Data Privacy
We’re committed to data privacy and best cybersecurity practices to protect the personal information of every student, educator, and school using our testing platform.
With BrightShift, Student Privacy Matters
Empowering Safe and Connected Learning Environments
BrightShift is a proud member of Access 4 Learning. A4L is the only global community of educational policymakers, marketplace product and service providers and the customers working together to address learning information and privacy concerns.
Safeguarding Children's Privacy Online
BrightShift strictly adheres to the Children’s Online Privacy Protection Act (COPPA), ensuring that the personal information of children under 13 is protected with the highest standards. By implementing age-appropriate measures and parental consent protocols, we maintain a secure environment where young learners can thrive without compromising their privacy.
Ensuring Student Privacy in Education
BrightShift is fully compliant with the Family Educational Rights and Privacy Act (FERPA), a federal law designed to protect the privacy of student education records. Our platform allows schools and educators to manage and share data responsibly, providing students and their families with the confidence that their educational information is handled with care and confidentiality.
Supporting the Rights of Students with Disabilities
BrightShift is committed to the Individuals with Disabilities Education Act (IDEA), which ensures that students with disabilities receive a free and appropriate public education. Our platform supports schools in meeting IDEA requirements by offering tools and resources that facilitate individualized learning plans, helping every student achieve their full potential in an inclusive setting.
Respecting Parental Rights in Education
BrightShift honors the Protection of Pupil Rights Amendment (PPRA), a law that upholds the rights of parents in the educational process. We ensure that parents are fully informed and can consent to their child’s participation in surveys, evaluations, or any activities involving the collection of personal information, fostering a transparent and respectful educational environment.
Meeting Industry Standards for Data Security
SOC 2 Compliance
SOC 2 was created by the American Institute of Certified Public Accountants (AICPA) to help organizations improve security and minimize security risks. BrightShift is a SOC 2-compliant organization.
BrightShift meets the rigorous requirements of SOC 2 compliance, reflecting our commitment to maintaining the highest levels of data security and privacy. Through continuous monitoring and proactive risk management, we ensure that our systems and processes safeguard sensitive information, giving our clients peace of mind that their data is protected against unauthorized access.
Data Privacy Agreements & Standards By State
Arizona
BrightShift has entered into agreements with several schools in Arizona to provide digital educational services under the terms outlined in their data privacy agreements.
The Data Confidentiality and Security Agreement (the “Data Agreement”) establishes the framework for BrightShift’s access to confidential records, data, and information pertaining to students and employees of the District. In agreeing to this Data Agreement, BrightShift commits to adhering to all relevant state and federal laws governing the receipt, review, storage, and transmission of data received from the District. This agreement complements any existing agreements between the parties for goods or services, ensuring that all data shared remains secure and confidential.
All records and information accessed by BrightShift, referred to as Covered Data and Information (CDI), encompass student education records and other sensitive data. BrightShift agrees to use CDI solely for fulfilling its obligations as outlined in the underlying agreement and must maintain strict confidentiality regarding this information. The agreement specifies that any use or disclosure of CDI is prohibited unless authorized by the District, required by law, or explicitly permitted in writing. To safeguard CDI, BrightShift is required to employ advanced encryption protocols for data in transit and at rest and to implement robust administrative, technical, and physical security measures.
In the event of a data breach or unauthorized disclosure, BrightShift must promptly report such incidents to the District within one day of discovery, providing detailed information about the breach and the steps taken to mitigate its impact. Additionally, BrightShift agrees to reimburse the District for any costs incurred due to investigations or responses related to breaches. Upon the conclusion of services or termination of the agreement, BrightShift is obligated to securely destroy all CDI in its possession within 30 days, ensuring that no unauthorized access to this information occurs during disposal.
This Data Agreement is governed by the laws of Arizona and establishes that the District retains ownership of all CDI, affirming that any such data is confidential and proprietary. The District has the authority to cancel the agreement for potential conflicts of interest and reserves the right to take appropriate action in the event of any breach, including termination of services if necessary. The provisions of this agreement will continue to be binding even after the conclusion of services, ensuring ongoing protection for the confidentiality and security of the District’s data.
California
BrightShift has entered into agreements with several schools in California to provide digital educational services under the terms outlined in their data privacy agreements.
The Data Confidentiality and Security Agreement (the “Data Agreement”) between BrightShift and Local Educational Agency (LEA) establishes critical safeguards for protecting personally identifiable information and other regulated data shared during the provision of educational or digital services. These services may include cloud-based storage and management of pupil records, as well as digital educational software that grants BrightShift access to such records. Both parties acknowledge their obligations under relevant federal laws, including the Family Educational Rights and Privacy Act (FERPA), the Protection of Pupil Rights Amendment (PPRA), and the Children’s Online Privacy Protection Act (COPPA), as well as California-specific regulations such as the Student Online Personal Information Protection Act (SOPIPA) and California Assembly Bill 1584 (AB 1584).
The Data Agreement emphasizes strict confidentiality, prohibiting BrightShift from disclosing any Student Data without LEA authorization, except in certain circumstances such as legal subpoenas or to subprocessors performing services on behalf of BrightShift. Additionally, BrightShift must ensure that all Student Data is stored within the United States and is obligated to provide a list of storage locations upon request from the LEA. The LEA is entitled to conduct audits of BrightShift’s security and privacy measures no more than once a year or after any unauthorized access incident, ensuring that BrightShift remains compliant with data protection standards.
To safeguard Student Data from unauthorized access or modification, BrightShift agrees to implement robust administrative, physical, and technical safeguards, in compliance with applicable laws. This includes establishing a cybersecurity framework based on recognized national standards and designating a point of contact for any security concerns. In the event of a data breach, BrightShift is required to notify the LEA within 72 hours, providing critical details about the incident, including the nature of the breach and the types of personal information affected.
Finally, the Data Agreement outlines the responsibilities of BrightShift in maintaining a written incident response plan that aligns with best practices and legal requirements for addressing data breaches. This commitment extends to reimbursement for any costs incurred by the LEA due to data breaches, further solidifying BrightShift’s accountability in safeguarding student information. Overall, this agreement reflects a comprehensive approach to protecting student data within the educational ecosystem in California.
In addition to the agreement, BrightShift is a proud member of California IT in Education (CITE), a not-for-profit, professional membership association dedicated to supporting IT professionals working in schools. CITE’s mission is to lead, develop, and support technologists and education organizations to foster student success. CITE’s vision is to shape the future of education through technology, recognizing that the technology used in schools is an essential component of teaching and learning.
Florida
BrightShift has entered into an agreement with Florida’s Local Educational Agencies (LEAs) to provide essential educational services, as specified in Attachment “5” of the Statements of Work or Proposal. To deliver these services, BrightShift may receive, access, or handle documents and data covered by several federal statutes, including the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), and the Protection of Pupil Rights Amendment (PPRA).
In addition to federal regulations, the data transferred from or accessed by the LEAs and managed by BrightShift is subject to Florida’s state privacy laws, specifically Florida Statutes Sections 1001.41 and 1002.22. This agreement ensures that all data handling practices are fully compliant with both state and federal privacy laws, safeguarding student information at every stage of service delivery.
The Data Security and Privacy Agreement (DSPA) establishes comprehensive procedures and responsibilities for both BrightShift and the LEAs, ensuring that all data accessed or transferred in the performance of services is protected. By adhering to this agreement, BrightShift reaffirms its commitment to maintaining the highest standards of data privacy and security for educational institutions in Florida.
Georgia
BrightShift has entered into agreements with several schools in Georgia to provide digital educational services under the Mandatory Master Terms for Data Access and Data Sharing. In compliance with these terms, BrightShift agrees to adhere to strict privacy protocols for accessing, handling, and sharing educational records and personally identifiable information (PII) of students. These records are governed by several federal laws, including the Family Educational Rights and Privacy Act (FERPA), the Individuals with Disabilities Education Act (IDEA), and the Children’s Online Privacy Protection Act (COPPA).
Additionally, BrightShift’s handling of student data is subject to Georgia state laws, including the Georgia Open Records Act (GORA). While BrightShift recognizes the obligation of these schools to comply with GORA requests for their data, the Act does not apply to third-party proprietary data or information governed by FERPA.
BrightShift ensures that all student records and PII are securely stored within the United States, using industry-standard encryption for data storage, transmission, and sharing. In line with these agreements, all data is promptly returned or destroyed when no longer needed or upon request.
By adhering to these terms, BrightShift upholds its commitment to maintaining the highest standards of data privacy and security, ensuring compliance with both federal and Georgia state laws.
Maine
BrightShift has partnered with schools in Maine through the TEC Student Data Privacy Alliance (TEC SDPA) to strengthen student data protection efforts. TEC SDPA, part of The Education Cooperative (TEC), offers administrative and legal support to schools, aiding them in negotiating data privacy agreements with software vendors. By utilizing the Student Data Privacy Consortium’s National DPA template, TEC SDPA ensures that Maine schools secure agreements compliant with federal privacy laws such as FERPA and COPPA, as well as state-specific regulations, providing comprehensive protection for student data across the state.
Massachusetts
BrightShift has partnered with Massachusetts schools through the TEC Student Data Privacy Alliance (TEC SDPA) to protect student data. TEC SDPA, a service of The Education Cooperative (TEC), provides administrative and legal support to schools for negotiating data privacy agreements with software vendors. By utilizing the Student Data Privacy Consortium’s National DPA template, TEC SDPA helps Massachusetts schools secure agreements that comply with federal laws like FERPA and COPPA, as well as state-specific regulations, ensuring student data is handled securely and in full compliance with privacy requirements.
Missouri
BrightShift has partnered with Missouri schools through the TEC Student Data Privacy Alliance (TEC SDPA) to ensure the protection of student data. TEC SDPA, a service provided by The Education Cooperative (TEC), offers schools administrative and legal support in negotiating data privacy agreements with software vendors. By using the Student Data Privacy Consortium’s National DPA template, TEC SDPA helps schools in Missouri and other states secure agreements that comply with federal laws such as FERPA and COPPA, as well as state-specific privacy regulations, ensuring that student data is managed securely and responsibly.
New Hampshire
BrightShift has partnered with New Hampshire schools through the TEC Student Data Privacy Alliance (TEC SDPA) to ensure the protection of student data. TEC SDPA, a service provided by The Education Cooperative (TEC), offers administrative and legal support to schools in negotiating data privacy agreements with software vendors. By leveraging the Student Data Privacy Consortium’s National DPA template, TEC SDPA helps New Hampshire schools secure agreements that comply with federal privacy laws like FERPA and COPPA, as well as state-specific regulations, safeguarding student data and ensuring compliance with privacy standards.
New York
BrightShift has entered into agreements with several schools in New York State to provide digital educational services under the terms outlined in their data privacy agreements. In accordance with these agreements, BrightShift is granted a non-exclusive license to offer its services to authorized users within the schools while adhering to strict privacy protocols.
BrightShift’s handling of student data is governed by federal laws, including the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA), as well as New York State’s Education Law § 2-d and related regulations, including 8 NYCRR § 121. To protect student data, BrightShift aligns its practices with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and complies with the schools’ Data Security and Privacy Policy.
BrightShift limits internal access to personally identifiable information (PII) to employees and subcontractors directly involved in providing services and strictly prohibits any unauthorized use or disclosure of this data. Additionally, BrightShift employs industry-standard encryption to safeguard PII during storage and transmission. In compliance with state law, BrightShift will never sell PII or use it for commercial purposes.
In the event of a data breach, BrightShift is committed to notifying the schools within seven days and cooperating fully with any investigations, as well as assuming responsibility for breach notifications to parents and students if necessary. By maintaining a comprehensive incident response plan and complying with both federal and New York State laws, BrightShift reinforces its dedication to protecting the security and confidentiality of student data.
BrightShift has partnered with New York schools through the TEC Student Data Privacy Alliance (TEC SDPA) to ensure the protection of student data. TEC SDPA, a service provided by The Education Cooperative (TEC), offers schools administrative and legal support in negotiating data privacy agreements with software vendors. By using the Student Data Privacy Consortium’s National DPA template, TEC SDPA helps schools in New York and other states secure agreements that comply with federal laws such as FERPA and COPPA, as well as state-specific privacy regulations, ensuring that student data is managed securely and responsibly.
North Carolina
BrightShift has entered into agreements with several schools in North Carolina to provide digital educational services under the terms outlined in their data privacy agreements. North Carolina’s Data Confidentiality and Security Agreement establishes a robust framework for the protection of sensitive educational data, ensuring compliance with various federal and state regulations. This agreement highlights the critical importance of safeguarding student information and mandates adherence to the Family Educational Rights and Privacy Act (FERPA), which governs the privacy of student education records and grants rights to students regarding their information.
In conjunction with FERPA, the agreement addresses the Protection of Pupil Rights Amendment (PPRA), which safeguards the rights of parents and students in relation to surveys and the collection of personal information. It ensures that data is only used for educational purposes and requires informed consent before collecting certain information from students.
The agreement also aligns with the Children’s Online Privacy Protection Act (COPPA), which places restrictions on the collection of personal information from children under the age of 13. This provision is crucial for educational institutions and service providers that interact with younger students, ensuring their data is handled in compliance with COPPA regulations.
Additionally, the agreement refers to the Family and Medical Leave Act (FMLA) and other relevant codes of federal regulations that guide the management of sensitive employee data within educational institutions. By detailing authorized uses of educational data, the agreement restricts access to individuals who require information for legitimate educational purposes, thereby preventing unauthorized use and ensuring the confidentiality of both student and employee data.
Security measures mandated by the agreement include both technical safeguards, such as encryption and access controls, and administrative safeguards, including staff training and incident response protocols. These measures aim to ensure that all personnel involved in handling sensitive information are equipped to maintain data security and privacy.
In the event of a data breach, the agreement outlines prompt incident reporting procedures, requiring notification to affected individuals and relevant authorities in accordance with state laws and regulations. Furthermore, termination provisions specify the conditions under which data access may be revoked, particularly in cases of non-compliance with FERPA and other applicable laws.
Ohio
BrightShift has partnered with Ohio schools through the TEC Student Data Privacy Alliance (TEC SDPA) to safeguard student data. TEC SDPA, a service of The Education Cooperative (TEC), provides schools with administrative and legal support for negotiating data privacy agreements with software vendors. By utilizing the Student Data Privacy Consortium’s National DPA template, TEC SDPA assists Ohio schools in securing agreements that comply with federal laws like FERPA and COPPA, as well as Ohio’s state-specific regulations, ensuring student data is handled securely and responsibly.
Rhode Island
BrightShift has formed an alliance with schools in Rhode Island through the TEC Student Data Privacy Alliance (TEC SDPA) to enhance the protection of student data. TEC SDPA, a service of The Education Cooperative (TEC), assists schools by providing the administrative and legal support needed to secure data privacy agreements with software vendors. Using the Student Data Privacy Consortium’s National DPA template, TEC SDPA ensures that Rhode Island schools comply with federal laws like FERPA and COPPA, as well as state regulations, safeguarding student data across the educational system.
Vermont
BrightShift has partnered with Vermont schools through the TEC Student Data Privacy Alliance (TEC SDPA) to enhance student data protection. TEC SDPA, a service of The Education Cooperative (TEC), provides administrative and legal support to schools, helping them negotiate data privacy agreements with software vendors. Using the Student Data Privacy Consortium’s National DPA template, TEC SDPA assists Vermont schools in securing agreements that comply with federal privacy laws, such as FERPA and COPPA, along with state-specific regulations, ensuring that student data is handled securely and in compliance with privacy requirements.
Virginia
BrightShift has agreed to provide digital educational services to Virginia school divisions as outlined in the official Virginia School Data Privacy Agreement. In delivering these services, BrightShift may receive, create, or be provided with documents and data governed by several federal laws, including the Family Educational Rights and Privacy Act (FERPA), Children’s Online Privacy Protection Act (COPPA), Protection of Pupil Rights Amendment (PPRA), and the Individuals with Disabilities Education Act (IDEA).
Additionally, the documents and data transferred from Virginia school divisions and created by BrightShift’s services must also comply with Virginia state laws, including Code of Virginia § 22.1-289.01 and § 22.1-287.02, which pertain to the protection of student personal and personally identifiable information.
To ensure compliance with these federal and state privacy laws, BrightShift and the Virginia school divisions have entered into this Data Privacy Agreement (DPA). This DPA establishes the necessary procedures and responsibilities for safeguarding student data. By signing the “General Offer of Privacy Terms” (Exhibit “E”), BrightShift extends the opportunity for other Local Educational Agencies (LEAs) in Virginia to join this agreement without the need for separate negotiations.
BrightShift has partnered with schools in Virginia through the TEC Student Data Privacy Alliance (TEC SDPA) to bolster the protection of student data. TEC SDPA, a program of The Education Cooperative (TEC), offers schools the administrative and legal support necessary for negotiating data privacy agreements with software vendors. By utilizing the Student Data Privacy Consortium’s National DPA template, TEC SDPA ensures that Virginia schools adhere to federal regulations such as FERPA and COPPA, as well as state laws, thereby enhancing the security and confidentiality of student information throughout the educational landscape.
Tennessee
BrightShift has partnered with Tennessee schools through the TEC Student Data Privacy Alliance (TEC SDPA) to protect student data. TEC SDPA, a service of The Education Cooperative (TEC), offers administrative and legal support to schools for negotiating data privacy agreements with software vendors. Using the Student Data Privacy Consortium’s National DPA template, TEC SDPA helps Tennessee schools secure agreements that comply with federal laws such as FERPA and COPPA, as well as Tennessee-specific regulations, ensuring the secure and responsible handling of student data.
Texas
BrightShift has established a data security agreement with the Texas Student Privacy Alliance (TXSPA), a collaborative group of Texas school districts that share a commitment to safeguarding student data privacy. Sponsored by the Texas K-12 CTO Council, the TXSPA is the Texas affiliate of the national Student Data Privacy Consortium (SDPC). The SDPC works with state alliances to create data privacy agreements tailored to the unique legal requirements of each state.
This Texas-specific agreement for K-12 educational institutions was developed with input from a broad range of stakeholders across Texas. It sets clear standards for data privacy practices and expectations.
To further enhance privacy practices, the agreement includes a mechanism (Exhibit E – General Offer of Terms) that allows BrightShift to extend the same data privacy protections to other Texas school districts. This approach creates efficiencies for both service providers and Local Educational Agencies (LEAs) while ensuring that student data is handled with the highest level of security.
Continually Working to Improve Data Security
Our ongoing data privacy efforts include encryption, regular security audits, and compliance with federal and private cybersecurity standards. If you have any questions or concerns about your students’ privacy while using BrightShift, don’t hesitate to contact us.