(Updated August 12, 2025)
Purpose of This Plan
This plan outlines the policies and practices governing the collection, use, and storage of data obtained through the Riveting Results® platform. Riveting Results, Inc. (“RR”) prioritizes the protection of customer and student data, complying with laws such as FERPA, COPPA, PPRA, and IDEA, as well as Student Data Privacy Consortium (SDPC) requirements.
The CEO, with extensive public school leadership experience, leads the student privacy team, staying current on legislation through AASA’s Student and Child Privacy Center. Updates in law or best practice are reviewed with the CTO and implementation team to adjust RR’s practices and platform accordingly.
Student Data Collected
- First and last name
- Student identification number
- Student email
- Class name and/or section number
- Grade level
- Teacher name
- Teacher email address
How Student Data Is Used
- Services: To provide platform access and related reports to schools/districts.
- Reporting: To generate usage-based reports for educators.
- Account Support: Aggregated data is used to assist customer service.
- PII Treatment: All identifiable data treated as PII and stored securely.
- No Solicitation: All data comes from school districts; no direct solicitation from students.
- No Ownership: RR holds no ownership over student-identifiable data.
No Targeted Advertising or Marketing
- No advertisements or marketing messages within the platform.
- No sharing of student data with third parties for advertising, marketing, or tracking.
User Interactions
- Students cannot upload external content or create profiles.
- Information is not shared for social purposes.
Educator Data Collected and Use
Data collected: name, school/district, grade level, course titles, email.
Used only for account registration and maintenance.
Data Storage Location
- Cloud-based application hosted on Google Cloud in the U.S.
- No student data stored outside the U.S.
Third-Party/Subprocessors
- List of subprocessors available upon request.
- Subprocessors bound by agreements meeting or exceeding RR’s privacy and security standards.
- LEA notified 30 days before adding new subprocessors, with the right to object.
- RR, as the vendor, remains responsible for its subprocessors’ compliance.
Security Framework
Aligned with the NIST Cybersecurity Framework.
Network-Level Security
- Hosting provider implements industry-standard security.
Server-Level Security
- Limited access for trained engineers.
- Google Cloud manages security updates.
- Intrusion detection, configuration control, monitoring, and automated backups in place.
Device Security
- Password-controlled access for all systems and accounts.
- Support for Single Sign-On (SSO).
Encryption
- HTTPS access only; encryption in transit and at rest.
Employee and Contractor Policies
- Access limited to necessary personnel.
- Confidentiality agreements required.
- Annual IT security training covering privacy laws, data handling, best practices, incident response, and more.
- Review of cloud providers’ compliance.
- Network access terminated upon employee departure.
- Audit logs maintained for PII access.
Data Retention and Destruction
- Data used only in production systems for platform functions.
- Data removed when customer access ends.
Correction and Removal of Student Data
- Requests are made through a teacher or administrator, who verifies the requester’s identity before notifying RR.
- Removal limits the student’s ability to use the platform.
Breach Notification and Incident Response
Identification: Continuous monitoring for suspicious activity.
Assessment: Evaluate scope and severity within 24 hours for PII-related incidents.
Investigation: Data Security and Privacy Incident Team conducts forensic review and identifies vulnerabilities.
Mitigation: Immediate containment and policy updates.
Response: Post-incident review within one month, followed by updated training.
Audit Rights
LEA may audit RR’s policies and systems annually, or more often under specific conditions. RR, as the vendor, must address any deficiencies found and confirm their correction.
Staff and Subcontractor Training
Annual training on PII protection and compliance with laws.
Policy Review
Reviewed annually and updated as needed for legal compliance and clarity.
Questions can be directed to contact@rr.tools.