PRIVACY POLICY


Last Updated: May 1, 2020


www.pendalearning.com is owned and operated by Learning 2020, Inc. Penda Learning is a cloud-based instructional management system and configurable gaming network for educational purposes. The platform provides a full suite of instructional management tools. Students, teachers and school/district administrators can access Pendalearning.com through an account created via their school or school district’s account.


Learning 2020, Inc. respects the privacy of its users and is committed to protecting your personal data. This Privacy Policy describes Learning 2020, Inc. and Penda Learning privacy practices in relation to information that we collect through the website www.pendalearning.com, operated by us from which you are accessing this Privacy Policy (the “Main Domain”) and through the software applications made available by us for use on or through computers and mobile devices that link to this Privacy Policy (the “App”). Learning 2020, Inc. is fully compliant with the Family Educational Rights and Privacy Act of 1974, also known as the FERPA, a United States Federal regulation.


  • Learning 2020, Inc., DBA Penda Learning, is a registered corporation, FEI/EIN Number 84-2197909, with registered address: Learning 2020, Inc., 2400 SE Federal Highway, Fourth Floor, Stuart, FL. 34994

  • Penda Learning is registered with the State of Florida - Department of State: Document Number P19000050555

  • All data is held within Amazon Web Services

  • You retain full control over what data we can access

  • All data is transmitted using SSL/TLS encryption

  • Data at rest is encrypted with AES

  • All data is processed for the purpose of running Penda Learning

  • All personal data is anonymized or deleted (your choice) at the end of the school’s subscription - if we receive no instructions, we anonymize all data within 90 days


Penda Learning Data & Privacy Policy

This privacy statement covers your use of the website and related services provided by Learning 2020, Inc. (‘Penda Learning’). Specifically, this policy sets out what data is collected, how that data is used, how it is kept secure and how long it is kept. It also outlines your rights to access your data and how to contact Penda Learning for more information.

Penda Learning requires schools, districts, or teachers (on behalf of the parents or legal guardians of students under the age of 13) to provide consent for the online collection of personal information of the student under the age of 13 through Penda Learning. In order to register to use Penda Learning, students must use an access created and provided to them by their school district.

Penda Learning collects limited personal information from minor students only where that student’s school, district, or teacher has contracted with Penda Learning to collect personal information for the use and benefit of the learning environment. This information is not shared outside of the school or with

any third parties except those needed for the provision of the service as outlined in this policy. Students of any age cannot share their profiles publicly outside of their classroom or school. Teachers accessing Penda Learning on behalf of a School or District account must ensure that they provide parents with access to this privacy policy.



What data does Penda Learning require schools to share?

We require all schools to share learner first and last name, grade level, gender, date of birth, student ID number, and classes. This data is needed in order to properly provision learner accounts as well as Penda Learning services.

In addition to the above data, a school may choose to share data on the following learner characteristics: lower quartile, students of economic disadvantage, English limited language, students with disabilities, and ethnicity status. This data is needed to allow filtering and analysis based on these learner characteristics. Specifically, for schools on a Response To Intervention (RTI) contract, this includes enabling advanced functionality as listed:

  • Advanced learner data filters for progress-monitoring enabled

  • Teacher/school admin detailed customized reports enabled, including an intervention-focus report

Teachers and school admin who wish to use Penda Learning are required to share their first and last name, job title and email address. This data is needed in order to properly provision teacher/admin accounts as well as Penda Learning services.

We also store the address and contact details of the school.


How is this data gathered by Penda Learning?

Learner data is shared one of three ways over which the district and/or school has full control:

  • A District/School Admin manually uploading a data file to our secure servers by SSL 3.3/TLS 1.2 encryption

  • A District/School IT Manager authorizing, installing and provisioning a custom student information system (SIS) application that, once setup, automatically syncs via SFTP to our secure servers by SSL 3.3/TLS 1.2 encryption

  • A District/School IT Manager installing and authorizing an auto data-rostering application (such as ClassLink) that, once set up, automatically syncs nightly to our secure servers by SSL 3.3/TLS 1.2 encryption.

Teacher and school admin data is inputted manually by the user as part of their registration process.


What is the lawful basis for storing this data?

This data is required for learners, teachers and school admin to be able to use the Penda Learning platform for intervention support, supplemental curriculum support, classroom use and homework, in accordance with the school’s contractual agreement with Penda Learning.


Where and how is this data stored?

The data is stored on Penda Learning’s servers in data centers in Virginia, USA, provided by Amazon Web Services (AWS). AWS data centers are compliant with the international information security standard, ISO 27001.

For more information about AWS’s ISO 27001 certification, please visit this webpage.

For more information about AWS security, please visit this webpage.

In choosing AWS to store data, Penda Learning is subject to its Shared Responsibility Model. The division of these responsibilities and how Penda Learning specifically meets those responsibilities as an AWS customer is outlined below:

Responsibility of Penda Learning

Responsibility of Amazon Web Services

Preventing or detecting when an AWS account has been compromised:

  • Multi-factor authorization is enabled

  • Access key IDs and secret access keys are used in managing authorized access to Penda Learning’s AWS account

  • Change-monitoring software is in place to detect unauthorized access

x

Preventing or detecting a privileged or regular AWS user behaving in an insecure manner

  • Individual identities used to enable monitoring of each user’s behavior by system administrators

  • Internal ISMS (Information Security Management System) in place, controlling access and permissions for each user

  • On-boarding and off-boarding protocols in place, controlling set-up and removal of users

  • Credentials deactivated the same day as a user leaves the company

x

 Configuring AWS services (except AWS Managed Services) in a secure manner:

  • TLS (Transport Layer Security): the Penda Learning platform is accessible only over SSL 3.3/TLS 1.2 encrypted connections

  • Only specific IPs configured/authorized can access AWS server

  • File System Encryption: keys and passwords are kept in an unreadable, encrypted closed format

  • Platform, Applications, Identity and Access Management: maintenance and protection of the platform running on the cloud, and all aspects that fall under that

 x

 Restricting access to AWS services or custom applications to only those users who require it

  • Customer Data Protection: only authorized users can access the data using the Penda Learning platform and only within the authorized scope (e.g the school)

  • Network Traffic Protections: only authorized IPs can access the AWS server

 x

Updating Guest Operating Systems and applying security patches

  • Security patches and updates are monitored by system administrators and applied regularly

 Ensuring AWS and custom applications are being used in a manner compliant with internal and external policies

  • All processes carried out by Penda Learning using AWS have been audited for FERPA compliance

  • All processes carried out by Penda Learning using AWS are in accordance with the AWS terms of use

 x

 x

 Ensuring network security (DoS, MITM, port scanning)

  • Protection against MITM is provided by Penda Learning’s SSL connections

  • AWS internal machines are not exposed to port scanning

  • In a Denial of Service situation, the server would become temporarily inaccessible without data loss

 x

 x

 Configuring AWS Managed Services in a secure manner

 x

 Providing physical access control to hardware/software

 x

 Providing environmental security assurance against things like mass power outages, earthquakes, floods, and other natural disasters

 x

 Database patching

 x

 Protecting against AWS zero day exploits and other vulnerabilities

 x

Business continuity management (availability, incident response)

 

x

Penda Learning and your school work together to protect the online privacy of all of your school community members that use Penda Learning, including students, teachers, and school/district administrators. This privacy policy and Penda Learning’s information collection and security practices have been authorized by your school or teacher, and Penda Learning strives to manage your school's internet services in a secure manner. For example, Penda Learning uses industry-standard technology called SSL (Secure Socket Layer). SSL encrypts information transmitted across the internet to and from Penda Learning. You will know that SSL is working when you see the presence of an image of a closed lock or solid key in the bottom bar of your browser window. Unfortunately, no data transmission over the internet can be guaranteed to be 100% secure and “hacker-proof,” and Penda Learning cannot ensure or warrant the security of any information managed by the site, whether transmitted to Penda Learning by you, your school, or your teacher. Penda Learning shall not be liable if a security breach occurs, if the site malfunctions, or if information is misused or mismanaged in any way to your detriment or the detriment of a third party, whether by Penda Learning, your school, your teacher, or an unauthorized third party.



Related to disaster recovery, how is data backed up?

Data is backed up daily by AWS Virginia, USA data centers. All backups are encrypted and are stored for 30-days.


How is data encrypted between the clients and your AWS servers? Which version(s) of SSL/TLS and other encryption are supported?

Data is encrypted using SSL 3.3 / TLS 1.2 encryption between clients and our AWS servers.


Are Penda Learning personnel background-checked ?

All Penda Learning personnel are background checked, including criminal history, and legal employment within the United States upon employment commencement. Additionally, all Penda Learning personnel working within schools are background-checked and finger-printed, maintained by the State of Florida. Annually, personnel are checked/verified as part of internal HR processes and Penda Learning audit processes.


Do you share our school data with any third-party organizations?

We share limited data with our customer support software, ZenDesk, including teacher and school admin’ names, school names and email addresses. This allows us to help with any technical problems or support requests quickly and easily, via email, by telephone or by an online chat system.

We do not share learner data with ZenDesk unless a learner emails us directly, in which case we store their first and last name, school name and email address. ZenDesk is based in the USA.

For information regarding ZenDesk’s Privacy Policy compliance, please visit this page.

For our digital marketing (email campaigns) system, we use MailChimp. We share limited data with MailChimp, including teacher and school admin first and last names and email addresses. This allows us to send communications regarding any platform downtime, scheduled maintenance, new features/functionality, platform enhancements, implementation strategies and support services available.

Emails contain tracking facilities within the actual email. Tracked activities include: the opening of emails; the clicking of links within the email content; times, dates and frequency of activity; how you access and view the emails (web browser version, OS version). You have the right to opt out of digital marketing (email campaigns) at any time: you can opt out using the 'Unsubscribe' link at the bottom of each email we send or you can email support@pendalearning.com and request to be removed. MailChimp is based in the USA.

For information regarding MailChimp’s Privacy Policy compliance, please visit this page.

For our customer relation management system, we use Solve360 and store a history of your district/school’s contractual relationship with Penda Learning, including subscription history, product history, data upload history and a record of communications with Penda Learning. Solve360 is based in the USA.

For information regarding Solve360’s Privacy Policy compliance, please visit this page.

Four our accountancy system, we use QuickBooks by Intuit. We store school addresses, the name and email of our contacts (e.g. finance office), invoices/transactions, payment terms and payment history. Intuit is based in the USA.

For information regarding Intuit’s Privacy Policy compliance, please visit this page.


How long will the data be kept?
During the subscription period, if a learner is withdrawn, their account and all associated data is anonymized within 90 days.

All personal data is anonymized or deleted (your choice) within 90 days after the school subscription ends - if we receive no instructions, we anonymize all data within 90 days.

Upon request, we can destroy a school’s data within 24 hours.


How will the data be anonymized?
Learner, teacher and admin (school admin) data will be anonymized as follows:


Learner Accounts
Learner first names are replaced with ‘Anonymous’ and last names are replaced with ‘Learner-’ along with a random string of 6 numbers/letters. For example, Albert Einstein would become ‘Anonymous Learner-BFHPIL’. This is carried out so that we can continue to improve our understanding of program efficacy and impact evaluation, while ensuring anonymity. Below is a full listing of learner data fields and treatments applied:

Original Data

Data Treatment

User ID

Regenerated using new random DoB and Anonymized name

Password

Regenerated

Memorable question

Deleted

Memorable question answer

Deleted

Penda Learning activity scores

Retained

Penda Learning points earned

Retained

Gamification: avatar and clothes

Reset to default

Gamification: World buddies

Deleted

Original Data

Data Treatment

First Name

‘Anonymous’

Last Name

‘Learner-’ + 6-character randomized string of numbers and/or letters

Grade level

Retained

Gender

Randomized

Date of birth

Randomized (with parameter that new learner age must be between 7 and 40)

Student ID number

‘Reg group-’ + 6-character randomized string of numbers and/or letters

Classes

‘Class-’ + 6-character randomized string of numbers and/or letters

  

Teacher Accounts

Teacher first names are replaced with ‘Anonymous’ and last names are replaced with ‘Teacher-’ along with a random string of 6 numbers/letters. For example, Johnny Appleseed would become ‘Anonymous Teacher-HLZWQY’. Below is a full listing of teacher data fields and treatments applied:

Original Data

Data Treatment

First Name

‘Anonymous’

Last Name

‘Teacher-’ + 6-character randomized string of numbers and/or letters

Email Address

Deleted

Subject(s)

Link between teacher and subjects deleted

Classes

‘Class-’ + 6-character randomized string of numbers and/or letters

Intervention Groups

‘Group-’ + 6-character randomized string of numbers and/or letters

Assignments

‘Task-’ + 6-character randomized string of numbers and/or letters

User ID

Regenerated using Anonymized name

Password

Regenerated

School Admin Accounts
School admin first names are replaced with ‘Anonymous’ and last names are replaced with ‘Admin-’ along with a random string of 6 numbers/letters. For example, Johnny Appleseed would become ‘Anonymous Admin-VBXMPZ’. Below is a full listing of admin account data fields and the treatments applied. Any additional teachers who have an account with admin permissions are treated the same as a standard teacher account (above).

Original Data

Data Treatment

First Name

‘Anonymous’

Last Name

‘Admin-’ + 6-character randomized string of numbers and/or letters

Job Title

Deleted

Email Address

Deleted

User ID

Retained as ‘Admin’

Password

Regenerated


On request we can delete all data, removing it from our servers completely.


What other information do you store about users once they use Penda Learning?
We store information about their use of Penda Learning.

For learners, we store their total platform usage (hours:minutes), activity history, activity scores, Penda Learning gamification points earned, gamification trophies earned, gamification avatar clothes selected and gamification Penda World buddies selected.

For teachers and school admin we store the date they last logged in, total number of logins since the beginning of the academic year, total number of assignments set, classroom intervention groups created and activities they have created using our authoring tool Activity Builder.

For the purpose of improving and enhancing its service, Penda Learning collects and analyzes data on how the platform used in the aggregate (how groups of people use Penda Learning). As true of most Web Sites, we gather certain information automatically and store it in log files. This information may include internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and/or clickstream data. We also use tracking technologies from third party service providers (as described below) to gather information regarding the date and time of your visit and the information you interacted with. We may link this automatically-collected data to personally identifiable information. We do not share this information with third parties - for more information on third party service providers, see section below.


Information on individual usage of the system, including but not limited to individual IP addresses, may be analyzed on a case-specific basis to resolve a  technical difficulty or to assist in resolving or investigating any misuse of the service; also, such individual usage information may be furnished to your school if your school requests such information to assist in the investigation of fraudulent, abusive, or criminal activity or any other use of Penda Learning that violates your school's rules or policies.



What is your policy for serious incidents such as data breaches?
Should a school or subject (user) report a serious incident, such as a data breach, or should a serious incident be identified by Penda Learning, we will notify the impacted school’s school admin and any affected subjects within 48 hours.
Following Penda Learning’s internal data breach protocol, we will work closely with all subjects impacted to minimize the incident and ensure it is fully resolved.
To report a concern or possible incident involving Penda Learning, submit a support ticket, email support@pendalearning.com or call Penda Learning Customer Support at 1-888-919-0404 Monday-Friday from 8:00am to 5:00pm. Should any issue not be resolved, they can be escalated to the Chief Executive Officer, Brad Baird, via BBaird@pendalearning.com.


What are cookies and how do you use them?

Cookies are small text files that are set by a website or app operator so that your browser or device may be recognized. Cookies track, save and store information about your interactions with and usage of a website. Penda Learning uses technologies such as cookies, beacons, tags and scripts. These technologies are used to make it easier for you to navigate our site, to store your passwords so you don’t have to enter it more than once, analyzing trends, administering the site, tracking users’ movements throughout the site and to gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.Technologies such as cookies, beacons, tags and scripts are used by Penda Learning and our tracking utility partners who provide online customer support and video management. These technologies are used to make it easier for you to navigate our site, to store your passwords so you don’t have to enter it more than once, analyzing trends, administering the site, tracking users’ movements throughout the site and to gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.


Penda Learning uses Dynatrace, which is an analytics service used to help analyze your use of our App and to improve it. We use the information we get from Dynatrace only to improve our App and our Services. Dynatrace does not share your information with any other third parties. 


Penda Learning uses Google Analytics software to monitor website behavior to enhance our service offering. This software will save a cookie to your device in order to track and monitor your engagement and usage of the website, but will not store, save or collect any personal information. You can read Google's privacy policy here for further information.


If you don’t want cookies to be stored on your device, you should make the necessary changes to your device, relevant browsers or apps.


How can access be revoked for members of staff who have left a school?
District and/or School Admin with an active Penda Learning admin account can make a member of staff inactive, which will prevent them from having access to Penda Learning.

1. Sign into the Penda Learning admin account
2. Click ‘Profile’
3. Click ‘Teacher Data’
4. Find the member of staff from the list
5. Change the corresponding bubble from ‘Active’ to ‘Inactive’
6. Click Save

On request we can delete a teacher or admin account, removing the teacher/school admin and their data from our servers completely, within 24 hours.


How can learner data be removed when the learner withdraws from the school?
If your school elected to manually upload learner data: at any time school admin with an active Penda Learning admin account can delete learner accounts using the Learners page of Penda Learning. This prevents those learners from accessing Penda Learning and immediately deletes all of that learner’s data from our servers completely.

1. Sign into the Penda Learning admin account
2. Click ‘Learners’
3. Find the learner from the list
4. Tick the corresponding checkbox next to the learner’s last name
5. Click ‘Delete Learner’ found at the bottom of the page
6. Confirm your selection
7. Click Yes

If your school elected to provision learner data via custom SIS integration or via an auto data-rostering service: during the subscription period, if a learner withdraws, their account and all associated data is automatically anonymized within 90 days.

On request we can delete the learner, removing the learner and their data from our servers completely, within 24 hours.


How can I access my data/my child's data?

Parents have the right to refuse the site further contact with their child and to have access to their child's information and to have it deleted by contacting the school administrator.

Parents have the right to consent to the site's use of the child's personal information without having to consent to its disclosure of that information to third parties by contacting the school administrator.

If you are the parent and guardian of a student using Penda Learning, and cease to agree with Penda Learnings terms of use and privacy policy at some point in the future, you may opt-out by contacting (a) your Subscriber (typically your school) Penda Learning administrator if you are a district account user.

If yours or your child's personally identifiable information changes, or if you no longer desire our service, you may correct, update, or delete it by Submitting a Support TIcket or by emailing Support@PendaLearning.com. Upon authenticating the subject’s identity, we will correct, update, or delete all data we hold on the subject (or organization) within 30 days.

We will retain your information for as long as your account is active or as needed to provide you services. If you wish to cancel your account or request that we no longer use your information to provide you services, contact us at SUPPORT@PENDALEARNING.COM. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.



Changes to This Privacy Policy

If we decide to change our privacy policy, we will post those changes to this privacy statement, the homepage, and other places we deem appropriate.

We reserve the right to modify this privacy statement at any time, so please review it frequently. If we make material changes to how we use your personal information or personal information collected from children under age 13, we will notify you prior to the change becoming effective, by email, by means of

notice on our home page, and parents by email in order to obtain verifiable parental consent for the new uses of the child's Personal Information if required.



Disclosure

We may disclose your or your child’s personally identifiable information in connection with business transfers and purchases. As we continue to develop our business we may buy or sell business divisions or companies, we may merge or combine with another company, or our company itself and/or all or a significant part of its assets may be acquired by another company. We may provide any information we have to a potential counter-party in any such potential transaction. If such a transaction is completed, your or your child’s personally identifiable information may be one of the transferred and shared business assets. In the event that information is shared in this manner, notice will be posted on our Site.

In this event this privacy policy will continue to apply unless we contact you and ask you to opt in to any changes before they are implemented.

We may also share de-identified and/or aggregated data with others for their own uses. 

We reserve the right to disclose your or your child's personally identifiable information as required by law and when we believe that disclosure is necessary to protect our rights and/or to comply with a judicial proceeding, court order, or legal process served on our Web site. 



Links To Other Sites

If you click on a link to a third-party site, you will leave Penda Learning.com and be redirected to the site you selected. Because we cannot control the activities of third parties, we cannot accept responsibility for any use of your personally identifiable information by such third parties, and we cannot guarantee that they will adhere to the same privacy practices as PendaLearning.com. We encourage you to review the privacy statements of any other service provider from whom you request services. If you visit a third-party website that is linked to the PendaLearning.com site, you should read that site's privacy statement before providing any personally identifiable information.