Schools: Privacy and Security Risk Assessment

Kindly refer to our Privacy Policy for comprehensive information.


PRIVACY AND SECURITY RISK ASSESSMENT:


1. Does the company require that parent/guardian consent be obtained so that students under the age of 18 can use the app service? If so, please provide details.


Certainly, on our platform, both the registration and login pages have clear stipulations indicating that all users must be over 18 years old. This policy has been put in place to ensure the safety and privacy of younger users. As a result, students are not authorized to create their own accounts. Instead, we grant account creation privileges exclusively to teachers. This approach not only maintains the integrity of our platform but also ensures a controlled and secure environment for all participants.



2. Does the company sell or distribute user (Teacher and student) data to any third parties for a purpose other than providing the app service?


Absolutely not. We take this responsibility seriously, and I can categorically state that we have never, under any circumstances, sold or disclosed data related to our schools, students, or teachers. The trust placed in us by our users is paramount, and we consider it our duty to protect and maintain the confidentiality of all the data that has been entrusted to us. This principle forms the bedrock of our corporate ethos and guides our actions every day.



3. What is the company's retention period for inactive, cancelled or lapsed accounts? Are all user accounts and related data/content destroyed when the retention period ends?


We are in the process of deleting old, unused, and inactive accounts after 120 days.


4. Can users upload content to Dinolingo's website?


At Dinolingo, we operate under a specific framework that distinguishes us from other platforms. Neither students nor teachers contribute to or modify content on our website, apps, or any other associated platforms. This means that the content and features available are curated and managed solely by our dedicated team, ensuring a consistent and standardized experience for all users. Unlike some platforms which may offer interactive elements or user-generated content, Dinolingo maintains a one-directional flow of information. We believe this approach allows us to maintain the utmost quality and integrity of our content while also ensuring the security and privacy of our users.


5. Is user data encrypted in transit and at rest?


All user data undergoes encryption during transmission and is securely stored within databases situated in a secluded internal server environment, inaccessible from external sources.


6. What is the SOC2 data protection status?


Dinolingo holds the security and privacy of our customers' data in the highest regard. We have initiated the process of achieving SOC2 compliance to further enhance our data protection standards. Our dedication to data security remains unwavering, and we are continuously exploring avenues to strengthen our protective measures.


7. Does the company have a breach response protocol in place? If so, please provide details on how you manage containment and remediation.


Currently, we are in the process of implementing New Relic monitoring, which will enable us to gather more extensive data and conduct in-depth analysis of external anomalies. Additionally, we are contemplating the integration of JA3 and JA3S TLS fingerprinting and the implementation of a Web Application Firewall (WAF). These collective measures are pivotal in bolstering our defense mechanisms and facilitating the early detection of potential threats.

Our server environment has been meticulously designed to confine all critical processes within a closed ecosystem, completely insulated from external access. Our system operates via a singular entry point, our API, exclusively accessed by our applications. It is paramount to emphasize that this entry point has been fortified to prevent clients from gaining visibility into our system's internals. Ensuring the utmost security of this access point is of paramount importance, and hence, the comprehensive measures I have outlined above have been strategically planned and are underway.



8. How are users/schools/boards notified when a security or data breach of personal information occurs (e.g. direct notification via email)? Without details in the company's Privacy Policy or Terms documents on how users are notified about privacy/security breaches, our assessment of the application will receive a high-risk score.


In the event of a data breach involving personal information, Dinolingo will inform all affected parties, including parents and teachers, in the form of a pop-up on our website outlining the nature of the breach and the actions the company has taken in response.



9. Are third-party companies/subcontractors obligated to have security safeguards in place that are equivalent to or better than those of the company?


We abstain from engaging third-party companies that might potentially access our data. In cases where we do employ third-party services, they are mandated to possess certificates of compliance. It is imperative to underscore that under no circumstances will any third-party entities be granted access to user data.

At Dinolingo, we have contractors, and any contractor developer collaborating with us is required to connect to our company's secure VPN servers from their computing devices. This ensures a protected and encrypted connection when accessing sensitive company data.



10. In the event of a sale, merger, acquisition, etc., are the company's successors obligated to have equivalent or better security safeguards for personal information previously collected? Will users be notified of the situation prior to the transfer of their information to the successor? Are users notified of the transfer before it is completed? Are users given an opportunity to opt-out of having their personal information/content transferred?


At the present moment, we have no intentions or plans to engage in a sale, merger, or acquisition. Should the dynamics of our business change in the future, leading to such considerations, please be assured that we will prioritize and implement stringent security measures. Our foremost commitment is to safeguard our stakeholders' interests and maintain the confidentiality and integrity of all associated data and processes.


11. Please provide a list of these third parties, the specific data elements involved, and information about the protections in place to ensure user data is protected.

Please see the following excerpt from our Privacy Policy:


Third Parties

We use tools including but not limited to Google Analytics to better understand our website users. These tools use cookies to collect information from users: IP address, time of visit, pages visited, time spent on each page of the website, and type of operating system used. We use this information to manage and improve our Services. Please visit https://google.com/policies/privacy/partners/ to learn how Google uses data when you use our Websites.

We also integrate other third-party applications and tools into the Services to provide Users with a better experience. We also may share your Personal Data with certain third parties without further notice to you. These third-party providers may perform functions that help us operate the Services and that require the collection or processing of user data on our behalf and subject to our instructions. These providers include, but are not limited to, payment processing services (e.g., Stripe, PayPal), email providers (e.g., AWS, Mailchimp, SendGrid) and performance data solutions (e.g., Google Analytics).




12. Would the company include a statement in its Privacy Policy and Terms advising users they will be notified in the event of any material changes either by direct email or by a message in the app when logging in? If so, please advise when that revision will be completed.

Without details in the Privacy Policy and Terms documents on how users are notified about material changes to those documents, our assessment of the application will receive a high-risk score.



We've detailed our privacy practices in our Privacy Policy and Terms of Use. To ensure our communications remain transparent and avoid potential misclassification as spam, we refrain from sending email notifications for every minor update. However, for major changes to our Privacy Policy or Terms of Use, we will notify our users through a pop-up on our website, highlighting the relevant modifications. Direct links will be provided for users to easily access and review the updated documents in their entirety.



13. In the event of a dispute, are users required to agree to an alternative dispute resolution (i.e. arbitration or mediation) in place of litigation? If arbitration is to be used, please provide details regarding who controls the terms of arbitration (e.g., the company or both parties)?


We operate our website and apps from our offices in the USA. The laws of the US govern all the terms.



14. How is liability handled when the company is at fault (e.g. negligence, breach of Terms)? Does it: a) accept responsibility; b) share responsibility with the user/school board; c) transfer responsibility to the user/school board?



In the event that liability emerges as a result of an oversight or error attributable to Dinolingo, including but not limited to those made by our developers or issues stemming from our servers, we acknowledge full responsibility and pledge to address and rectify such issues expeditiously. On the other hand, should a teacher, board, or school district mistakenly delete accounts, produce erroneous reports, or commit comparable missteps, the onus of responsibility lies with them. Nonetheless, we are steadfast in our commitment to assist in the retrieval of any misplaced data, whenever necessary, utilizing the full extent of our expertise and resources.


15. In what country is data stored from users in Ontario, Canada?

We utilize the AWS data center situated in Northern Virginia.


16. How is the app data stored (on premise servers, cloud, third party)? If cloud, provide more details (own cloud, cloud provider, other)? If using a cloud provider, does the cloud service have its own Privacy Policy that is enforced for the app?

We employ a proprietary closed server infrastructure within the Amazon Web Services (AWS) cloud, strictly adhering to AWS's regulatory framework during the infrastructure's construction. AWS promptly notifies us of any breaches, including security violations that may compromise our server environment.

Our service provider grants us the necessary space to construct our server architecture, in strict accordance with the established AWS architectural guidelines. The responsibility for safeguarding our infrastructure falls squarely upon us, and any deviations from the general architectural standards trigger timely notifications from AWS.

It is worth noting that all user data is securely stored within databases situated in a closed internal environment, rendering it inaccessible from external sources and ensuring its protection.

Furthermore, our applications interface through a singular API, functioning as the sole entry point. This API is hosted and operates within our live infrastructure on AWS, ensuring efficient and centralized communication.

17. Which security framework do you use?

Dinolingo is committed to ensuring the highest levels of cybersecurity and risk management. We have implemented and align our practices with the NIST Cybersecurity Framework (CSF) and NIST Special Publication 800-53 security and privacy controls.

By leveraging industry-leading tools and cloud services, such as AWS, we continuously monitor, protect, and improve the security of our systems to safeguard your data.

While NIST does not issue certifications, we regularly audit and review our practices to maintain alignment with these frameworks.


Our Commitment to Security

At Dinolingo, we follow the CIS Critical Security Controls (CIS CSC) to strengthen our cybersecurity defenses. By adhering to the best practices outlined in the CIS Top 20, we ensure the security of our systems and data against evolving threats.

Leveraging AWS tools and services, we continuously monitor and improve our environment to align with these globally recognized controls.



For more questions, please email the administrator.

https://dinolingo.com
