PRIVACY POLICY


Penda Learning respects the privacy of its users and is committed to protecting your personal data. This privacy policy explains how we do this, and how it applies to your use of Penda Learning’s website and services. Penda Learning is fully compliant with the Family Educational Rights and Privacy Act of 1974, also known as the FERPA, a United States Federal regulation.


  • Learning 2020, Inc., DBA Penda Learning, is a registered corporation, FEI/EIN Number 84-2197909, with registered address: Learning 2020, Inc., 2400 SE Federal Highway, Fourth Floor, Stuart, FL. 34994

  • Penda Learning is registered with the State of Florida - Department of State: Document Number P19000050555

  • All data is held within Amazon Web Services

  • You retain full control over what data we can access

  • All data is transmitted using SSL/TLS encryption

  • Data at rest is encrypted with AES

  • All data is processed for the purpose of running Penda Learning

  • All personal data is anonymized or deleted (your choice) at the end of the school’s subscription - if we receive no instructions, we anonymize all data within 90 days


Downloads


Penda Learning Data & Privacy Policy

This privacy statement covers your use of the website and related services provided by Learning 2020, Inc. (‘Penda Learning’). Specifically, this policy sets out what data is collected, how that data is used, how it is kept secure and how long it is kept. It also outlines your rights to access your data and how to contact Penda Learning for more information.


What data does Penda Learning require schools to share?

We require all schools to share learner first and last name, grade level, gender, date of birth, student ID number, and classes. This data is needed in order to properly provision learner accounts as well as Penda Learning services.

In addition to the above data, a school may choose to share data on the following learner characteristics: lower quartile, students of economic disadvantage, English limited language, students with disabilities, and ethnicity status. This data is needed to allow filtering and analysis based on these learner characteristics. Specifically, for schools on a Response To Intervention (RTI) contract, this includes enabling advanced functionality as listed:

  • Advanced learner data filters for progress-monitoring enabled

  • Teacher/school admin detailed customized reports enabled, including an intervention-focus report

Teachers and school admin who wish to use Penda Learning are required to share their first and last name, job title and email address. This data is needed in order to properly provision teacher/admin accounts as well as Penda Learning services.

We also store the address and contact details of the school.


How is this data gathered by Penda Learning?

Learner data is shared one of three ways over which the district and/or school has full control:

  • A District/School Admin manually uploading a data file to our secure servers by SSL 3.3/TLS 1.2 encryption (see Penda Learning - Data Sharing Agreement).

  • A District/School IT Manager authorizing, installing and provisioning a custom student information system (SIS) application that, once setup, automatically syncs via SFTP to our secure servers by SSL 3.3/TLS 1.2 encryption (see Penda Learning - Data Sharing Agreement).

  • A District/School IT Manager installing and authorizing an auto data-rostering application (such as ClassLink) that, once set up, automatically syncs nightly to our secure servers by SSL 3.3/TLS 1.2 encryption.

Teacher and school admin data is inputted manually by the user as part of their registration process.


What is the lawful basis for storing this data?

This data is required for learners, teachers and school admin to be able to use the Penda Learning platform for intervention support, supplemental curriculum support, classroom use and homework, in accordance with the school’s contractual agreement with Penda Learning.


Where and how is this data stored?

The data is stored on Penda Learning’s servers in data centers in Ireland, provided by Amazon Web Services (AWS). AWS data centers are compliant with the international information security standard, ISO 27001.

For more information about AWS’s ISO 27001 certification, please visit this webpage.

For more information about AWS security, please visit this webpage.

In choosing AWS to store data, Penda Learning is subject to its Shared Responsibility Model. The division of these responsibilities and how Penda Learning specifically meets those responsibilities as an AWS customer is outlined below:

Responsibility of Penda Learning

Responsibility of Amazon Web Services

Preventing or detecting when an AWS account has been compromised:

  • Multi-factor authorization is enabled

  • Access key IDs and secret access keys are used in managing authorized access to Penda Learning’s AWS account

  • Change-monitoring software is in place to detect unauthorized access

x

Preventing or detecting a privileged or regular AWS user behaving in an insecure manner

  • Individual identities used to enable monitoring of each user’s behavior by system administrators

  • Internal ISMS (Information Security Management System) in place, controlling access and permissions for each user

  • On-boarding and off-boarding protocols in place, controlling set-up and removal of users

  • Credentials deactivated the same day as a user leaves the company

x

 Configuring AWS services (except AWS Managed Services) in a secure manner:

  • TLS (Transport Layer Security): the Penda Learning platform is accessible only over SSL 3.3/TLS 1.2 encrypted connections

  • Only specific IPs configured/authorized can access AWS server

  • File System Encryption: keys and passwords are kept in an unreadable, encrypted closed format

  • Platform, Applications, Identity and Access Management: maintenance and protection of the platform running on the cloud, and all aspects that fall under that

 x

 Restricting access to AWS services or custom applications to only those users who require it

  • Customer Data Protection: only authorized users can access the data using the Penda Learning platform and only within the authorized scope (e.g the school)

  • Network Traffic Protections: only authorized IPs can access the AWS server

 x

Updating Guest Operating Systems and applying security patches

  • Security patches and updates are monitored by system administrators and applied regularly

 Ensuring AWS and custom applications are being used in a manner compliant with internal and external policies

  • All processes carried out by Penda Learning using AWS have been audited for FERPA compliance

  • All processes carried out by Penda Learning using AWS are in accordance with the AWS terms of use

 x

 x

 Ensuring network security (DoS, MITM, port scanning)

  • Protection against MITM is provided by Penda Learning’s SSL connections

  • AWS internal machines are not exposed to port scanning

  • In a Denial of Service situation, the server would become temporarily inaccessible without data loss

 x

 x

 Configuring AWS Managed Services in a secure manner

 x

 Providing physical access control to hardware/software

 x

 Providing environmental security assurance against things like mass power outages, earthquakes, floods, and other natural disasters

 x

 Database patching

 x

 Protecting against AWS zero day exploits and other vulnerabilities

 x

Business continuity management (availability, incident response)

 

x

Related to disaster recovery, how is data backed up?

Data is backed up daily by AWS Ireland data centers. All backups are encrypted and are stored for 30-days.


How is data encrypted between the clients and your AWS servers? Which version(s) of SSL/TLS and other encryption are supported?

Data is encrypted using SSL 3.3 / TLS 1.2 encryption between clients and our AWS servers.


Are Penda Learning personnel background-checked ?

All Penda Learning personnel are background checked, including criminal history, and legal employment within the United States upon employment commencement. Additionally, all Penda Learning personnel working within schools are background-checked and finger-printed, maintained by the State of Florida. Annually, personnel are checked/verified as part of internal HR processes and Penda Learning audit processes.


Do you share our school data with any third-party organizations?

We share limited data with our customer support software, ZenDesk, including teacher and school admin’ names, school names and email addresses. This allows us to help with any technical problems or support requests quickly and easily, via email, by telephone or by an online chat system.

We do not share learner data with ZenDesk unless a learner emails us directly, in which case we store their first and last name, school name and email address. ZenDesk is based in the USA.

For information regarding ZenDesk’s Privacy Policy compliance, please visit this page.

For our digital marketing (email campaigns) system, we use MailChimp. We share limited data with MailChimp, including teacher and school admin first and last names and email addresses. This allows us to send communications regarding any platform downtime, scheduled maintenance, new features/functionality, platform enhancements, implementation strategies and support services available.

Emails contain tracking facilities within the actual email. Tracked activities include: the opening of emails; the clicking of links within the email content; times, dates and frequency of activity; how you access and view the emails (web browser version, OS version). You have the right to opt out of digital marketing (email campaigns) at any time: you can opt out using the 'Unsubscribe' link at the bottom of each email we send or you can email support@pendalearning.com and request to be removed. MailChimp is based in the USA.

For information regarding MailChimp’s Privacy Policy compliance, please visit this page.

For our customer relation management system, we use Solve360 and store a history of your district/school’s contractual relationship with Penda Learning, including subscription history, product history, data upload history and a record of communications with Penda Learning. Solve360 is based in the USA.

For information regarding Solve360’s Privacy Policy compliance, please visit this page.

Four our accountancy system, we use Sage. We store school addresses, the name and email of our contacts (e.g. finance office), invoices/transactions, payment terms and payment history. Sage is based in the USA.

For information regarding Sage’s Privacy Policy compliance, please visit this page.

Four our accountancy system, we use Sage. We store school addresses, the name and email of our contacts (e.g. finance office), invoices/transactions, payment terms and payment history. Sage is based in the USA.

For information regarding Sage’s Privacy Policy compliance, please visit this page.


How long will the data be kept?
During the subscription period, if a learner becomes withdraws, their account and all associated data is anonymized within 90 days.

All personal data is anonymized or deleted (your choice) within 90 days after the school subscription ends - if we receive no instructions, we anonymize all data within 90 days.

Upon request, we can destroy a school’s data within 24 hours.


How will the data be anonymized?
Learner, teacher and admin (school admin) data will be anonymized as follows:


Learner Accounts
Learner first names are replaced with ‘Anonymous’ and last names are replaced with ‘Learner-’ along with a random string of 6 numbers/letters. For example, Albert Einstein would become ‘Anonymous Learner-BFHPIL’. This is carried out so that we can continue to improve our understanding of program efficacy and impact evaluation, while ensuring anonymity. Below is a full listing of learner data fields and treatments applied:

Original Data

Data Treatment

User ID

Regenerated using new random DoB and Anonymized name

Password

Regenerated

Memorable question

Deleted

Memorable question answer

Deleted

Penda Learning activity scores

Retained

Penda Learning points earned

Retained

Gamification: avatar and clothes

Reset to default

Gamification: World buddies

Deleted

Original Data

Data Treatment

First Name

‘Anonymous’

Last Name

‘Learner-’ + 6-character randomized string of numbers and/or letters

Grade level

Retained

Gender

Randomized

Date of birth

Randomized (with parameter that new learner age must be between 7 and 40)

Student ID number

‘Reg group-’ + 6-character randomized string of numbers and/or letters

Classes

‘Class-’ + 6-character randomized string of numbers and/or letters

  

Teacher Accounts

Teacher first names are replaced with ‘Anonymous’ and last names are replaced with ‘Teacher-’ along with a random string of 6 numbers/letters. For example, Johnny Appleseed would become ‘Anonymous Teacher-HLZWQY’. Below is a full listing of teacher data fields and treatments applied:

Original Data

Data Treatment

First Name

‘Anonymous’

Last Name

‘Teacher-’ + 6-character randomized string of numbers and/or letters

Email Address

Deleted

Subject(s)

Link between teacher and subjects deleted

Classes

‘Class-’ + 6-character randomized string of numbers and/or letters

Intervention Groups

‘Group-’ + 6-character randomized string of numbers and/or letters

Assignments

‘Task-’ + 6-character randomized string of numbers and/or letters

User ID

Regenerated using Anonymized name

Password

Regenerated

School Admin Accounts
School admin first names are replaced with ‘Anonymous’ and last names are replaced with ‘Admin-’ along with a random string of 6 numbers/letters. For example, Johnny Appleseed would become ‘Anonymous Admin-VBXMPZ’. Below is a full listing of admin account data fields and the treatments applied. Any additional teachers who have an account with admin permissions are treated the same as a standard teacher account (above).

Original Data

Data Treatment

First Name

‘Anonymous’

Last Name

‘Admin-’ + 6-character randomized string of numbers and/or letters

Job Title

Deleted

Email Address

Deleted

User ID

Retained as ‘Admin’

Password

Regenerated


On request we can delete all data, removing it from our servers completely.


What other information do you store about users once they use Penda Learning?
We store information about their use of Penda Learning.

For learners, we store their total platform usage (hours:minutes), activity history, activity scores, Penda Learning gamification points earned, gamification trophies earned, gamification avatar clothes selected and gamification Penda World buddies selected.

For teachers and school admin we store the date they last logged in, total number of logins since the beginning of the academic year, total number of assignments set, classroom intervention groups created and activities they have created using our authoring tool Activity Builder.


What is your policy for serious incidents such as data breaches?
Should a school or subject (user) report a serious incident, such as a data breach, or should a serious incident be identified by Penda Learning, we will notify the impacted school’s school admin and any affected subjects within 48 hours.

Following Penda Learning’s internal data breach protocol, we will work closely with all subjects impacted to minimize the incident and ensure it is fully resolved.
To report a concern or possible incident involving Penda Learning, submit a support ticket, email support@pendalearning.com or call Penda Learning Customer Support at 1-888-919-0404 Monday-Friday from 8:00am to 5:00pm. Should any issue not be resolved, they can be escalated to the Chief Executive Officer, Brad Baird, via BBaird@pendalearning.com.


What are cookies and how do you use them?

Cookies are small text files that are set by a website or app operator so that your browser or device may be recognized. Cookies track, save and store information about your interactions with and usage of a website.

Penda Learning uses cookies to optimize your experience on our website and provide you with a more tailored, improved experience. Penda Learning uses Google Analytics software to monitor website behavior to enhance our service offering. This software will save a cookie to your device in order to track and monitor your engagement and usage of the website, but will not store, save or collect any personal information. You can read Google's privacy policy here for further information.

If you don’t want cookies to be stored on your device, you should make the necessary changes to your device, relevant browsers or apps.


How can access be revoked for members of staff who have left a school?
District and/or School Admin with an active Penda Learning admin account can make a member of staff inactive, which will prevent them from having access to Penda Learning.

1. Sign into the Penda Learning admin account
2. Click ‘Profile’
3. Click ‘Teacher Data’
4. Find the member of staff from the list
5. Change the corresponding bubble from ‘Active’ to ‘Inactive’
6. Click Save

On request we can delete a teacher or admin account, removing the teacher/school admin and their data from our servers completely, within 24 hours.


How can learner data be removed when the learner withdraws from the school?
If your school elected to manually upload learner data: at any time school admin with an active Penda Learning admin account can delete learner accounts using the Learners page of Penda Learning. This prevents those learners from accessing Penda Learning and immediately deletes all of that learner’s data from our servers completely.

1. Sign into the Penda Learning admin account
2. Click ‘Learners’
3. Find the learner from the list
4. Tick the corresponding checkbox next to the learner’s last name
5. Click ‘Delete Learner’ found at the bottom of the page
6. Confirm your selection
7. Click Yes

If your school elected to provision learner data via custom SIS integration or via an auto data-rostering service: during the subscription period, if a learner withdraws, their account and all associated data is automatically anonymized within 90 days.

On request we can delete the learner, removing the learner and their data from our servers completely, within 24 hours.


How can I access my data?

A Subject Access request can be made by submitting a support ticket or by emailing support@pendalearning.com. Upon authenticating the subject’s identity, we will provide all data we hold on the subject (or organization) in a spreadsheet, within 30 days.