Last updated: April 27, 2020
Requirements for Information Collection
In the United States, and other jurisdictions where applicable, before collecting any personal data (“Personal Data”) from students accessing the Services as required by or in response to invitations from Education Subscribers, we require the Education Subscriber to contractually consent to our information practices, as permitted by applicable law.
For purposes of GDPR, the Education Subscriber is the Controller and Caveon is the Processor of a student’s Personal Data. The Controller determines the legal basis, means and purposes for processing the data, and Caveon follows the directions of the Controller who sends us the data.
We collect and process the following categories of data in the process of delivering the Services to Education Subscribers:
We collect data in the following ways:
When students use the Services to take assessments or tests developed and/or administered by and for Education Subscribers, by the very nature of the usage of the Services, data is collected. We gather students’ Personal Data from the Education Subscriber, directly from the student as they interact with assessments or tests through and as part of the Services, directly from students’ devices, and directly from someone who invites users to submit data via the Services (such as a teacher or professor). Some of this collection happens when a student or Education Subscriber affirmatively submits that information. Some of our collection happens in the background – that is, it’s automatically collected when users interact with the Services (an example of the data collected this way is the information about the student’s device or connection, or the information about feature usage.).
Caveon and/or our third-party service providers also automatically collect some information using methods such as cookies. Information automatically collected may include Internet protocol (IP) addresses, browser type, Internet service provider (ISP), operating system, and date/time stamp. We use this information to deliver and support the Services. We do not use this information to deliver advertising or for any other purpose not related to the delivery and support of the services.
We may collect Personal Data about students of Education Subscribers from the Education Subscriber and authorized users of the Education Subscriber account, including Personal Data contained in “educational records,” as defined by FERPA. Caveon maintains this information on behalf and at the direction of the Education Subscriber and does not use the information for any other purposes except as permitted by FERPA and our applicable agreements with Education Subscribers.
We use Personal Data collected from and about students only as needed to deliver the functionality of the Services, operate our business, and for use by Education Subscribers at their direction as follows:
We may use all of the types of Personal Data that we collect for the following purposes, to the extent permitted by our agreements with our Education Subscriber customers:
In order to optimize provision of the Services, we may collect broad geographic location (city-level location) information about where users are located when using the Services. We use this information for service-related purposes (such as optimizing connections to our data center) and supporting compliance.
We may also use third-party service providers to help us provide the Services, and they may have limited access to Personal Data in the process. We prohibit our service providers from selling Personal Data they receive from us or on our behalf and require them to only use that Personal Data in order to perform the services we have asked of them, in accordance with written contracts with us, unless otherwise required by law.
Personal Data we collect, we collect on behalf of our Education Subscribers. (To use the technical term, we are the “Processor” of that Personal Data, acting as a service provider on behalf and at the direction of our Education Subscriber, and our Education Subscriber is the “Controller” or decisionmaker.) For an Education Subscriber subject to GDPR or similar law, the Education Subscriber determines the legal basis, means and purposes for processing student Personal Data, and instructs Caveon to process such Personal Data, including those who are children under the age 16 years (but not younger than 13).
We are required to follow an Education Subscriber’s instructions related to Personal Data we have collected on their behalf. On an Education Subscriber’s instructions, we may provide reports to the Education Subscriber containing Personal Data relating to their account and students’ use of the assessment and testing platform controlled by the Education Subscriber.
This includes responding to a legally binding demand for information, such as a warrant issued by a law enforcement entity of competent jurisdiction, or as reasonably necessary to preserve Caveon’s legal rights.
Caveon does not share Personal Data with third parties other than the service providers described above, or as required by law, except at the direction and on behalf of a Education Subscriber.
Maintaining the confidentiality, security, and integrity of students’ Personal Data is a top priority. We use industry-standard security technologies, procedures, and organizational measures designed to help protect Personal Data from unauthorized access, use, or disclosure.
Access and Deletion Rights
If a student or the parent or legal guardian of a student under the age of 18 would like to request to access, review, refuse further collection of, or delete the student’s Personal Data within the Services provided by Caveon to a corresponding Education Subscriber that required the student’s submission of such data, please contact the Education Subscriber directly. Because Caveon is required to comply with contractual confidentiality and data retention obligations related to our customers’ data, we are not able to respond to parental or student requests directly. Education Subscribers may direct requests to access, delete or restrict further collection, processing or use of a student’s Personal Data to firstname.lastname@example.org.