Agile Mind Data Privacy and Security Plan
Last revised: November 15, 2023
- The Agile Mind Data Privacy and Security Policy (this document) is available here: https://www.agilemind.com/data-privacy-plan/
- The Agile Mind Privacy Policy is available here: https://www.agilemind.com/privacy-policy/
- Agile Mind shall not sell personally identifiable information (PII) nor use or disclose it for any marketing or commercial purpose or permit another party to do so.
- Agile Mind shall maintain administrative, operational and technical safeguards and practices in place to protect PII, which shall align with the NIST Cybersecurity Framework, including:
- PII data will be protected using encryption while in motion and at rest by serving all data via HTTPS and storing it in a secure manner.
- PII will be stored in a manner as to protect its security and to mitigate any potential security risks. Specifically, all student, teacher, principal, and/or administrator data will be stored by Data at Rest Encryption. The security of this data will be ensured by limited employee access to production databases and SFTP sites.
- Physical access to PII by individuals or entities shall be controlled as follows: databases are housed in a secure data center with physical security and a named access list for visitors.
- All PII data will be stored in servers physically housed in the contiguous United States.
- Agile Mind shall ensure that no PII is disclosed to employees, subcontractors, or other persons or entities unless they have a legitimate educational interest and only for purposes necessary to provide services. All subcontractors are subject to the same restrictions and security as full time employees.
- Agile Mind shall ensure that all employees, subcontractors, and other persons or entities who have access to PII will abide by all applicable data protection and security requirements, including, but not limited to those outlined in applicable laws and regulations (e.g., FERPA, Education Law Section 2-d). Agile Mind shall provide training to any employees, subcontractors, or other persons or entities to whom it discloses PII on a yearly basis.
- Agile Mind shall not disclose PII to any other party other than those set forth in paragraph 5 above without prior written parental consent or unless required by law or court order. If disclosure of PII is required by law or court order, Agile Mind shall notify the originator of said PII (Partner) no later than the time the PII is disclosed unless such notice is expressly prohibited by law or the court order.
- Upon expiration of the contract, the PII will be returned to the Partner and/or destroyed. Specifically, the Partner has access to all data during the lifetime of the contract; when the contract is exited, Agile Mind can anonymize the student, staff, district, and school names thus effectively destroying existing PII.
- A parent, student, teacher, principal, or administrator may challenge the accuracy of the data collected by sending a detailed written description of the challenge to the VP of Engineering, currently Michael Klobe, at Agile Mind corporate headquarters, currently 1701 W Northwest Hwy #290, Grapevine, TX 76051.
- Agile Mind shall take the following steps to identify breaches or unauthorized releases of PII and to notify the Partner upon learning of an unauthorized release of PII:
- Provide prompt notification to the Partner no later than seven (7) calendar days from the date of discovery of a breach or unauthorized release of PII. Agile Mind shall provide notification to the Partner’s data privacy officer by phone and by email.
- Agile Mind shall cooperate with the Partner and law enforcement to protect the integrity of the investigation of any breach or unauthorized release of PII.
- Agile Mind will modify this plan to make the storage, use, and transmission of PII consistent with the Partner’s Data Security and Privacy Policy when practical.
- Agile Mind will review and revise this plan on a yearly basis.
