

Niswonger Online/AP Access for ALL
Student and Guardian
Privacy Policy
Effective Date: 7/2021
Last Update: 8/2024
At Niswonger Online and AP Access for ALL (APAA), we prioritize minimizing the collection of data on our students and guardians to the greatest extent possible. This Privacy Policy outlines how we collect, use, disclose, and safeguard student and guardian information when your stakeholders use our program.
1. Purposeful and Minimal Data Collection and Sharing:
We are committed to gathering only the necessary information required for program participation and operation, ensuring that the data collected is limited to what is essential for providing our services effectively. Data entry into the Niswonger Online student information system, GeniusSIS, is exclusively conducted by the collaborating local educational agency (LEA). External sharing of information is only permissible with approval from the Tennessee Department of Education (TDOE). Any information collected is utilized solely for the purpose of delivering our educational programs, resources, program communications, and support services to our participants. Any data shared is solely for reporting and data collection of the TDOE.
Data collected on each stakeholder is as follows:
- Students- Name, High School, Email Address (school email or personal), Grade Level
- Guardians- (optional) Name, Email Address
- The LEA determines which email address students use while enrolled in our courses and the decision to link guardian account(s).
2. Confidentiality and Security- GeniusSIS and CanvasLMS:
- We uphold strict confidentiality measures to safeguard the information collected, partnering with a national student information system, GeniusSIS, and an international learning management system, CanvasLMS. These systems uphold robust security protocols to prevent unauthorized access, disclosure, or misuse of data.
- All information collected on students and guardians is held within the Niswonger Online GeniusSIS and CanvasLMS (parent company Instructure Global) systems. Each party holds the following student and guardian information:
- Student- Name, High School, Email Address (school email or personal), Grade Level
- Guardian- (optional) Name, Email Address
- Student- Name, Email Address (school email or personal)
- Guardian- (optional) Name, Email Address
- All of our databases are encrypted at rest with AES-256 encryption using Amazon KMS. These databases are backed up daily with a five day retention window and are configured to use auto-scaling to ensure availability. Secrets such as API keys have an additional layer of asymmetric encryption.
- Canvas’ deployment is spread across three availability zones to ensure uptime. All EC2 instances and databases exist within a private subnet unreachable from the outside internet. All access to the private subnet is via a network load balancer in a public subnet. All connections within the subnets are encrypted with mTLS; all requests to the load balancer require TLS. Unencrypted connections are rejected.
- CanvasLMS: Infrastructure
- Canvas’ infrastructure runs exclusively on AWS. Canvas’ servers are only hosted in the US on data centers that are SOC 2 and ISO 27001 certified. Using AWS ensures the physical and network security of Canvas servers and guarantees our hardware and software are always updated with the latest patches.
- Application and database access are logged via CloudWatch. Application and infrastructure logging is centralized in DataDog with alerts to detect anomalous usage. We store audit logs of who accesses your data in Canvas and when.
- GeniusSIS: Standard Agreement Security 6.5
- [GeniusSIS] will implement reasonable physical, administrative and technical security measures for the Subscription Service designed to: (a) protect the security and confidentiality of the Customer and Student Data; (b) protect against any anticipated threats or hazards to the security or integrity of the Subscription Service and Customer Student Data, and (c) protect against unauthorized use of or access to the Subscription Service and Customer and Student Data. Company shall also establish and maintain network and internet security procedures, protocols, security gateways and firewalls with respect to the Subscription Service and the Customer and Student Data stored therein. With respect to any Student Data, Company’s security policies and practices are FERPA compliant, and Company certifies that it will not make or permit unauthorized use of any information systems or records containing such Student Data, including: change, delete or add data to any information systems or files outside the scope of designated responsibilities.
- GeniusSIS: Standard Agreement Security Infrastructure Exhibit B Subpart 8
Genius SIS uses multiple layers of protection in its web applications.
- Firewall – Genius uses firewalls provided by AWS and/or Azure to prevent unauthorized access to the hosting environment. Typically, only ports 443 and 80 are open to the public internet, with traffic being re-routed automatically to port 443. Firewalls also provide protection against DDoS and are managed through Security Groups managed by the Genius SIS team;
- Web Application Firewall – For clients using geniussis.com subdomains, Genius uses Cloudflare as an additional layer of protection of its web applications. Cloudflare’s WAF (https://www.cloudflare.com/waf/) provides additional protections against many threats such as SQL Injection and bots access as well as rate limits to help prevent brute-force attacks;
- Encryption – Data is encrypted in transit using SSL and sensitive data such as passwords are encrypted at rest in the database;
- Management – Genius uses Zabbix as a monitoring tool of its servers, as well as Windows Server Update Services (WSUS) to manage the distribution of updates and hotfixes released for Microsoft products.
- For more information regarding GeniusSIS hosting and security, please visit geniussis.com
- For more information regarding CanvasLMS hosting and security, please visit instructure.com
3. Transparency and Accountability:
- We maintain transparency in our data practices, providing clear explanations of the information collected, how it is used, and the measures taken to protect it.
4. Children's Privacy (under the age of 13):
The Niswonger Online and AP Access for ALL Programs are not intended for individuals under the age of 13, and we do not knowingly gather personal information from children under 13 years old. All Niswonger Online (grade levels 8-12) and APAA (grade levels 9-12) students are expected to be within the secondary school age range, typically between 13 and 18 years old. If an LEA serves an exceptional student under the age of 13 who needs a Niswonger Online course, that LEA must understand all COPPA laws and have specific parental consent when sharing their student information. If an LEA becomes aware that they have provided us with data regarding a child under the age of 13, and guardians did not give proper consents, the LEA should contact the APAA director immediately so steps can be taken to terminate the child’s account.
5. Continuous Improvement:
- We continuously review and refine our data collection and usage practices, striving to enhance privacy protections and minimize data exposure further.
- We periodically review and update our privacy policy to reflect changes in our practices, technology, and regulatory requirements, ensuring that our policies remain current and effective in safeguarding data privacy.
- We reserve the right to update or modify this Privacy Policy at any time. Any changes will be effective immediately upon posting the revised Privacy Policy on our website. Your continued use of the program after the posting of any changes constitutes acceptance of those changes.
6. Compliance with Regulations:
- We ensure compliance with relevant data protection regulations and laws, incorporating privacy principles into our policies and procedures to safeguard the rights and privacy of our participants.
- However, it is important to note that no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee the absolute security of your data.
7. Participant Rights:
- Participants have the right to access, correct, or request deletion of their personal information as permitted by law. We respect these rights and provide avenues for individuals to exercise control over their data.
8. Contact Us:
- For any inquiries or concerns regarding our privacy practices or to exercise your rights regarding your data, please contact us using the provided contact information:
Executive Director- Gina Pavlovich
gpavlovich@niswongerfoundation.org
By participating in Niswonger Online and APAA programs, you acknowledge and consent to the terms outlined in this privacy policy.
FERPA Compliance Statement
At Niswonger Online and APAA, we are committed to ensuring compliance with the Family Educational Rights and Privacy Act (FERPA), a federal law designed to protect the privacy of student education records. As such, we adhere to the following principles:
- Confidentiality of Student Records: We maintain the confidentiality of student education records and only disclose such records as permitted by FERPA or with the written consent of the eligible student or parent/guardian, as applicable.
- Access to Education Records: Eligible students and parents/guardians have the right to access and review the student's Niswonger Online/ APAA records upon request. We provide mechanisms for such access in accordance with FERPA requirements.
- Amendment of Education Records: If a student or parent/guardian believes that the student's Niswonger Online or APAA education records contain inaccurate or misleading information, they have the right to request the amendment of such records. We facilitate the process of requesting and reviewing amendments in compliance with FERPA guidelines.
- Disclosure of Education Records: We disclose education records only to authorized individuals or entities as permitted by FERPA, including school officials with legitimate educational interests, other schools to which a student is transferring, and certain government agencies such as the TDOE.
- Data Security: We implement appropriate measures to safeguard the security and confidentiality of student education records, ensuring protection against unauthorized access, disclosure, or alteration.
- Training and Awareness: We provide training and resources to our staff members to ensure their understanding of FERPA requirements and their responsibilities in maintaining compliance with the law.
- FERPA Compliance Officer: The Niswonger Online/ APAA Executive Director is the designated FERPA Compliance Officer responsible for overseeing our compliance efforts, addressing inquiries related to FERPA, and ensuring adherence to FERPA regulations.
By adhering to these principles and maintaining compliance with FERPA, we demonstrate our commitment to protecting the privacy rights of students and their families while supporting Tennessee LEAs and their educational endeavors.