Privacy Policy
Effective date: May 31, 2022
Protecting the privacy of all individuals, and particularly students, using Mathspace is a priority for us. Details of how we do this are provided below.
Our Privacy Principles
- We are committed to creating a safe and secure online environment for our users.
- We strive to be as open and transparent as possible. We have endeavored to write this policy in a way that is clear and easy to navigate. It is important to us that our users can easily understand the personal information we collect about them and how we protect their privacy.
- We will never sell your personal information to third parties.
- We take the protection of your personal information very seriously, using the best of modern technology feasible for us to protect data and restrict unauthorized access to that information.
Introduction
This Privacy Policy provides important information about the privacy practices of Mathspace Inc. ("Mathspace", "us", or "we") for our website (www.mathspace.co), our associated learning tools and mobile applications.
This Privacy Policy explains how we collect, use, store and disclose the personal information you provide to us as part of your use of our services. With respect to personal information, Mathspace is referring to information which can be used to personally identify a user, such as full name, email address, school name or a photograph.
Collection of Personal Information
We take the information you provide to us very seriously, and we strive to put you in control of decisions around that information. Mathspace collects the following information about you and your use of our services:
Personal information.
When you register for, browse and/or use our services, you may provide Mathspace with "personal information" (such as your full name, email address or a photograph) that can be used to identify you. For School Users, your personal information is also presented to educators in your school or district.
Information about your use of our services and other user-provided information.
We may collect usage information about your use of certain features of our services, such as the number of problems you have attempted, the number of videos you have viewed and the amount of time spent to complete a problem. This enables us to better tailor educational experiences that are most appropriate for you.
Location information.
We may collect and use information about your location (such as your country) to provide you with tailored educational experiences for your region, but we do not collect the precise geolocation of you or your device.
Mathspace uses personal information in the following ways:
To enhance our services and the services we provide.
Mathspace uses the personal information you provide or that we collect to enhance our relationship with you and to operate, maintain, enhance and provide all of the features and services that we provide. Mathspace, for instance, remembers your recent activity so we can recommend the most appropriate content for you on your next visit.
To understand how you and other users use our services.
Mathspace uses any non-personally identifiable information that you provide or that we collect from users in an aggregated format to understand and analyze the usage trends, learning behaviors and preferences of our users, to improve the way our services work and look, and to create new features and functionality.
Ownership of Data for School Users
In addition to presenting student data within our service we provide Schools the ability to download data of student activity on our Services to a CSV file. This data is owned by the School and continues to be the property of and under the control of the School.
Data Retention and Backup
Any user may request a deletion of account details at any time. School administrators may also request a deletion of account details at any time on behalf of their School users. In such cases we will first allow the school to download any data to a CSV file for their ownership. We will then proceed to delete any personal data including names, emails and School name from our database. We will maintain deidentified transactional data for the purposes of improving our adaptive recommendations to all users which is a core part of our service.
For all account deletion requests we may continue to store data on our backup databases for a period of up to 90 days as part of our regular backup processes for restoring user data in case of emergency.
Backup Measures
- Database backups are produced daily by an automated system.
- Database backups are stored encrypted with AES-256.
- Database backups are kept up to 90 days.
- Any data requested to be deleted will be retained for the 90 days of backups only.
- Our Recovery Time Objective is 8 hours and Recovery Point Objective is 24 hours.
- Audit logs for site users are kept only for admin user transactions, and are stored permanently. The elements stored are timestamp, description of changes, and user ID, and kept as a history against each admin user and affected record.
- Audit logs are visible only to admin users. Only engineers are able to access the log storage to delete audit logs.
Our Approach to Data Security
Data security is important to you, and to us.
Mathspace uses a combination of physical, managerial and technical safeguards designed to preserve the integrity and security of your personal information and other information we store in connection with our services. For example, when you enter sensitive information, we encrypt the transmission of that information using secure socket layer technology (SSL) or similar technologies. However, no data transmissions over the internet can be guaranteed to be 100% secure. We take every precaution available to protect all data provided to us in the educational pursuit of digital content.
Mathspace uses Amazon Web Services to host our website, with personal information stored in an encrypted database. Our website is hosted in the United States.
Data Breaches
If we learn of a data security incident that compromises or appears to compromise your personal information, then we will attempt to notify you electronically so that you can take appropriate protective steps. We may also post a notice on our website if a data security incident occurs.
- Data breaches should be reported immediately to the Mathspace support team with full and accurate details of the incident, including who is reporting the incident, what type of incident it is, if the data relates to people, and how many people are involved. Contact details are [email protected] and [email protected].
- Our Data Breach Policy describes a response plan with the following stages:
- Contain the breach and make a preliminary assessment
- Evaluate risks associated with the breach
- Notification of the breach
- Review and respond to prevent future breaches
- Mathspace will immediately notify affected users and conduct an internal investigation of the breach, and remedy as appropriate. We attempt to respond quickly to any data breach through the following measures:
- Automated vulnerability scanning will immediately detect changes to files that match malware signatures.
- Daily code deployment process raises warnings for other unexpected changes to files.
Transmission of Data
All website data is transmitted over HTTPS, with preference for TLS 1.2. Please see our A+ rating with Qualys SSL Server Test: https://www.ssllabs.com/ssltest/analyze.html?d=mathspace.co.
Other protocols in place for backend processes are also always encrypted, and make use of TLS 1.2 or SSLv3.
Technical Security Architecture
Mathspace makes use of the following security architecture to insure data privacy.
- Layered defense approach to security architecture.
- CloudFlare to mitigate against DDOS attacks.
- Web application firewall to detect and prevent common web application attacks and intrusions.
- HTTPS enforced through HSTS and HSTS preload registration.
- Single-sign on for authentication is supported.
- Secured email transmission.
- Automated vulnerability scanning.
- Firewall whitelists are configured to control access to non-public servers.
- Masking and stripping of personal information whenever not strictly required.
- Data is encrypted at rest and in transmission.
- Hosting provider (Amazon Web Services) is ISO 27018 certified and verified by an independent third party assessor.
- User-based and role-based permissions are implemented to restrict access to information as appropriate.
- Penetration testing by an independent third party is conducted on a yearly basis.
Encryption and Authentication Protocols
Data at rest and data in transit
- All data is encrypted in transit and in rest.
- Database storage is encrypted with AWS RDS encryption features.
- Data in transit is secured with HTTPS/TLS 1.2, TLS 1.2 or SSLv3.
Encryption and authentication mechanisms
- All website data is transmitted over HTTPS, with preference for TLS 1.2. (Please see our A+ rating with Qualys SSL Server Test: https://www.ssllabs.com/ssltest/analyze.html?d=mathspace.co.)
- SAML 2.0 through Shibboleth 2.5.2
- Clever Instant Login through custom Django 1.9.3 integration (OAuth 2.0 Authorization Grant flow)
- OAuth 2.0 Authorization Grant flow through custom Django 1.9.3 integration
- Our SSL certificate is signed with RSA 2048 bits (SHA256withRSA). HTTPS enforced through HSTS and HSTS preload registration.
- Protocols in place for backend communication are also always encrypted, and make use of TLS 1.2 or SSLv3.
- Data at rest is encrypted with AES-256 and AWS Key Management Service (KMS) which uses a hardware security module to protect our keys.
- Passwords are stored using the PBKDF2 algorithm with a SHA256 hash and per- user salt. The work factor and algorithm used is frequently updated.
- We do not implement our own encryption or cryptography algorithms.
- SSO-enabled users are authenticated through the SSO mechanisms above - SAML 2.0 or OAuth 2.0 protocols.
- Authorization is managed through a graph-based access control (GBAC) system.
Password Authentication
- SSO-enabled users will not have passwords stored within Mathspace.
- Mathspace users without SSO have their passwords stored using the PBKDF2 algorithm with a SHA256 hash and per-user salt. The work factor and algorithm used is frequently updated.
- Passwords and other credentials are never stored or transmitted in plaintext in the database nor in logs, nor over insecure protocols.
- (SSO-enabled users will not have passwords stored within Mathspace.)
- Passwords must be at least 6 characters long.
- Passwords can’t be entirely numeric.
- Passwords may not be similar to user attributes such as first/last name or email.
- Passwords may not be one of the 1000 most common passwords. Input/Output Controls
- Input controls implemented include error reporting and handling, authorization checks, data consistency checks, and transaction logs.
- Processing controls include data validation checks, completeness checks, checksums, and versioning.
- Output controls include one-time use links, expiration-based links and output logs.
Vulnerability Assessment, Identification, Remediation and Patch Management
- System patches that are security fixes must be applied by a daily automated process.
- Systems must run automated vulnerability and malware scanning software.
- All code changes must be reviewed by another team member.
- All code changes must be scanned by a software security vulnerability scanner.
- Penetration tests performed by an external party must be conducted yearly.
- Issues arising from the above processes must be urgently attended to assess impact and appropriate prioritization
Sharing information with Third Party Service Providers
Mathspace takes great care to protect the personal information you provide to us. We do not sell your personal information to third parties.
This section explains circumstances in which we may share information with third parties.
Functional Purposes
Mathspace uses third-party service providers for customer support, to monitor our website usage, and to monitor the performance of our servers. These third party providers are required for optimal website performance and user experience. Data is not used for marketing purposes.
Advertising Optimisation Purposes
Mathspace does not advertise to any Mathspace Child Users or any individuals under the age of 18 years.
We do use third party service providers to monitor advertising which we deliver to individuals over 18 years of age. We only use these Services for attribution, analytics, market research and ad optimization.
This information is collected directly and automatically by these third parties on adult-directed pages of the website. Mathspace does not participate in these data transmissions. The information collected is anonymous and does not share personally identifiable information with these third parties.
In order to further protect the privacy of our visitors and users, Mathspace chooses not to partake in any retargeting or remarketing advertising campaigns due to the type and nature of personally identifying information collected necessary to run such marketing efforts.
Summary
Except for the purposes provided in our Privacy Policy, Mathspace WILL NOT disclose the information that it obtains from you to third parties without user’s express written permission, or where we believe, in good faith, that the law requires us to disclose the information.
Mathspace works with third party service providers with agreements that ensure that our data security and privacy requirements are protected.
Single Sign On Security Protocols
We support a few SSO protocols:
- SAML2.0 through Shibboleth 2.5.2
- SAML2.0 through Shibboleth 2.5.2
- Clever Instant Login through custom Django 1.9.3 integration (OAuth 2.0 Authorization Grant flow)
- OAuth 2.0 Authorization Grant flow through custom Django 1.9.3 integration
Secure Data Exchange
Districts integrate with Clever to sync their data. Districts send a request through Clever to add the Mathspace application, and enable Data Sharing with Mathspace. The district is able to select how much data to share. Mathspace needs teachers, students, sections and schools data, with names. Emails are recommended. Mathspace will then be able to sync the data shared through Clever Secure Sync. Data accessed from Clever is only transmitted through HTTPS/TLS 1.2 encrypted protocols. Mathspace runs a daily automated sync task, as well as can sync on demand.
Alternatively, districts may upload CSV files onto our SFTP server, which can be processed on an automated daily schedule. Districts must provide Mathspace with a public key to initiate an account. Districts must then upload complete CSV files of teachers, students, enrolments, sections and schools with ID, name and email records.
Data accessed from Clever is only transmitted through HTTPS/TLS 1.2 encrypted protocols. Data accessed from our SFTP server is only transmitted through SSL 2/3 encrypted protocols. All access to and from Mathspace servers is through encrypted protocols such as HTTPS or SSL.
Use of Cookies
To provide a personalized learning and high-quality experience for our users, we may use various technologies that automatically record certain technical information from your browser or device, including standard log files, or web beacons. This technical information may include your internet protocol (IP) address, device or browser type, internet service provider (ISP), referring or exit pages, clickstream data, operating system and the dates and times that you visit our website. We do this to better understand how our users are using our website so we can improve site functionality and the services we offer you.
Like most websites, whether or not you are a registered member, we may send one or more cookies – small text files containing a string of alphanumeric characters – to your computer. Cookies remember information about your activities on a website and enable us to provide you with a more personalized learning experience. Mathspace may use both session cookies and persistent cookies. A session cookie disappears automatically after you close your browser. A persistent cookie remains after you close your browser and may be used by your browser on subsequent visits to our website. You can, however, remove a persistent cookie at any time. Please review your web browser "Help" file to learn the proper way to modify your cookie settings. However, without cookies you will not have access to certain services and features on our website. You will also have the option to opt out of any non-essential cookies.
Accessing or Correcting Your Personal Information
You can access the personal information we hold about you by contacting us using the details set out below (under "Contact Us"). Sometimes, we may not be able to provide you with access to all of your personal information and, where this is the case, we will tell you why. We may also need to verify your identity when you request your personal information. If you think that any personal information we hold about you is inaccurate, please contact us and we will take reasonable steps to ensure that it is corrected.
Changes and Updates to this Privacy Policy
Our Privacy Policy may be updated periodically. Mathspace will contact users via email if any policy change diminishes privacy rights that they were entitled to prior to those policy changes. Please ensure you have added an email address to your Mathspace account if you wish to be notified of any Privacy Policy changes.
Making a Complaint
If you think we have breached any laws relating to privacy, or you wish to make a complaint about the way we have handled your personal information, you can contact us using the details set out below (under "Contact Us"). Please include your name, email address and/or telephone number and clearly describe your complaint. We will acknowledge your complaint and respond to you regarding your complaint within a reasonable period of time. If you think that we have failed to resolve the complaint satisfactorily, we will provide you with information about the further steps you can take.
Contact Us
Federal Compliance Statements
Children’s Online Privacy Protection Act (COPPA)
The student information provided by the district to the Company will be used only for the student’s use of the educational program. The information collected will be used strictly for educational purposes and not for any commercial purpose.
Family Educational Rights and Privacy Act (FERPA)
Mathspace complies with all requirements of the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 C.F.R. Part 99)
Protection of Pupil Rights Amendment (PPRA)
Mathspace complies with all requirements of the PPRA.