As a leading provider of assessment systems, the privacy and security of individuals about whom we process personal data is critical to us. This Global Privacy Notice (“notice”) explains how we manage and protect your personal data (referred to as “data”) when you visit our website (“Visitor”) or use our assessment platform services either as a representative of a School to which we provide services (“School User”) or a student or parent of a school which uses our services (a “Service User”). If you are a Service User, for the majority of personal data we process about you, we are a processor and therefore act on behalf of your school and as directed by them. We recommend that you review your school’s privacy notice to understand how your school manages your personal data.
This notice tells you who we are, what data about you we collect in connection with our website and services, and what we do with it.
To learn more about our approach to privacy law compliance and data security more broadly, please visit our GDPR section.
AssessPrep (“AssessPrep”, “we”, “us”) is part of Codeyug Web Services Pvt. Ltd. AssessPrep is the Next Generation Assessment Platform for the world’s leading international schools. Founded in 2016, we serve schools in 37 countries providing a platform for all their assessment needs. We are responsible for managing your data in connection with our services.
Details of how to contact us can be found below at Who should you contact with questions?
We use various types of data about you for purposes connected with the management of our website or the delivery of our assessment platform services. If you are a ManageBac school, this information is synced to AssessPrep during Setup.
Visitor
We may collect and process the following information in order to provide you with our website:
your name, title, business telephone number, details about the school you represent, details about your position at the school (e.g., subjects you teach or how long you have worked at the school) and e-mail address used during our registration process in order to communicate with you in relation to the provision of learning platform services to your school.
responses to our surveys you choose to take.
your e-mail address to send electronic marketing to you, including our annual newsletters and updates, if you consent to us doing so.
details of your interactions with us when you contact us with enquiries through our online customer support, or via telephone or email.
Service User
We may collect and process the following information:
information captured in your student account, provided by you or your parents including information such as your name, email address, nationality, date and place of birth, gender, language, national ID, and parents’ names and contact details, in order to conduct statistical analyses for our own reporting.
survey responses or feedback we request from you in relation to future product developments and educational plans.
details of your interactions with us when you contact us with enquiries through our customer support system online, or via telephone or email.
Throughout your use of our website and/or our provision of services to you or a school, we use data about you for various purposes.
The purposes for which we use data about you, with corresponding legal basis for use, are set out below:
Visitors
Purpose | Legal basis for processing |
---|---|
Management of our website e.g. site maintenance and analytics of website usage (which will include the sharing of data with Google Analytics). | It is our legitimate business interest to manage and develop our website. |
Fulfilment of online services e.g. registering for a demonstration, webinar, blog or trial account. | We process your data in order to provide you with the online service which you have requested. Our processing is based on your consent. |
Legal & regulatory compliance and compliance with law enforcement requests | In some instances, we will be required by law to process your personal data and share it with law enforcement or other government or regulatory bodies. We may also choose to do so in other circumstances, in accordance with our legitimate interests. |
School Users
Purpose | Legal basis for processing |
---|---|
Customer support activities e.g. interacting with you via our online customer support or by phone, e-mail | It is our legitimate business interest to provide customer support to School Users in order to provide the assessment platform services to schools. |
Provision and management of assessment platform services to school e.g. managing requests, managing user accounts, submitting a PO, handling invoices, etc. | It is our legitimate business interest to provide and manage the assessment platform services we provide to schools. |
Marketing | We only send marketing communications to you based on your consent. |
Sharing data with other third parties. Please see “Who do we share data with and for what purpose?” below. | It is our legitimate business interest to share data with third parties to assist with the purposes described below. |
Legal and regulatory compliance and compliance with law enforcement requests | In some instances, we will be required by law to process your personal data and share it with law enforcement or other government or regulatory bodies. We may also choose to do so in other circumstances, in accordance with our legitimate interests. |
Service Users
Purpose | Legal basis for processing |
---|---|
Conducting statistical analyses for reporting e.g. to conduct data analyses that enables us to improve and develop our services | It is our legitimate business interest to improve our assessment platform services through the use of statistical analyses and reporting. |
Customer support activities e.g. interacting with you via our online customer support or by phone or e-mail | It is our legitimate business interest to provide customer support to Service Users. |
Marketing | We only send marketing communications to you based on your consent. |
Sharing data with other third parties. Please see “Who do we share data with and for what purpose?” below. | It is our legitimate business interest to share data with third parties to assist with the purposes described above. |
Legal and regulatory compliance and compliance with law enforcement requests | In some instances, we will be required by law to process your personal data and share it with law enforcement or other government or regulatory bodies. We may also choose to do so in other circumstances, in accordance with our legitimate interests. |
Please note that we do not process any special category data about you (e.g., information of race or ethnicity) for our own purposes. You may be requested to provide such information by your school which may be passed to us for processing but we do not use it for any other purpose.
In some instances, we may use personal data about you in ways that are not described above. Where this is the case, we will provide a supplemental privacy notice that explains such use and consent if required. You should read any supplemental notice in conjunction with this notice.
Sharing data with third parties
We may share data about you with our third-party service providers, such as IT providers or customer support services.
We may share data about you with other third parties, where required or permitted by law, for example: regulatory authorities; government departments; in response to a request from law enforcement authorities or other government officials;
We may share data when we consider disclosure to be necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal purpose; and
We may share data in the context of organisational restructuring.
If you would like to learn more about the parties with which we share data, please contact us using the details below at Who should you contact with questions.
We implement appropriate technical and organisational measures to protect personal data that we hold from unauthorised disclosure, use, alteration or destruction. Our standard protocols include:
Application security:
traffic encryption, strongly hashed passwords, safeguards against vulnerabilities such as cross site scripting, SQL injections, phishing and others.
Network security:
firewalls and systems to detect suspicious behaviour, stop malicious attempts to gain access, or compromise the resilience of the service (e.g. DDOS attacks).
Organisational security:
access policies, audit logs and confidentiality agreements.
Physical security:
preventing unauthorized access to infrastructure processing personal data.
Procedural security:
IT management processes to minimize the risk of human errors, or testing regimes to identify software weaknesses before releasing new features to our cloud services, or policies to ensure data is only processed on instruction from our customers.
The period for which we may retain data about you will depend on the purposes for which the data was collected, whether you have requested the deletion of the data, and whether any legal obligations require the retention of the data (for example, for regulatory compliance).
We will not retain data about you for longer than is necessary to fulfil the purposes for which the data was collected.
Depending on where you are resident, you may have some or all of the following rights under applicable law in respect of data about you which we hold:
request us to give you access to it, and have us provide you with a copy of any data we hold about you
request us to rectify or update it
request us to erase it in certain circumstances
request us to restrict our using it, under certain circumstances
object to our using it, in certain circumstances
withdraw your consent to our using it, where our processing is based on consent
data portability, in certain circumstances
opt out from our using it for electronic direct marketing, through all or selected channels. We will always comply with this request; and
lodge a complaint with the supervisory authority in your country (if there is one).
You can exercise these rights, or learn more about them, by contacting us using the details below at Who should you contact with questions?
We may be required to confirm your identity before we action any request from you in connection with your data. This may involve asking you to provide identification documents.
If you have any questions, or wish to exercise any of your rights, then you can contact our Data Protection Officer Abhimanyu Jhajharia at info@assessprep.com.
If your country has a supervisory authority, you have a right to contact it with any questions or concerns. If we cannot resolve your questions or concerns, you also have the right to seek judicial remedy before a national court.
We may update this notice (and any supplemental privacy notice) from time to time as shown below. We will notify you of the changes where required by applicable law to do so.
Last modified on June 18, 2018.
The General Data Protection Regulation, known as GDPR, was approved by the European Union in April 2016 and is in effect as of May 25, 2018. It is the most sweeping legislation in the last two decades focused on data security and privacy, and significantly updates, extends, and harmonises data protection legislation across the EU/EEA.
To read more about GDPR, please click here.
Who is subject to GDPR?
Individuals, organisations and companies that control or process personal data are subject to GDPR. In broad terms, there are three different actors:
Data subjects (students, families, school employees)
Data controllers (the school)
Data processors (systems like AssessPrep)
As a data processor, we do not decide the purpose or lawfulness of the data we process and store. We are trustees acting on our customers’ behalf. As data controllers, schools remain ultimately responsible for documenting and deciding how data enters our systems. However, GDPR regulations do impose new and stricter regulations on processors. We will fully comply with these requirements for all of our services, including AssessPrep and Integration partners.
How is GDPR different from current data protection laws?
Key areas of difference center on increased accountability for companies, greater access to personal data for individuals, and higher penalties for non-compliance.
GDPR explicitly lays out key rights of data subjects:
right to be informed
right of rectification
right of erasure
right to restrict processing
right of data portability
right to object
right of access
These rights form the framework for interactions between the data subject, controller, and processor. While the controller (school) remains responsible for respecting these rights, the processor (us) may assist in accomplishing these tasks.
The penalties for non-compliance are not insubstantial. A school found in violation of GDPR may be assessed fines worth up to 4% of total annual revenue. The Information Commissioner’s Office (ICO) is responsible for enforcing GDPR and has a broad range of powers to do so.
What kind of data is covered, and what information are schools allowed to collect?
All personal data concerning an individual (data subject) is included under GDPR. Specifically, personal data that allows an individual to be identified — for example name, address, phone number, photo, etc. — is included under GDPR.
Even if personal data has been encrypted, pseudonymised, or anonymized, it may still fall under the scope of GDPR if the data can still be used to identify a specific individual.
Examples of personal data that our schools collect and store include:
Names
Addresses
E-mail Addresses
Phone Numbers
ID Numbers (Passport, National Id, SSN)
GDPR specifies six lawful bases for collecting personal data:
Consent
Written contract
Legal Obligation
Vital Interests
Public tasks
Legitimate interests
For most schools, the legal basis for data collection relates to either legal obligations as learning institutions, or to legitimate interests.
Most of the bases require that the data processing is necessary, i.e. if you can reasonably achieve the same results and purpose without processing data, then you do not have a lawful basis.
Is AssessPrep GDPR-compliant?
We are as of May 25, 2018. We are well prepared for the GDPR changes with a strong set of organisational and technical security measures. AssessPrep has been designed from the start with personal data protection in mind, and we pride ourselves on offering schools, students, and parents the highest level of security.
As a part of our commitment to GDPR, you can expect AssessPrep to:
Ensure organisational and technical security for all services.
Assist with documentation to demonstrate compliance and keep users informed.
Provide new contract addenda that comply with GDPR requirements for Data Processing Agreements (DPA)
Offer support when your users exercise their data subject rights.
We continue to invest in organisational security, network and infrastructure security, and application security to ensure we can offer world-class security beyond standard requirements. We are careful not to provide explicit detail about our security measures but our standard protocols include:
Application security: traffic encryption, strongly hashed passwords, safeguards against vulnerabilities such as cross site scripting, SQL injections, phishing and others.
Network security: firewalls and systems to detect suspicious behaviour, stop malicious attempts to gain access, or compromise the resilience of the service (e.g. DDOS attacks).
Organisational security: access policies, audit logs and confidentiality agreements.
Physical security: preventing unauthorized access to infrastructure processing personal data.
Procedural security: IT management processes to minimize the risk of human errors, or testing regimes to identify software weaknesses before releasing new features to our cloud services, or policies to ensure data is only processed on instruction from our customers.
How does AssessPrep obtain personal data about users, and how is it used?
User data is submitted to our platforms in three ways:
1. directly by the users
2. by representatives authorised by the users (e.g. the school technology director obtains data and then uploads it to our platform)
3. via an integration with a third-party system
Data typically enters our systems via “student information systems” independently maintained and controlled by our customer schools. We import data from third-party systems only under direct instruction from our customers.
We use personal data under our protection only when we receive direct instructions from the customer school. The data stored on our systems belongs directly to our customers, and only a handful of AssessPrep staff have access to personal data under strict confidentiality and security. We process personal data independently only if it is vital to the integrity or security of the service, or to analyze or evaluate the quality of the service provided.
Can any of our users request data deletion under the “right to be forgotten”?
Likely not. A data deletion request is valid only if the lawful basis of the processing is Consent (see above), or if the original purpose is no longer valid.
We strongly recommend that our schools implement clear processes for evaluating these kinds of requests. Our Data Protection Officer can also assist with advice in difficult cases. If a data subject is granted the right to be deleted, AssessPrep will, either through our software or our support services, help execute these rights and confirm the deletion.
When does AssessPrep delete personal data?
AssessPrep deletes personal data when instructed by our customers, or if the contract between us and the customer is terminated. The procedures around deleting customer data upon termination of service should be provided in writing or in a Data Processor Agreement.
An instruction to delete a user in our services can either be manually performed in the platform by a customer representative or upon request to our support team.
When users are deleted in our systems, there are safeguards in place to prevent errors leading to an irreplaceable loss of data. In many cases customers will have to manually confirm the deletion of customer data, including personal data.
Can a user contact AssessPrep directly (e.g. student, parent, teacher) to exercise his rights under GDPR?
No. Under GDPR, the data subject (user) rights are between him and the controller (our customers). Any data subject requests from end users to AssessPrep will be handed over to the customer. AssessPrep will cooperate in good faith with customers to ensure they can exercise the rights of the data subjects in a prompt manner.
Will AssessPrep notify users if a data breach has occurred?
Depending on the nature of the data breach, our customers might be required to promptly notify both the users affected and the supervising authorities. AssessPrep is required to notify its customers when becoming aware of a data breach, and to help them fulfil their obligations in notifying users.
Does GDPR impact customers outside the EU?
Not legally. The EU, obviously, has no legislative power over other jurisdictions. GDPR does not offer any rights or freedoms to data subjects located outside the EU, and does not put obligations on non-EU customers that do not process data on EU/EEA data subjects.
However, AssessPrep offers, for the most part, the same services and same level of security to all our customers. In other words, no matter where your school is located, you will benefit from our approach to security of personal data under GDPR.
Who do I contact with further questions?
For general questions related to AssessPrep you can always contact our support team at support@assessprep.com.
For specific GDPR-related questions from our customers, please contact our Data Protection Officer Abhimanyu Jhajharia at info@assessprep.com. Please note that any communication with our DPO must be in English.