artsonia App. Changes will not apply retroactively and will only become effective when (a) you use the Service after you know about the change, or (b) thirty days after they are posted (whichever is sooner). However, changes addressing new functions for a Service or changes made for legal reasons will be effective immediately. Your continued use of the Service, following notice of the changes to the Agreement or Guidelines, constitutes your acceptance of our amended terms, policies or guidelines. If you do not agree to the modified Agreement, you should discontinue your use of the Service.

Artsonia will not materially change how PII contained in Education Records is used or shared under these Terms of Service without advance notice. If a change has a material adverse impact on the School Personnel or Institution and the School Personnel or Institution does not agree to the change, the School Personnel or Institution must notify Artsonia within thirty days of receiving the notice of change as described in the Contacting Artsonia section below. If School Personnel or Institution notifies Artsonia as required, then the School Personnel or Institution will remain governed by the Terms of Service in effect immediately prior to the change until the end of the then current Term. If the Service is renewed, they will be renewed under Artsonia's then current Terms of Service.”

Additionally, Artsonia’s Privacy Policy states the following: “We may revise our Privacy Policy from time to time. You can see when the last update was by looking at the "Last Updated" date at the top of this page. We won't reduce your rights under this Privacy Policy without your explicit consent. If we make any significant changes, we'll provide prominent notice by posting a notice on the Service and/or notifying you by email (using the email address you provided), so you can review and make sure you know about them.

In addition, if we ever make significant changes to the types of personal information we collect from children, or how we use it, we will notify parents in order to obtain parental consent or notice for those new practices.”

5

Data Collection

“Provider will only collect Data necessary to fulfill its duties as outlined in this Agreement.”

An absence of a data collection restriction (see left) could potentially allow vendors to collect a wide array of student information.

Also watch for:

“If user gains access through a third-party website (such as a social networking site), personal information associated with that site may be collected.”

If the agreement relates to FERPA-protected data, a provision like the one represented in the “GOOD!” column may be necessary. Including a provision that limits data collection to only what is necessary to fulfill the agreement is a best practice.

Providers may view user access to their services through a third-party social networking site as an exception to established rules limiting data collection.

Artsonia makes this commitment in our Privacy Policy:

“Artsonia collects the minimal amount of information from children necessary to use our Service.”

“Beyond this, student access to our Service does not allow the child the ability to upload any other content to their account, or enter any other personal information.”

“We will not require children to provide more personal information than is reasonably necessary in order to participate in the Service.”

We also reaffirm in our Terms of Service: “We request minimal personal information to be provided from students to use the Service. Please do not provide any personal information about yourself to us, other than what we request from you when you use the Service or as directed by your School Personnel, school or district, such as through the use of the Classroom Mode feature.”

6

Data Use

“Provider will use Data only for the purpose of fulfilling its duties and providing services under this Agreement, and for improving services under this Agreement.”

Beware of any provision that contains the phrase:

“without providing notice to users.”

Schools/districts should restrict data use to only the purposes outlined in the agreement. This will help schools/districts maintain control over the use of FERPA-protected student information and ensure appropriate data use.

Our use of personal information collected for all users is set forth in our Privacy Policy under the “How We Use the Information We Collect” section.

 

Additionally, with respect to children’s information we state in our Privacy Policy: “We use this information to provide the Service to the child, for security and safety purposes, or as required by law or to enforce our Terms.”

 

We also make the further commitment in our Privacy Policy and Terms of Service: “Artsonia does not sell or rent any of your or your child's personal information to any third party for any purpose – including for advertising and marketing purposes. Third-party advertising is not permitted on the Artsonia Website or Artsonia App and personal information collected from students is never used for behaviorally-targeted advertising to students (first or third party).”

 

In our Terms of Service, we also address this in the “Your Information and Content” section. We first make it clear that you own any User Submissions and that we do not claim any ownership rights in your User Submissions. In order to allow Artsonia to provide the service, we ask that you provide us a limited license. We have limited this license to 4 specific uses and have also specified when these license rights terminate.

 

Those four rights are to:

i. use, host, copy, store, distribute, publicly perform and display, publish (in whole or in part), modify, and create derivative works (such as changes we make so that your content works better with our Service or to produce Custom Merchandise) such User Submissions as necessary to (a) provide, improve and make the Service available to you and other users, (b) produce (including sharing with our service providers) Custom Merchandise depicting the User Submissions and (c) provide the Lesson Plans to third parties (if you opt-in to such sharing), including through any future media in which the Service may be distributed;

ii. use and disclose metrics and analytics regarding the User Submissions in an aggregate or other non-personally identifiable manner (including, for use in improving our Service or in marketing and business development purposes);

iii. use any User Submission (including any Education Record) that has been de-identified for any product development, research or other purpose; and

iv. use for other purposes permitted by the Artsonia Privacy Policy.

Artsonia will only share and use your personal information in accordance with Artsonia's current Privacy Policy.

Termination of these license rights:

The license in (i)(a) above will terminate when you delete any User Submissions with intellectual property rights (like images or videos) ("IP content"), you or your Institution (as defined below) deletes an Education Record, you delete any personal information, or you delete your account, unless your User Submission has been shared with others, and they have not deleted it. When you post a User Submission on the Artsonia Website, this is publicly available, and it means that you are allowing everyone, including people unaffiliated with Artsonia, to access and use that information, and to associate it with you (i.e., your name and profile picture if you provide one as a School Personnel or any artwork uploaded). Note, however, that any User Submissions that may be in or related to messages sent through Artsonia may be kept after you delete your account. Please see the section entitled Deleting Your Account in our Privacy Policy for more information. When you delete IP content, Education Records, or personal information, it is deleted in a manner similar to emptying the recycle or trash bin on a computer. However, you understand that any removed User Submission may persist in backup copies for a reasonable period of time (but will not be available to others).

Parents acknowledge and agree that the license granted in (i)(b) may mean that third parties that are not related to or known to parent may purchase Artsonia Custom Merchandise containing their child's User Submission (e.g. artwork and title), and that parent has granted such license when they consent to their child's artwork being posted publicly on the Service. The license in (i)(b) above will terminate when you withdraw your consent or delete the IP Content, provided, however, that such license will continue for Custom Merchandise previously purchased by third parties prior to such withdrawal or deletion.

School Personnel acknowledge and agree that the license granted in (i)(c) will not be effective unless School Personnel "opts-in" to sharing of Lesson Plans and will continue until School Personnel turns off such sharing for that particular Lesson Plan. However, School Personnel understands and agrees that "turning-off" or "opting-out" with regard to a previously submitted Lesson Plan does not terminate any sub-licenses to the affected lesson plan(s) previously granted by Artsonia to any third parties, but Artsonia thereafter shall not grant any additional sub-licenses for the affected Lesson Plan.

7

Data Mining

“Provider is prohibited from mining Data for any purposes other than those agreed to by the parties. Data mining or scanning of user content for the purpose of advertising or marketing to students or their parents is prohibited.”

“Provider can mine or scan Data and user content for the purpose of advertising or marketing to students or their parents.”

While data mining or scanning may sometimes be a necessary component of online services (e.g., for malware/spam detection or personalization tools), schools/districts should prohibit any mining or scanning for targeted advertising directed to students or their parents.

Such provisions could lead to a violation of FERPA or the PPRA.

Artsonia Terms of Service state the following:

“Our automated systems analyze your User Submissions (including emails) to provide you personally relevant product features, such as customized search results, and for spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored. Artsonia will not analyze any personal information contained in Educational Records for the purpose of providing behaviorally-targeted advertising to students or parents. The foregoing shall not be construed to (i) prohibit Artsonia from marketing or advertising directly to parents so long as the marketing or advertising did not result from the use of personal information contained in Educational Records to provide behaviorally-targeted advertising or (ii) to limit the ability of Artsonia to use Educational Records for adaptive learning or customized student learning purposes.”

8

Data Sharing

“Data cannot be shared with any additional parties without prior written consent of the User except as required by law.”

Or

“The [School/District] understands that Provider will rely on one or more subcontractors to perform services under this Agreement. Provider agrees to share the names of these subcontractors with User upon request. All subcontractors and successor entities of Provider will be subject to the terms of this Agreement.”

“Provider may share information with one or more subcontractors without notice to User.”

Or

“Where feasible, Provider will require third-party vendors to comply with these Terms of Service.”

While it is perfectly acceptable for providers to use subcontractors, schools/districts should be made aware of these arrangements and subcontractors should be bound by the limitations in the TOS.

Artsonia’s Privacy Policy states the following and includes a list of our service providers:

“We do not disclose any personal information about children to third parties, except to service providers necessary to provide the Service, as required by law, or to protect the security of the Service or other users. Information collected from students (including personal information and information collected automatically) is never used or disclosed for third-party advertising. Additionally, personal information collected from students is never used for behaviorally-targeted advertising to students (first or third party). Lastly, children's personal information is never sold or rented to anyone, including marketers or advertisers."

Additionally, Artsonia’s Privacy Policy makes the following commitment:

Service Providers: “Third-party advertising is not permitted on Artsonia and personal information collected from students is never used for behaviorally-targeted advertising to students (first or third party). We do work with vendors, service providers, and other partners to help us provide the Service by performing tasks on our behalf. We may need to share or provide information (including personal information) to them to help them perform these business functions, for example sending emails on our behalf, database management services, database hosting, fulfilling product orders, providing customer support software, and security. Generally, these partners and service providers do not have the right to use your personal information we share with them beyond what is necessary to assist us. Additionally, these partners and service providers must adhere to confidentiality and security obligations in a way that is consistent with this Privacy Policy.”

Artsonia also makes the following commitment in our Terms of Service:

“Artsonia will never share PII contained in Education Records or Directory Information with third parties except (i) as directed by an Artsonia user (i.e., School Personnel sharing with other School Personnel or parents); or (ii) to our service providers that are necessary for us to provide the Service, as stated in our Privacy Policy. PII contained in Education Records or Directory Information is never used or disclosed for third-party advertising or any kind of first- or third-party behaviorally-targeted advertising to students or parents. Additionally, personal information collected directly from a student using Artsonia is never used or disclosed for third-party advertising, or any kind of first- or third-party behaviorally-targeted advertising to the student, and personal information collected from a student is never sold or rented to anyone. This section shall not be construed to (i) prohibit Artsonia from marketing or advertising directly to parents or other users so long as the marketing or advertising did not result from the use of PII contained in Educational Records to provide behaviorally-targeted advertising or (ii) limit the ability of Artsonia to use student information, Directory Information, or Educational Records for adaptive learning or customized student learning purposes.”

9

Data Transfer or Destruction

“Provider will ensure that all Data in its possession and in the possession of any subcontractors, or agents to which the Provider may have transferred Data, are destroyed or transferred to the [School/District] under the direction of the [School/District] when the Data are no longer needed for their specified purpose, at the request of the [School/District].”

Beware of any provision that contains:

“maintain(s) the right to use Data or user content.”

While FERPA does not specify that education records shared under some of its exceptions must be returned or destroyed at the end of the contract, it is a best practice to require this. Data return or destruction helps limit the amount of personal information available to third parties and prevent improper disclosure. This provision also helps schools/districts maintain control over the appropriate use and maintenance of FERPA-protected student information.

Artsonia’s Privacy Policy states the following:

“We only keep a child's personal information for as long as his or her student account is active, unless we are required by law to retain it, need it to ensure the security of our community or our Service, or to enforce our Terms. Additionally, Artsonia follows the following policy for all students' information regardless of age.

If a student's account is inactive for two years or more (meaning no teacher has given feedback to the student or otherwise interacted with the student, and neither the parent nor the student have logged into his or her account), Artsonia will automatically delete or de-identify the personal information associated with the student account, including all personal information provided by students or collected by Artsonia from students and any feedback received from teachers.

Please check here for more information on our data retention policies surrounding children's personal information.”

Artsonia’s Privacy Policy also allows a teacher to request deletion of the information they provide at any time:

“We store your personal information for as long as it is necessary to provide products and Services to you and others, including those described above. Personal information associated with your account will be kept until your account is deleted, unless we no longer need the data to provide products and services.

Please note that we may have to retain some information after your account is closed, to comply with legal obligations, to protect the safety and security of our community or our Service, or to prevent abuse of our Terms. You can, of course, delete your account at any time, as per the Deleting Your Account section.

Student Data Protection Policy: In addition to the policy above that applies to all users, we only keep a student's personal information while the student's account is active, unless we are required by law to retain it, need it to ensure the security of our community or our Service, or to enforce our Terms. Additionally, we collect minimal information from students, and automatically delete or de-identify the personal information associated with student accounts if they are inactive for two years (including deletion of feedback given by teachers). Read more details about this student-friendly policy in the How Long Does Artsonia Keep Children's Information section.

Please check here for more information on our data retention policies surrounding children's personal information and here for information on our data retention policies in general.”

“If for some reason you ever want to delete your account (or your child's account, if you are his or her parent), you can do that at any time by contacting us as described in the Contacting Artsonia section below.”

Artsonia’s Privacy Policy also states the following: “When you delete your account, we delete your profile information and any other content you provide in your profile (such as your name, screenname, password, email address, bio, and profile photos) and depending on the category of user you are (i.e., teacher, parent, Fan Club Member or student) additional information such as artwork, comments, compliments, feedback on artwork and information collected through mobile permissions you've granted. Information that you have shared with others, others have shared about you, or content other users may have copied and stored, is not part of your account and may not be deleted when you delete your account. For more details, please read "What happens when I terminate or delete my account?" in our HelpDesk.”

Artsonia’s Terms of Service also address this in the Termination section:

“This Agreement shall remain in full force and effect while you use the Service unless your account is terminated as provided in this Agreement ("Term"). You may terminate your use of the Service or your account at any time by contacting us as described in the Contacting Artsonia section below. As a parent, you can also terminate your child's account the same way, although we will need to verify your identity (such as requiring that you send the request to us from the same email address you used to provide your consent to activate the student account originally). Click here for what information is deleted when you terminate or delete your account.”

10

Rights and License in and to Data

“Parties agree that all rights, including all intellectual property rights, shall remain the exclusive property of the [School/District], and Provider has a limited, nonexclusive license solely for the purpose of performing its obligations as outlined in the Agreement. This Agreement does not give Provider any rights, implied or otherwise, to Data, content, or intellectual property, except as expressly stated in the Agreement. This includes the right to sell or trade Data.”

“Providing Data or user content grants Provider an irrevocable right to license, distribute, transmit, or publicly display Data or user content.”

Maintaining ownership of data to which the provider may have access allows schools/districts to retain control over the use and maintenance of FERPA-protected student information. The “GOOD!” provision will also protect against a provider selling information.

Please see above under the Data Use Section for more detail on the limited license granted to Artsonia as well as the specific ability for the user to terminate these license rights.

Additionally, Artsonia’s Terms of Service state that: “You retain all ownership rights you have in any User Submissions. Artsonia does not claim any ownership rights in the User Submissions.”

11

Access

“Any Data held by Provider will be made available to the [School/District] upon request by the [School/District].”

Beware of any provision that would limit the school’s or district’s access to the Data held by Provider.

FERPA requires schools/districts to make education records accessible to parents. A good contract will acknowledge the need to share student information with the school upon request in order to satisfy FERPA’s parental access requirements. As a best practice, parental access to their children’s data should be seamless.

Artsonia’s Privacy Policy states the following:

“Artsonia aims to provide you with easy access to any personal information we have collected about you. If that information is incorrect, we give you easy ways to update it, or to delete it, unless we have to keep that information for legitimate business (e.g., we need at least an email address for your account) or legal purposes.

· Accessing Your Information: You have a right to request access to your personal information controlled by Artsonia by contacting us as described in the Contacting Artsonia section below. In some cases, we won't be able to guarantee complete access due to legal restrictions - for example, you will not be allowed to access files that contain information about other users or information that is confidential to us.

· Managing Your Information: You may update, correct, or delete some of your profile information or your preferences at any time by logging into your account on Artsonia and accessing your account settings page. You may also, at any time, update, correct, or delete certain personal information that you have provided to us by contacting us as described in the Contacting Artsonia section below. When updating your personal information, we may ask you to verify your identity before we can act on your request. We will respond to your request within a reasonable timeframe. Please note that while your changes may be reflected promptly in active content, users that have previously accessed the content may still have access to old copies cached on their device or may have copied and stored your content. You may also exercise your control or choices with the communications we send you as set forth in Communications from Artsonia section below.

· Accessing Your Child's Information: Take a look at our Parental Choices section to see how you can obtain copies of your child's personal information.

We may reject requests for access, change or deletion that are unreasonably repetitive, require disproportionate technical effort (for example, developing a new system or fundamentally changing an existing practice), risk the privacy of others, or would be extremely impractical (for instance, requests concerning information residing on backup systems).

Where we can provide information access and correction, we will do so for free, except where it would require a disproportionate effort. We aim to maintain our services in a manner that protects information from accidental or malicious destruction. Because of this, even after you update or delete personal information you have provided us from our Service, your personal information may be retained in our backup files and archives for a reasonable period of time for legal purposes or for so long as is necessary in light of the purposes for which such records were collected or legitimately further processed.”

12

Security Controls

“Provider will store and process Data in accordance with industry best practices. This includes appropriate administrative, physical, and technical safeguards to secure Data from unauthorized access, disclosure, and use.

Provider will conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Provider will also have a written incident response plan, to include prompt notification of the [School/District] in the event of a security or privacy incident, as well as best practices for responding to a breach of PII. Provider agrees to share its incident response plan upon request.”

The lack of a security controls provision, or inclusion of a provision that sets a lower standard for Provider’s security of Data, would be a bad practice and potentially violate FERPA.

Failure to provide adequate security to students’ PII is not a best practice and could lead to a FERPA violation.

Artsonia has committed to the principles of the Student Privacy Pledge, including adhering to their best practice tips related to security.

Additionally, Artsonia’s Privacy Policy states the following:

“The security of your personal information is important to us. To prevent unauthorized access, disclosure, or improper use of your information, and to maintain data accuracy, we've established physical, technical, and administrative safeguards to protect the personal information we collect. In particular:

· We periodically review our information collection, storage and processing practices, including physical security measures, to guard against unauthorized access to systems.

· When you enter any information anywhere on the Service, we encrypt the transmission of that information using secure socket layer technology (SSL) by default.

· Artsonia's database where we store your personal information is encrypted at rest, which converts all personal information stored in the database to an unintelligible form.

· As an added measure of security, we ensure passwords are stored and transferred securely using encryption and salted hashing.

· Artsonia's Website is hosted by third-party service providers at separate facilities, with whom we have a contract providing for enhanced security measures. For example, personal information is stored on a server equipped with industry standard firewalls. In addition, the hosting facilities provide 24 X 7 security system, camera surveillance, and locked cage areas.

· We restrict access to personal information to authorized Artsonia employees, agents or independent contractors who need to know that information in order to process it for us, and who are subject to strict confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

For additional information on our security practices, please visit our Privacy Center. Although we make concerted good faith efforts to maintain the security of personal information, and we work hard to ensure the integrity and security of our systems, no practices are 100% immune, and we can't guarantee the security of information. Outages, attacks, human error, system failure, unauthorized use or other factors may compromise the security of user information at any time.”

“If we learn of a security breach, we will attempt to notify you electronically (subject to any applicable laws) so that you can take appropriate protective steps; for example, we may post a notice on the Artsonia Website or elsewhere on the Service, and may send email to you at the email address you have provided to us. Depending on where you live, you may have a legal right to receive notice of a security breach in writing.”