Caveon Privacy Policy for Students of Education Subscribers

Last updated: April 27, 2020

Public and private schools, colleges and universities, as well as teachers and professors (“Education Subscribers”) are able to subscribe to and use Caveon’s secure, cloud-based platforms and tools to create, modify, store, deliver, proctor and score secure educational tests and assessments, integrated for use in Caveon Scorpion and Caveon’s Do-It-Yourself Assessment Development, Delivery and Proctoring platform, the specifications of which are provided at (the “Services”). Through the use of Caveon Scorpion and Caveon’s Do-It-Yourself Assessment Development, Delivery and Proctoring platform, the Services may be accessed and used by students of Education Subscribers who are minor children, including students between the ages of 13 and 18 years.  As noted in Caveon’s general Privacy Policy, Caveon does not knowingly collect Personal Data through our website or cloud-based services from any person under the age of 13 and our Services are not marketed to users under the age of 13.  This Caveon Privacy Policy for Students of Education Subscribers is supplemental to Caveon’s general Privacy Policy and applies exclusively to the use of the Services by Education Subscribers and students who use the Services at the request or invitation of Education Subscribers. To the extent of any conflict between this policy and Caveon’s general Privacy Policy, this policy shall apply to the specific Services identified above, but not to any other subscriber types for the Services or other Caveon services. We are committed to protecting the privacy of all students, and Caveon’s Privacy Policy for Students of Education Subscribers is designed to reflect our compliance with the applicable requirements of the California Consumer Privacy Act (“CCPA”), the Federal Education Rights and Privacy Act (“FERPA”), the Student Online Personal Data Protection Act (“SOPIPA”), the EU General Data Protection Regulation (“GDPR”), and other applicable federal, state, local and international laws.  This policy applies to students who may be using the Services under Caveon accounts created by Education Subscribers (as that term is defined below), regardless of whether such Education Subscriber account is paid for, or free.  (Please refer to Caveon’s general Privacy Policy for information pertaining to non-Education Subscriber accounts.)

Requirements for Information Collection 
In the United States, and other jurisdictions where applicable, before collecting any personal data (“Personal Data”) from students accessing the Services as required by or in response to invitations from Education Subscribers, we require the Education Subscriber to contractually consent to our information practices, as permitted by applicable law.

For purposes of GDPR, the Education Subscriber is the Controller and Caveon is the Processor of a student’s Personal Data.  The Controller determines the legal basis, means and purposes for processing the data, and Caveon follows the directions of the Controller who sends us the data. We only collect students’ Personal Data to provide the Services to Education Subscribers, not for marketing or advertising, and, with the limited exception of our service providers (to the extent necessary to provide their services to us), we do not share Personal Data about students with other parties except as directed by the Education Subscriber or required or permitted by law, as set forth in this Privacy Policy and consistent with our agreements with our Education Subscribers.

Data Collection We collect and process the following categories of data in the process of delivering the Services to Education Subscribers:
  • Information commonly used for identification, such as a user’s name, email address (if entered) and other similar identifiers;
  • Information about a student’s school, college or university, including its location;
  • Information about the student’s device, network, and internet connection, such as IP address(es), MAC address, other device ID (UDID), device type, operating system type and version, and client version; and
  • Information about how the student uses the Services, including type and frequency of actions taken, student assessment responses, including constructed responses that may also include student Personal Data if prompted or unprompted by the assessment item, response times, date and time, duration, quantity, quality, network connectivity, other platform performance metrics, and feature usage information.

We collect data in the following ways: When students use the Services to take assessments or tests developed and/or administered by and for Education Subscribers, by the very nature of the usage of the Services, data is collected. We gather students’ Personal Data from the Education Subscriber, directly from the student as they interact with assessments or tests through and as part of the Services, directly from students’ devices, and directly from someone who invites users to submit data via the Services (such as a teacher or professor). Some of this collection happens when a student or Education Subscriber affirmatively submits that information. Some of our collection happens in the background – that is, it’s automatically collected when users interact with the Services (an example of the data collected this way is the information about the student’s device or connection, or the information about feature usage.).

Caveon and/or our third-party service providers also automatically collect some information using methods such as cookies. Information automatically collected may include Internet protocol (IP) addresses, browser type, Internet service provider (ISP), operating system, and date/time stamp. We use this information to deliver and support the Services. We do not use this information to deliver advertising or for any other purpose not related to the delivery and support of the services.

We may collect Personal Data about students of Education Subscribers from the Education Subscriber and authorized users of the Education Subscriber account, including Personal Data contained in “educational records,” as defined by FERPA. Caveon maintains this information on behalf and at the direction of the Education Subscriber and does not use the information for any other purposes except as permitted by FERPA and our applicable agreements with Education Subscribers.

Data Use
We use Personal Data collected from and about students only as needed to deliver the functionality of the Services, operate our business, and for use by Education Subscribers at their direction as follows:  We may use all of the types of Personal Data that we collect for the following purposes, to the extent permitted by our agreements with our Education Subscriber customers:

  1. Providing, personalizing, operating, and maintaining our Services.
  • Education Subscriber Account configuration and maintenance.
  • Authenticating users of the Services.
  • Enabling the Education Subscriber to administer assessments and tests to students and other users.
  • Enabling the Education Subscriber to develop, maintain, review and revise assessment and test content within the Services.
  • Enabling the scoring of assessments and tests administered to students by the Education Subscriber using the Services.
  • Hosting and storing Personal Data of students collected during the administration of assessments and tests on behalf and at the direction of the Education Subscriber.
  • Fulfilling requests made by users of the Services, including requests for access to Personal Data received from an Education Subscriber.
  • Protecting, investigating and deterring against fraudulent, harmful, unauthorized or illegal activity.
  • Providing access to data and reports to Education Subscribers based on information collected from students’ use of the Services.
  • Providing support and assistance for the Services.
  • Complying with our contractual and legal obligations, resolving disputes with users, enforcing our agreements.
In order to optimize provision of the Services, we may collect broad geographic location (city-level location) information about where users are located when using the Services. We use this information for service-related purposes (such as optimizing connections to our data center) and supporting compliance. We may also use third-party service providers to help us provide the Services, and they may have limited access to Personal Data in the process. We prohibit our service providers from selling Personal Data they receive from us or on our behalf and require them to only use that Personal Data in order to perform the services we have asked of them, in accordance with written contracts with us, unless otherwise required by law.

  1. Following the instructions of our Education Subscriber. 
Personal Data we collect, we collect on behalf of our Education Subscribers. (To use the technical term, we are the “Processor” of that Personal Data, acting as a service provider on behalf and at the direction of our Education Subscriber, and our Education Subscriber is the “Controller” or decisionmaker.) For an Education Subscriber subject to GDPR or similar law, the Education Subscriber determines the legal basis, means and purposes for processing student Personal Data, and instructs Caveon to process such Personal Data, including those who are children under the age 16 years (but not younger than 13). We are required to follow an Education Subscriber’s instructions related to Personal Data we have collected on their behalf. On an Education Subscriber’s instructions, we may provide reports to the Education Subscriber containing Personal Data relating to their account and students’ use of the assessment and testing platform controlled by the Education Subscriber.

  1. Complying with our legal obligations or the legal obligations of our subscribers.
This includes responding to a legally binding demand for information, such as a warrant issued by a law enforcement entity of competent jurisdiction, or as reasonably necessary to preserve Caveon’s legal rights. Third Parties Caveon does not share Personal Data with third parties other than the service providers described above, or as required by law, except at the direction and on behalf of a Education Subscriber. Security Maintaining the confidentiality, security, and integrity of students’ Personal Data is a top priority. We use industry-standard security technologies, procedures, and organizational measures designed to help protect Personal Data from unauthorized access, use, or disclosure. Access and Deletion Rights If a student or the parent or legal guardian of a student under the age of 18 would like to request to access, review, refuse further collection of, or delete the student’s Personal Data within the Services provided by Caveon to a corresponding Education Subscriber that required the student’s submission of such data, please contact the Education Subscriber directly. Because Caveon is required to comply with contractual confidentiality and data retention obligations related to our customers’ data, we are not able to respond to parental or student requests directly.   Education Subscribers may direct requests to access, delete or restrict further collection, processing or use of a student’s Personal Data to