Introduction
Last update: 1st September 2023
Zzish Limited, the creator and supplier of the Quizalize platform, takes student and teacher data security and privacy seriously and is committed to protecting the privacy and security of all users' data.
Zzish adopts technologies, safeguards, and practices from the National Institute of Standards and Technology (NIST) Cybersecurity Framework to Identify, Protect, Detect, Respond and Recover from data security risks.
Zzish abides by the US Parents’ Bill of Rights Regarding Data Privacy and Security.
Do you need to send the Quizalize Data Privacy plan to your school? Click here to download.
Purpose
Quizalize Classroom (also known just as Quizalize) is a web-based gamified formative assessment application that teachers use to engage students and deliver assessments digitally in the classroom or for homework. It allows teachers to collect data on student understanding of learning objectives from standards and curricula and deliver personalised follow on resources. Its purpose is to help teachers engage students and personalize their teaching and thus help students master learning objectives.
Quizalize Insights is a web-based analytics product for school leaders that is an optional add-on product to Quizalize Classroom. Quizalize Insights allows school leaders to analyze the aggregated class data from Google Classroom usage. It gives school leaders daily insight into the academic progress of students, classes, and schools.
Key Data Security and Privacy Measures
Zzish adopts the following key measures:
1.Student and teacher data is stored securely on servers, and access is limited only to employees who need to be able to access the data to perform their duties. This access is given through individual employee password-protected accounts protected by 2-factor authentication and secure private keys. Subcontractors are not given access to student and teacher data.
2. In the product, access to specific student data is restricted to specific users:
The teacher who created the class containing the student
Co-teachers added to the class by the teacher who created the class, and
School leaders who are specifically added to the product by the nominated school or district administrator of the product.
3. All end users access the product through personal password-protected accounts. Schools who use SSO for teachers or students to sign into Quizalize (e.g. teacher accounts from platforms such as Google Workspace or Microsoft Office 365) are recommended to configure the workspace settings in these third-party products such that teachers are required to use 2-factor authentication to sign into their accounts.
4. Only the data necessary to deliver on the purpose of the product is collected:
Teacher name and login details (e.g. email and hashed password or SSO token)
Name of classes (as specified by the teacher when creating the class)
Content of teacher-created assessments
Student first and last name
Student ID (optional)
Student login details (e.g. email and hashed password or SSO token)
Student answers to specific questions in teacher-assigned assessments
Student overall score in teacher-assigned assessments
Student learning resources viewed and assessments taken
5. Student and teacher data is used only for the purpose of delivering the Quizalize product and features. Student data is not used for any other purpose or shared with any third parties. In particular, the student data is used to provide:
Teachers with insight into each student’s level of understanding of learning objectives in a standard or curriculum.
Teachers with recommendations for personalized activities and resources that help students master learning objectives.
School leaders with insight into the overall academic progress of each class.
6. All data is handled in accordance with appropriate local laws, including:
The Children's Online Privacy Protection Act (COPPA) which outlines measures for parental consent and protection of children under 13
The Family Educational Rights and Privacy Act (FERPA) which outlines procedures for protecting student education records and
The General Data Protection Regulation (GDPR), that sets guidelines for the collection and processing of personal information from individuals who live in the UK and European Union (EU)
7. When districts, schools and teachers close their accounts or terminate contracts, all student data associated with those accounts is either obfuscated or deleted within 90 days.
Additional Data Security and Privacy Measures
Furthermore, Zzish adopts the following additional measures:
All data is hosted on the cloud (AWS, Mongo Cloud, Google Cloud).
Google Analytics is used to anonymously record teacher use of the product for the purpose of monitoring and improving the product. Google Analytics is not used to record student use of the product.
The OpenAI API is used to help teachers create question banks and learning resources on demand. Prompts are sent to OpenAI anonymously.
Teacher and student data is never exported or downloaded from the cloud or stored locally. The one exception to this rule is teacher names and email addresses that are exported into our CRM tool, Intercom.
All direct database access uses SSH keys.
All passwords for user account direct logins are hashed.
All web pages use the secure HTTPS protocol.
All web API access uses HTTPS and SSH keys.
Personally identifiable student data, such as first and last name, is stored in a distinct database to the student performance data. Student performance data is indexed by a randomly generated UUID.
Student data security is considered as a primary design consideration in any new software development.
All code that deals with student data is peer reviewed to check for security vulnerabilities.
Quarterly high level reviews of data security procedures are conducted to review data security and decide on whether any new steps are required to enhance security.
Affected customers are notified as soon as possible of any data breach and within 7 days at the latest. Notification is carried out by email to the designated product administrator.
All new employees are given training in data security and privacy.
Contact information
Deletions and changes to individual student data can be requested by emailing team@zzish.com.
Parental requests according to the Parent’s Bill of Rights should be made to the customer (school or district) and the customer should then contact team@zzish.com. Data will be released to the customer to be shared with the parent or other action taken as needed.
Queries about this document can be made by contacting charles@zzish.com or team@zzish.com.
Conclusion
Zzish is committed to protecting the privacy and security of users' data. To this end it is important that all stakeholders adhere to the plan.
Do you have any questions? Please, contact us at support@quizalize.com