Super Teacher

Super Teacher for Schools’ Data Privacy and Security Plan

1. Introduction

Super Teacher Inc. (“Company,” “we,” “us,” or “our”) takes many measures to protect the privacy and security of our users’ data. This Data Privacy and Security Plan outlines the policies and procedures that we have or will implement to comply with relevant local, state, and federal laws applicable to us. This document covers Super Teacher for Schools, or school-based accounts in Super Teacher (the “Product”, “Services”). For non-school accounts, and for more general information beyond the scope of this document, please see our general privacy policy.

2. Data Collection and Use

The Product will collect and retain personal data necessary for the functionality in the app and to support internal Company operations. The following is data that could be considered Personally Identifiable Information (PII) that the Product may collect, store and use:

Student name
Teacher name
IP address or other device identifiers

Additionally, during a student's interaction with the Product, voice recordings will be collected to enable speech-based interactions. This is required for the Product to function. However, we will not retain a voice recording longer than necessary to transcribe the recording using automatic speech-transcription technology – after which the recording is promptly deleted. More information is provided below in the section titled Data Retention Policy. The following are examples of non-PII data that the Product may associate with a user’s account:

Lesson activity and progress
Achievements and awards earned within the app
Preferences and settings for the app experience set by the user
Class rosters
School name

3. Data Storage and Retention

3.1 Data Storage

Data will be securely stored using Amazon Web Services (AWS), an industry-leading cloud service provider. AWS maintains strict security certification, including SOC 2 and ISO 27001 compliance. All data will be stored within the United States.

3.2 Data Retention Policy

The Company will retain data associated with a user only for as long as is necessary to fulfill the purpose for which the information was collected, or as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. When a user account is deleted (whether by request of the student, family, or school administrator) or deemed inactive, we will delete it and all associated data within a reasonable amount of time.

4. Data Encryption

4.1 Encryption in Transit

All communication with our servers will occur over secure channels. Requests from client devices will transmit data over HTTPS, which ensures data is encrypted via TLS 1.2 or higher. Our server connection has been rated an A+ from Qualys SSL Labs. Communication between different systems hosted in AWS will occur within a Virtual Private Cloud (VPC) that ensures only Company-authorized traffic is permitted and prevents data in transit from being observed by outside sources.

4.2 Encryption at Rest

The Company employs industry-standard encryption protocols to ensure that all stored data remains secure. Within AWS, we utilize services including S3 (Simple Storage Service), EBS (Elastic Block Store), and EFS (Elastic File System). All use AES-256 encryption with managed keys, ensuring that data at rest is protected.

5. Data Access and Control

5.1 Access by Company Personnel

Access to data and infrastructure for the Product will be limited to those Company employees or independent contractors whose job function requires it. Access permissions will be gated at multiple points throughout the system, including where appropriate at the object level and the API level. Only Company personnel whose job function necessitates access to our infrastructure will be granted permission to do so. Access will be logged and require multi-factor authentication (MFA).

5.2 Data Control and Modification

Parents, teachers, and school administrators will have the right to access, review, and request modifications to any of their (or, as applicable, their student/child’s) associated data. A parent or school administrator may at any time request the deletion of their child’s/student’s account and all associated data. Inquiries can be directed to support@getsuperteacher.com.

5.3 Data Return

The Company endeavors to ensure that data is handled in accordance with district or other local educational agency (“LEA”) requirements for data return, transition, and deletion. In the event of contract termination, or at the request of an LEA, data will be managed as follows, at the LEA’s option and direction:

Return to LEA or successor contractor: At the LEA’s request, the Company will make all relevant data available in a secure, digestible format. Transmission to the destination of their choosing will occur over encrypted channels to prevent risk of data leaks. (The Company makes no commitment regarding the security of the LEA’s requested transfer destination.)
Deletion from Company’s systems: Within a reasonable time following the conclusion of a contract, or at any point by the LEA’s request, all data created as part of the contract will be securely deleted from the Company’s systems, including all student accounts and any data provided to the Company by school and LEA officials. Where deletion has been requested by the LEA, confirmation will be provided to the LEA when the process is completed, which will be within 30 days of the request being made.

5.4 Third-Party Access

The Company will not sell or share personal data with third-party companies for those third party’s marketing purposes. Third-party service providers (e.g., cloud hosting, speech-to-text conversion tools, analytics tools) may have access to data solely for the purpose of supporting the Product’s functionality or analysis, and will be bound by confidentiality agreements and data protection clauses.Company’s agreements with such third-party service providers will require the service provider to make representations regarding its own data-privacy and security practices that are commensurate with those representations that Company has made in this Data Privacy and Security Plan and in its published Privacy Policy.

6. Incident Response

6.1 Incident Response Plan

The Company will follow a comprehensive incident response plan in the event of a data breach, security incident, or significant outage. Steps include:

Containment: Upon detecting a security breach, action will be taken to limit the impact. Steps may include isolating affected systems or taking components offline.
Escalation and Investigation: The Company is responsible for defining an “on-call” schedule to ensure a staff member is responsible at all times for investigation of an open incident.
Resolution: We will take prompt action to address the incident. Systems will be restored to full functioning order as quickly as reasonably practicable while ensuring data security and integrity.
Notification: The Company will notify the LEA and/or administrators of an affected school – and any other authorities as may be required by law – within a reasonable time following the identification and confirmation of any material incident by Company staff members, or as otherwise contractually obligated.
Post-Incident Review: A root cause analysis will be conducted to understand why the incident occurred, followed by implementing reasonable safeguards to prevent future incidents of a similar nature when deemed appropriate.

6.2 Backups

The Company will maintain periodic backups of its databases and other system data. These backups will ensure a timely recovery in the unlikely case of extreme data loss or corruption. All backups will be encrypted using AES-256 encryption, ensuring that backups, like the primary data, will remain secure and protected from unauthorized access during both the storage and recovery processes.

7. Internal Training and Awareness

Employees and contractors employed by the Company will receive training in the following areas where necessary to securely perform their job function:

Awareness of legal requirements governing use of the Product in a K-12 educational environment in the US
Company policy governing data access and use
Proper data handling and storage procedures
Incident reporting and response protocols
Avoiding phishing schemes and other cybersecurity threats

8. AI Systems

The Company does not use Confidential Information to train AI Systems. The Company does use some established technologies that may be considered AI Systems in providing the Services.

Automatic Speech Transcription (Speech-to-Text): Super Teacher uses automatic speech transcription technology, so that students can answer questions using their voice when using Super Teacher. After transcription, the voice recording is discarded. The voice recordings are not used to train AI Systems.
Natural Language Processing: Super Teacher uses natural language processing to parse the transcriptions of the voice recordings, so that lessons can adapt based on how students answer questions during the lesson. The transcriptions are not used to train AI Systems.
Synthetic Voice (Text-to-Speech): Super Teacher uses a synthetic voice for the teacher and other characters, and the student’s first name or nickname may be used by the synthetic voice so that student can be addressed by name. The student’s name is not used to train AI Systems.
In addition to the above use of technologies in providing the Services, Educational content creators and software engineers at Super Teacher may also use autocomplete, code completion or other AI Systems to aid in their everyday work of creating educational content or writing software code. Confidential Information is not processed by AI Systems for this, and Confidential Information is not used to train AI Systems for this.

9. Plan Review and Updates

This Data Privacy and Security Plan will be periodically reviewed by the Company. Material updates will be communicated to the LEAs and any relevant stakeholders as appropriate.