ActiveLearningLabs - Data Security & Privacy Plan

ActiveLearningLabs is committed to safeguarding the privacy and security of personally identifiable information (PII) belonging to students, teachers, and educational partners. Our practices are aligned with the NIST Cybersecurity Framework v1.1, which provides a structured approach to identifying, protecting, detecting, responding to, and recovering from cybersecurity risks.

In addition, ActiveLearningLabs maintains CASA (Cloud Application Security Assessment) certification, demonstrating independent verification of our controls related to secure development, cloud architecture, and operational security.

We comply with FERPA, COPPA, and state student data privacy laws in all districts we serve.

Categories of Data Collected

ActiveLearningLabs collects only the data necessary to provide interactive learning services.

  • Student Data

    • First and last name

    • Student email (for account login)

    • ActiveLearningLabs generated information

      • Activity start and end times

      • Scores, completion status, and number of attempts

      • Student-generated responses (e.g., worksheet inputs, writing activities)

      • Pre and Post survey answers

      • Activity ratings

  • Teacher Data

    • First and last name

    • Email address (for login, classroom setup, and communications)

  • System Metadata

    • Login timestamps

    • Activities accessed and completed

    • Engagement analytics (time on task, attempts per item)

    • Collaboration scores for team-based activities.

We do not collect:

  • Social Security numbers

  • Financial information

  • Biometric or health data

  • Geolocation data

  • Parent/guardian data

 

Administrative, Operational, and Technical Safeguards

ActiveLearningLabs employs a layered security approach to protect all personally identifiable information (PII) and education records entrusted to us. Our safeguards include administrative policies, operational processes, and technical controls designed to prevent unauthorized access, ensure confidentiality and integrity, and maintain system availability.

Encryption

  • In Transit: All data transmitted between client devices, application servers, and databases is encrypted using Transport Layer Security (TLS) 1.2 or higher. This prevents interception or tampering of sensitive information during transmission.

  • At Rest: All PII stored in our databases is encrypted using AES-256 bit encryption, a U.S. government–recognized standard for protecting classified information. Encryption keys are managed securely and rotated in line with best practices.

Access Control

  • Role-Based Access: Access to PII is granted strictly according to defined roles and responsibilities. Staff may only access the minimum data necessary to perform their duties, following the principle of least privilege.

  • Authentication: Administrative access to production systems requires multi-factor authentication (MFA), reducing the risk of credential compromise. MFA is enforced for engineers, administrators, and other staff with elevated privileges.

  • Periodic Review: User access rights are reviewed on a quarterly basis, and accounts are promptly deactivated when staff leave the organization or no longer require access.

Network and Infrastructure Security

  • Hosting Environment: ActiveLearningLabs is hosted in secure cloud infrastructure (e.g., Amazon Web Services), leveraging data centers that are SOC 2 and ISO 27001 certified. These certifications validate the provider’s physical and logical security practices.

  • Perimeter Security: Firewalls, network segmentation, and intrusion detection/prevention systems are employed to safeguard against unauthorized access and malicious traffic.

  • Patch Management: Operating systems, databases, and application components are patched regularly according to a defined vulnerability management process. Critical patches are applied on an accelerated schedule.

Monitoring & Logging

  • System Logging: Comprehensive logs record system activity, including authentication events, administrative actions, and application errors.

  • Monitoring: Automated monitoring tools provide real-time visibility into system performance, availability, and security. Alerts are triggered for suspicious activity such as repeated failed login attempts or unusual data access patterns.

CASA Certification

  • ActiveLearningLabs has achieved CASA (Cloud Application Security Assessment) certification, which involves an independent evaluation of our application security, cloud hosting architecture, and operational practices.

  • The CASA assessment validates compliance with industry-recognized controls, including secure software development, identity management, encryption, and incident response.

  • Annual reassessments ensure that our practices remain current with evolving security threats and regulatory requirements.

Employee Training & Subcontractor Oversight

  • Training

    • All employees undergo onboarding training on FERPA, COPPA, and data security best practices.

    • Annual refresher training covers phishing, incident response, and secure data handling.

  • Subcontractors

    • Subprocessors (e.g., hosting providers, SSO platforms) are reviewed for compliance with industry security standards.

    • Contracts require subcontractors to meet or exceed the same privacy and security standards as ActiveLearningLabs.

Data Breach & Incident Response

ActiveLearningLabs maintains a documented process for identifying, investigating, and responding to any actual or suspected data security incidents involving personally identifiable information (PII). While we do not operate automated monitoring tools, we employ structured manual reviews and administrator checks to help ensure the security of our systems.

Identification

  • Security incidents may be identified through manual review of system logs, user reports, or alerts from hosting providers.

  • Staff are trained to escalate any unusual activity or concerns about potential unauthorized access.

Notification

  • If a confirmed breach of PII occurs, affected educational agencies will be notified within 72 hours (or sooner if required by applicable law).

  • Notifications will include a description of the incident, the categories of data affected, and the corrective actions being taken.

Containment and Remediation

  • Access credentials are immediately reset or revoked if misuse is suspected.

  • Affected systems may be temporarily taken offline to prevent further unauthorized activity.

  • Engineering staff conduct a root cause analysis and apply security fixes before restoring normal service.

Communication

  • Districts receive written updates throughout the investigation process.

  • Once the incident is resolved, a final incident report is provided that outlines the timeline, impact, and remediation steps.

Post-Incident Review

  • Following any incident, ActiveLearningLabs documents lessons learned and updates internal procedures to reduce the likelihood of recurrence.

  • Findings from post-incident reviews are incorporated into staff training and technical practices.

Data Retention & Secure Destruction

  • Data is retained only for as long as necessary to provide contracted services.

  • At contract termination or upon district request:

    • Data is exported securely to the district.

    • Records are permanently deleted from ActiveLearningLabs systems using NIST-approved sanitization methods.

Alignment with NIST Cybersecurity Framework v1.1

ActiveLearningLabs structures its security program around the five core functions of the NIST Cybersecurity Framework (CSF v1.1). While we are a lean organization, we have adopted practical and meaningful safeguards under each function to ensure the confidentiality, integrity, and availability of student and teacher information.

  • Identify: Maintain inventories of systems and data, conduct annual risk reviews, and assign clear data protection responsibilities.

  • Protect: Use role-based access, encrypt data in transit and at rest, train staff annually, and enforce confidentiality agreements.

  • Detect: Keep activity logs and perform periodic manual reviews to identify unusual activity.

  • Respond: Follow a written incident response plan, notify districts within 72 hours of a confirmed breach, and take steps to contain and remediate issues.

  • Recover: Maintain encrypted backups, test restoration processes, and communicate with districts during recovery efforts.

Governance & Compliance

  • This Data Security & Privacy Plan is reviewed annually by ActiveLearningLabs’ leadership and the designated Data Protection Officer to ensure it remains current with evolving laws, district requirements, and industry best practices.

  • Any significant updates are communicated to partner districts and are available upon request.

  • ActiveLearningLabs complies with all applicable student data privacy laws and regulations, including FERPA, COPPA, and relevant state-specific privacy acts.

  • ActiveLearningLabs has achieved CASA (Cloud Application Security Assessment) certification, which provides independent validation that our security and privacy practices meet rigorous industry standards for cloud-based educational applications.

  • We also comply with contractual data privacy requirements outlined in district agreements, ensuring consistency between our practices and local educational agency policies.

  • Questions or concerns about compliance may be directed to the Data Protection Officer, who serves as the primary contact for privacy and security matters.

Data Protection Officer
ActiveLearningLabs

info@activelearninglabs.com

866.921.9592

Facebook Instagram Linkedin
Schedule A FREE Demo
Contact Us
866.921.9592
info@activelearninglabs.com

SCHOOL YARD CT, DAMASCUS. 20872

Montgomery, MD, United States

Our Products

© 2025 - ActiveLearningLabs LLC. All Rights Reserved

Privacy Policy
|
Terms of Service
|
Data Security & Privacy Plan
Scroll to Top