Product: HMH FL Science Common Cartridge
Vetted by
Jim
Cveykus,
Technical Product Manager
at HMH
on 2023-01-18
Privacy Rubric Results
This product has met the criteria required to achieve the 1EdTech Data Privacy Seal.
- N/A
- UNMET
- PARTIAL
- MEETS
Data Collection
Security
3rd Party Data
Advertising
Certified
| Rubric Area | Expectations | ||
|---|---|---|---|
| General | Meets | Partially Meets | Doesn't Meet |
|
User Notes
User Notes
GEN1 - How are changes to key policies managed?
ANSWER: Notification is provided to the user in advance and a history of policy revisions are available
User Notes:
2. Updates to this Privacy Policy
The date on which this Policy was last revised is identified at the top of this page. We will post any updates we make to this Policy from time to time on this page. If we make material changes to how we treat our Users’ Personal Information, we will notify our Customer by email and/or through a notice on the Product’s home page. Any changes will become effective when we post the revised Policy or, in the case of any material changes, provide the revised Policy to our Customer. The Customer is responsible for ensuring we have an up-to-date active and deliverable email address on file, and for periodically visiting the Product’s home page and this Policy to check for any updates. Answer Meets Expectations
2. Updates to this Privacy Policy
The date on which this Policy was last revised is identified at the top of this page. We will post any updates we make to this Policy from time to time on this page. If we make material changes to how we treat our Users’ Personal Information, we will notify our Customer by email and/or through a notice on the Product’s home page. Any changes will become effective when we post the revised Policy or, in the case of any material changes, provide the revised Policy to our Customer. The Customer is responsible for ensuring we have an up-to-date active and deliverable email address on file, and for periodically visiting the Product’s home page and this Policy to check for any updates.
Answer Meets Expectations
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
| Data Collected | Meets | Partially Meets | Doesn't Meet |
|
User Notes
User Notes
DCQ1 - Do the policies list all data collected?
ANSWER: Policies list the data collected OR policies state no data is collected
User Notes:
8. The Types of Information We Collect
We limit our collection of Personal Information to no more than is reasonably necessary for the User at issue to experience our Products. Specifically, we collect the following types of information: 8.1. School Administrator Information: we collect registration information from a school administrator when the school administrator activates the school's subscription account, which may include the school administrator's own first and last name, business address and phone number, date of birth, email address, profile information and username; 8.2. Teacher Information: we collect registration information from a teacher or school administrator when the teacher (or school administrator) activates the teacher's account, which may include the teacher's first and last name, business address and phone number, date of birth, email address, profile information and username; additionally, we may collect information that constitutes Performance Review Data; 8.3. Student Information: we collect registration information from a teacher or school administrator when the teacher (or school administrator) activates the account of an individual student, which may include the student's first and last name, student ID numbers, email address, username and other information which may include gender, race, ethnicity and other demographic information, learning level and performance data. We may combine information about a student with information about his or her school, such as its location; 8.4. Student Parent/Guardian Information: we collect information about a student’s parent or guardian, such as names and email addresses, and we may associate it with the student’s information; 8.5. Schoolwork Information: we collect information contained in student homework, assignments, student compositions and reports, tests, test results, grades, and other exchanges over our Products; 8.6. School Administrator or Teacher submitted information: we collect information and content submitted by a school administrator or teacher, such as lesson plans and notes; 8.7. User-Generated Content: we collect information that students and other Users provide in connection with submitting user-generated content, and participating in collaborative features of our Products (where applicable). Examples of user-generated content that might contain Personal Information include notes, stories, responses to questions and teacher assignments (either in text, image, audio, or video format), responses to student’s submissions (either in text, image, audio, or video format), drawings that allow text or free-hand entry of information, activities, game play, assessments, and other information provided in open-text and open-form fields or posted to a bulletin board viewable by others. If a teacher chooses not to set individual passwords for his or her students’ accounts, then other students may be able to access an individual student’s notes or other work; 8.8. Usage Information: we collect usage, viewing, analytics, and technical data, including device identifiers and IP addresses, relating to Users of our Products; 8.8.1. For certain of our Products, the name and email address of an individual to whom a User wishes to send content from the Products. We use the information only to send the message, and we do not retain it. 8.8.2. Information about how, where, in a general sense (based on IP address), when, and for how long a User accesses and uses our Products, as well as what content they view, what actions they take (including, for example, clicks, touches, and hovers using a mouse), and how they navigate through our Products. We may use cookies, pixel tags, and other technologies to collect this information, as further explained in Section 10. 8.8.3. Information from and about the User’s device, such as mobile device type, browser type and version, operating system name and version, IP address, and referring URL. We collect this information automatically when a User accesses our services, to help us understand usage, diagnose problems, administer our Products, and provide support. If we discover that we have collected information in a manner inconsistent with the requirements of COPPA or FERPA, we will either (a) delete the information or (b) promptly seek requisite consents before taking further action concerning the information.
8. The Types of Information We Collect
We limit our collection of Personal Information to no more than is reasonably necessary for the User at issue to experience our Products. Specifically, we collect the following types of information:
8.1. School Administrator Information: we collect registration information from a school administrator when the school administrator activates the school's subscription account, which may include the school administrator's own first and last name, business address and phone number, date of birth, email address, profile information and username;
8.2. Teacher Information: we collect registration information from a teacher or school administrator when the teacher (or school administrator) activates the teacher's account, which may include the teacher's first and last name, business address and phone number, date of birth, email address, profile information and username; additionally, we may collect information that constitutes Performance Review Data;
8.3. Student Information: we collect registration information from a teacher or school administrator when the teacher (or school administrator) activates the account of an individual student, which may include the student's first and last name, student ID numbers, email address, username and other information which may include gender, race, ethnicity and other demographic information, learning level and performance data. We may combine information about a student with information about his or her school, such as its location;
8.4. Student Parent/Guardian Information: we collect information about a student’s parent or guardian, such as names and email addresses, and we may associate it with the student’s information;
8.5. Schoolwork Information: we collect information contained in student homework, assignments, student compositions and reports, tests, test results, grades, and other exchanges over our Products;
8.6. School Administrator or Teacher submitted information: we collect information and content submitted by a school administrator or teacher, such as lesson plans and notes;
8.7. User-Generated Content: we collect information that students and other Users provide in connection with submitting user-generated content, and participating in collaborative features of our Products (where applicable). Examples of user-generated content that might contain Personal Information include notes, stories, responses to questions and teacher assignments (either in text, image, audio, or video format), responses to student’s submissions (either in text, image, audio, or video format), drawings that allow text or free-hand entry of information, activities, game play, assessments, and other information provided in open-text and open-form fields or posted to a bulletin board viewable by others. If a teacher chooses not to set individual passwords for his or her students’ accounts, then other students may be able to access an individual student’s notes or other work;
8.8. Usage Information: we collect usage, viewing, analytics, and technical data, including device identifiers and IP addresses, relating to Users of our Products;
8.8.1. For certain of our Products, the name and email address of an individual to whom a User wishes to send content from the Products. We use the information only to send the message, and we do not retain it.
8.8.2. Information about how, where, in a general sense (based on IP address), when, and for how long a User accesses and uses our Products, as well as what content they view, what actions they take (including, for example, clicks, touches, and hovers using a mouse), and how they navigate through our Products. We may use cookies, pixel tags, and other technologies to collect this information, as further explained in Section 10.
8.8.3. Information from and about the User’s device, such as mobile device type, browser type and version, operating system name and version, IP address, and referring URL. We collect this information automatically when a User accesses our services, to help us understand usage, diagnose problems, administer our Products, and provide support.
If we discover that we have collected information in a manner inconsistent with the requirements of COPPA or FERPA, we will either (a) delete the information or (b) promptly seek requisite consents before taking further action concerning the information.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
DCQ2 - Do the policies indicate how data is collected?
ANSWER: Policies state specifically how data is collected OR policies state no data collected
User Notes:
9. How We Collect Personal Information
Our Products collect Personal Information in several ways. School administrators and teachers provide Personal Information during the registration process. Teachers and students also submit Personal Information during the normal operation and support of our Products. They submit this information, for example, when creating and responding to teaching assignments and student submissions, and otherwise engaging in educational and other activities available on our Products. HMH also collects usage information through technology, such as cookies, as further explained in Section 10 below. 10. Cookies HMH collects usage information through technology, such as cookies, pixel tags, flash cookies, browser analysis tools, server logs, web beacons, and persistent identifiers. We use cookies, IP addresses, and other persistent identifiers to authenticate users in order to ensure that only authorized individuals are permitted access to our Products, and so that we can understand how a User engages with our Products, such as identifying what links are clicked and what content is accessed and for how long. This information allows us to improve our user interface and create a better product, such as by making commonly accessed content easier to reach or by more prominently displaying content that has been less frequently accessed. Certain features (or all features) of our Products may be hosted on third party sites, and in those instances the collection activities described above may be undertaken by this third party, under our direction and control and consistent with this Policy. Most information we collect using technological means is collected only in a non-identifiable way where no information that could be linked to an individual User is used, such as for website optimization and tracking website traffic patterns. If Personal Information is collected, this Policy governs how we use Personal Information.
9. How We Collect Personal Information
Our Products collect Personal Information in several ways. School administrators and teachers provide Personal Information during the registration process. Teachers and students also submit Personal Information during the normal operation and support of our Products. They submit this information, for example, when creating and responding to teaching assignments and student submissions, and otherwise engaging in educational and other activities available on our Products. HMH also collects usage information through technology, such as cookies, as further explained in Section 10 below.
10. Cookies
HMH collects usage information through technology, such as cookies, pixel tags, flash cookies, browser analysis tools, server logs, web beacons, and persistent identifiers. We use cookies, IP addresses, and other persistent identifiers to authenticate users in order to ensure that only authorized individuals are permitted access to our Products, and so that we can understand how a User engages with our Products, such as identifying what links are clicked and what content is accessed and for how long. This information allows us to improve our user interface and create a better product, such as by making commonly accessed content easier to reach or by more prominently displaying content that has been less frequently accessed.
Certain features (or all features) of our Products may be hosted on third party sites, and in those instances the collection activities described above may be undertaken by this third party, under our direction and control and consistent with this Policy. Most information we collect using technological means is collected only in a non-identifiable way where no information that could be linked to an individual User is used, such as for website optimization and tracking website traffic patterns. If Personal Information is collected, this Policy governs how we use Personal Information.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
DCQ3 - Do the policies state who owns the data?
ANSWER: Policies state the user owns the data alone OR policies state no data collected
User Notes:
Ownership of User Content. Where applicable, certain features of a Platform (where applicable, "Interactive Features") provide Educators and Students the ability to create, upload or post User Content. We do not claim ownership in User Content. We expect each user of our Platforms to act responsibly, and to respect the rights of others. We seek to protect the integrity and security of our computing systems, and the right to protect our community of users from claims of intellectual property infringement and other claims or threats. Toward these ends, we reserve the right in our sole discretion (i) to monitor your use of the Platforms, and your User Content, (ii) to restrict or foreclose access to certain areas of the Platforms or other resources, and (iii) to take other actions we deem necessary to protect our community of users and our resources. To the extent User Content constitutes (in whole or in part) a Student Record, such Student Record shall be the property of and under the control of the School. For so long as a Student is a Platform User, the Student can obtain a copy of his/her User Content by using the download feature available through the Platform, or if such features are not available, by contacting us in accordance with Section 10 (Contact Us).
Ownership of User Content. Where applicable, certain features of a Platform (where applicable, "Interactive Features") provide Educators and Students the ability to create, upload or post User Content. We do not claim ownership in User Content. We expect each user of our Platforms to act responsibly, and to respect the rights of others. We seek to protect the integrity and security of our computing systems, and the right to protect our community of users from claims of intellectual property infringement and other claims or threats. Toward these ends, we reserve the right in our sole discretion (i) to monitor your use of the Platforms, and your User Content, (ii) to restrict or foreclose access to certain areas of the Platforms or other resources, and (iii) to take other actions we deem necessary to protect our community of users and our resources. To the extent User Content constitutes (in whole or in part) a Student Record, such Student Record shall be the property of and under the control of the School. For so long as a Student is a Platform User, the Student can obtain a copy of his/her User Content by using the download feature available through the Platform, or if such features are not available, by contacting us in accordance with Section 10 (Contact Us).
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
DCQ4 - Do the policies allow users to delete their data entirely?
ANSWER: Policies allow users to delete data entirely after a period of time OR policies state no data collected
User Notes:
16. Our Retention and Deletion of Personal Information
We retain Personal Information of Users of our Products (i) for so long as reasonably necessary (ii) to permit the User to participate with the Products, (iii) to ensure the security of our Users and our services, or (iv) as required by law or contractual commitment. After this period has expired, upon written instruction by the Customer, we will delete the Personal Information from our systems. Please understand that these deletion periods apply only to Personal Information and do not apply to De-identified Information. We retain De-Identified information in accordance with our standard practices for similar information, and do not retain or delete such information in accordance with this Policy. In addition, if requested by a Customer, we will delete from our Products the Personal Information of the Customer's Users as the Customer directs. Deleting this information will prevent the User from engaging in some or all features of our Products. Where required by applicable law, we will delete such information and provide a certification of such deletion. 17. NY Parents' Bill of Rights for Data Privacy and Security The New York Parents' Bill of Rights for Data Privacy and Security (the “NY Privacy Bill of Rights”) addresses the relationship between schools and their third party contractors in addition to the schools' relationships with parents. The only elements of the NY Privacy Bill of Rights that are incorporated herein are those provisions directed to third party contractors (“Contractor Privacy Provisions”). HMH agrees to comply with the Contractor Privacy Provisions for Customers in the State of New York. In the event of a direct conflict between this Policy and the NY Privacy Bill of Rights, the NY Privacy Bill of Rights will control. The full text of the NY Privacy Bill of Rights is available at http://www.nysed.gov/data-privacy-security/bill-rights-data-privacy-and-security-parents-bill-rights.
16. Our Retention and Deletion of Personal Information
We retain Personal Information of Users of our Products (i) for so long as reasonably necessary (ii) to permit the User to participate with the Products, (iii) to ensure the security of our Users and our services, or (iv) as required by law or contractual commitment. After this period has expired, upon written instruction by the Customer, we will delete the Personal Information from our systems. Please understand that these deletion periods apply only to Personal Information and do not apply to De-identified Information. We retain De-Identified information in accordance with our standard practices for similar information, and do not retain or delete such information in accordance with this Policy.
In addition, if requested by a Customer, we will delete from our Products the Personal Information of the Customer's Users as the Customer directs. Deleting this information will prevent the User from engaging in some or all features of our Products. Where required by applicable law, we will delete such information and provide a certification of such deletion.
17. NY Parents' Bill of Rights for Data Privacy and Security
The New York Parents' Bill of Rights for Data Privacy and Security (the “NY Privacy Bill of Rights”) addresses the relationship between schools and their third party contractors in addition to the schools' relationships with parents. The only elements of the NY Privacy Bill of Rights that are incorporated herein are those provisions directed to third party contractors (“Contractor Privacy Provisions”). HMH agrees to comply with the Contractor Privacy Provisions for Customers in the State of New York. In the event of a direct conflict between this Policy and the NY Privacy Bill of Rights, the NY Privacy Bill of Rights will control. The full text of the NY Privacy Bill of Rights is available at http://www.nysed.gov/data-privacy-security/bill-rights-data-privacy-and-security-parents-bill-rights.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
DCQ5 - Do the policies state the retention of data?
ANSWER: Policies have a 60-day or less retention policy OR policies state no data collected
User Notes:
System Administrators have the ability to purge/remove data at their own discretion through the system software. In the event you wish for HMH to purge data, you can fill out an application for a purge form with the proper signitures and we will remove on your behalf.
16. Our Retention and Deletion of Personal Information We retain Personal Information of Users of our Products (i) for so long as reasonably necessary (ii) to permit the User to participate with the Products, (iii) to ensure the security of our Users and our services, or (iv) as required by law or contractual commitment. After this period has expired, upon written instruction by the Customer, we will delete the Personal Information from our systems. Please understand that these deletion periods apply only to Personal Information and do not apply to De-identified Information. We retain De-Identified information in accordance with our standard practices for similar information, and do not retain or delete such information in accordance with this Policy. In addition, if requested by a Customer, we will delete from our Products the Personal Information of the Customer's Users as the Customer directs. Deleting this information will prevent the User from engaging in some or all features of our Products. Where required by applicable law, we will delete such information and provide a certification of such deletion. 17. NY Parents' Bill of Rights for Data Privacy and Security The New York Parents' Bill of Rights for Data Privacy and Security (the “NY Privacy Bill of Rights”) addresses the relationship between schools and their third party contractors in addition to the schools' relationships with parents. The only elements of the NY Privacy Bill of Rights that are incorporated herein are those provisions directed to third party contractors (“Contractor Privacy Provisions”). HMH agrees to comply with the Contractor Privacy Provisions for Customers in the State of New York. In the event of a direct conflict between this Policy and the NY Privacy Bill of Rights, the NY Privacy Bill of Rights will control. The full text of the NY Privacy Bill of Rights is available at http://www.nysed.gov/data-privacy-security/bill-rights-data-privacy-and-security-parents-bill-rights.
System Administrators have the ability to purge/remove data at their own discretion through the system software. In the event you wish for HMH to purge data, you can fill out an application for a purge form with the proper signitures and we will remove on your behalf.
16. Our Retention and Deletion of Personal Information
We retain Personal Information of Users of our Products (i) for so long as reasonably necessary (ii) to permit the User to participate with the Products, (iii) to ensure the security of our Users and our services, or (iv) as required by law or contractual commitment. After this period has expired, upon written instruction by the Customer, we will delete the Personal Information from our systems. Please understand that these deletion periods apply only to Personal Information and do not apply to De-identified Information. We retain De-Identified information in accordance with our standard practices for similar information, and do not retain or delete such information in accordance with this Policy.
In addition, if requested by a Customer, we will delete from our Products the Personal Information of the Customer's Users as the Customer directs. Deleting this information will prevent the User from engaging in some or all features of our Products. Where required by applicable law, we will delete such information and provide a certification of such deletion.
17. NY Parents' Bill of Rights for Data Privacy and Security
The New York Parents' Bill of Rights for Data Privacy and Security (the “NY Privacy Bill of Rights”) addresses the relationship between schools and their third party contractors in addition to the schools' relationships with parents. The only elements of the NY Privacy Bill of Rights that are incorporated herein are those provisions directed to third party contractors (“Contractor Privacy Provisions”). HMH agrees to comply with the Contractor Privacy Provisions for Customers in the State of New York. In the event of a direct conflict between this Policy and the NY Privacy Bill of Rights, the NY Privacy Bill of Rights will control. The full text of the NY Privacy Bill of Rights is available at http://www.nysed.gov/data-privacy-security/bill-rights-data-privacy-and-security-parents-bill-rights.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
| Security | Meets | Partially Meets | Doesn't Meet |
|
User Notes
User Notes
SECQ1 - Do the policies state how data is protected?
ANSWER: Policies list the steps taken to protect data or OR policies state no data collected
User Notes:
15. How We Protect Personal Information
We have implemented and maintain reasonable organizational, technical, administrative and physical security controls that are designed to protect the security, confidentiality and integrity of personal information collected through our Products from unauthorized access, disclosure, use, loss or modification. Our information security controls comply with reasonable and accepted industry practice, as well as requirements under COPPA and FERPA. We diligently follow these information security controls and periodically review and test our information security controls to keep them current. 15.1. Information Security Procedures. We will: Standard of Care. Keep and maintain all Personal Information in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use, modification, or disclosure; Use for School Purposes Only. Collect, use, and disclose Personal Information solely and exclusively for the purposes for which Users provided to us the Personal Information, or access to it, and not use, sell, rent, transfer, distribute, modify, data mine, or otherwise disclose or make available Personal Information for our own purposes or for the benefit of anyone other than the Customer, without the Customer's prior written consent or as permitted by this Policy; Non-Disclosure. Not, directly or indirectly, disclose Personal Information to any person other than our employees and Our Service Providers who have a need to know, without express written consent from the Customer; Employee Training. Provide appropriate privacy and information security training to our employees. Transport Security. Use Transport Layer Security (TLS) for our transmission of all user data to and from our Products; and Secure Storage. Use industry standard file encryption for user data that is subject to protection under either COPPA, FERPA, or both. Where file encryption is not reasonably feasible, we employ other industry standard safeguards, protections, and countermeasures to protect such data, including authentication and access controls within media, applications, operating systems and equipment. 15.2. Data Location and Security. We use third party cloud service providers in the delivery and operation of our Product(s), and data (including Personal Information) is stored on the servers of our cloud service providers. Our contracts with our cloud service providers require them to implement reasonable and appropriate measures designed to secure content against accidental or unlawful loss, access, or disclosure. Our cloud service providers have at least the following security measures in place for their networks and systems: (i) secure HTTP access (HTTPS) points for customer access, (ii) built-in firewalls, (iii) tested incident response program, (iv) resilient infrastructure and computing environments, (v) ITIL based patch management system, (vi) high physical security based on SSAE-16 standards, and (vii) documented change control processes. To the extent we store personal information internally on our servers, we comply with the information security controls set out in Section 15.1. 15.3. Data Breach Response. In the event of a security breach involving Personal Information, we will take prompt steps to mitigate the breach, evaluate and respond to the intrusion, and cooperate and assist our Customer in their efforts with respect to (i) responding to the breach, including the provision of notices to data subjects; and (ii) engaging mutually agreeable auditors or examiners in connection with the security breach, subject to reasonable notice, access and confidentiality limitations.
15. How We Protect Personal Information
We have implemented and maintain reasonable organizational, technical, administrative and physical security controls that are designed to protect the security, confidentiality and integrity of personal information collected through our Products from unauthorized access, disclosure, use, loss or modification. Our information security controls comply with reasonable and accepted industry practice, as well as requirements under COPPA and FERPA. We diligently follow these information security controls and periodically review and test our information security controls to keep them current.
15.1. Information Security Procedures. We will:
Standard of Care. Keep and maintain all Personal Information in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use, modification, or disclosure;
Use for School Purposes Only. Collect, use, and disclose Personal Information solely and exclusively for the purposes for which Users provided to us the Personal Information, or access to it, and not use, sell, rent, transfer, distribute, modify, data mine, or otherwise disclose or make available Personal Information for our own purposes or for the benefit of anyone other than the Customer, without the Customer's prior written consent or as permitted by this Policy;
Non-Disclosure. Not, directly or indirectly, disclose Personal Information to any person other than our employees and Our Service Providers who have a need to know, without express written consent from the Customer;
Employee Training. Provide appropriate privacy and information security training to our employees.
Transport Security. Use Transport Layer Security (TLS) for our transmission of all user data to and from our Products; and
Secure Storage. Use industry standard file encryption for user data that is subject to protection under either COPPA, FERPA, or both. Where file encryption is not reasonably feasible, we employ other industry standard safeguards, protections, and countermeasures to protect such data, including authentication and access controls within media, applications, operating systems and equipment.
15.2. Data Location and Security. We use third party cloud service providers in the delivery and operation of our Product(s), and data (including Personal Information) is stored on the servers of our cloud service providers. Our contracts with our cloud service providers require them to implement reasonable and appropriate measures designed to secure content against accidental or unlawful loss, access, or disclosure. Our cloud service providers have at least the following security measures in place for their networks and systems: (i) secure HTTP access (HTTPS) points for customer access, (ii) built-in firewalls, (iii) tested incident response program, (iv) resilient infrastructure and computing environments, (v) ITIL based patch management system, (vi) high physical security based on SSAE-16 standards, and (vii) documented change control processes. To the extent we store personal information internally on our servers, we comply with the information security controls set out in Section 15.1.
15.3. Data Breach Response. In the event of a security breach involving Personal Information, we will take prompt steps to mitigate the breach, evaluate and respond to the intrusion, and cooperate and assist our Customer in their efforts with respect to (i) responding to the breach, including the provision of notices to data subjects; and (ii) engaging mutually agreeable auditors or examiners in connection with the security breach, subject to reasonable notice, access and confidentiality limitations.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
SECQ2 - Do the policies state all confidential & sensitive information is encrypted throughout?
ANSWER: Data encrypted throughout OR passes an encryption test with no vulnerabilities OR policies state no data collected
User Notes:
15. How We Protect Personal Information
We have implemented and maintain reasonable organizational, technical, administrative and physical security controls that are designed to protect the security, confidentiality and integrity of personal information collected through our Products from unauthorized access, disclosure, use, loss or modification. Our information security controls comply with reasonable and accepted industry practice, as well as requirements under COPPA and FERPA. We diligently follow these information security controls and periodically review and test our information security controls to keep them current. 15.1. Information Security Procedures. We will: Standard of Care. Keep and maintain all Personal Information in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use, modification, or disclosure; Use for School Purposes Only. Collect, use, and disclose Personal Information solely and exclusively for the purposes for which Users provided to us the Personal Information, or access to it, and not use, sell, rent, transfer, distribute, modify, data mine, or otherwise disclose or make available Personal Information for our own purposes or for the benefit of anyone other than the Customer, without the Customer's prior written consent or as permitted by this Policy; Non-Disclosure. Not, directly or indirectly, disclose Personal Information to any person other than our employees and Our Service Providers who have a need to know, without express written consent from the Customer; Employee Training. Provide appropriate privacy and information security training to our employees. Transport Security. Use Transport Layer Security (TLS) for our transmission of all user data to and from our Products; and Secure Storage. Use industry standard file encryption for user data that is subject to protection under either COPPA, FERPA, or both. Where file encryption is not reasonably feasible, we employ other industry standard safeguards, protections, and countermeasures to protect such data, including authentication and access controls within media, applications, operating systems and equipment. 15.2. Data Location and Security. We use third party cloud service providers in the delivery and operation of our Product(s), and data (including Personal Information) is stored on the servers of our cloud service providers. Our contracts with our cloud service providers require them to implement reasonable and appropriate measures designed to secure content against accidental or unlawful loss, access, or disclosure. Our cloud service providers have at least the following security measures in place for their networks and systems: (i) secure HTTP access (HTTPS) points for customer access, (ii) built-in firewalls, (iii) tested incident response program, (iv) resilient infrastructure and computing environments, (v) ITIL based patch management system, (vi) high physical security based on SSAE-16 standards, and (vii) documented change control processes. To the extent we store personal information internally on our servers, we comply with the information security controls set out in Section 15.1. 15.3. Data Breach Response. In the event of a security breach involving Personal Information, we will take prompt steps to mitigate the breach, evaluate and respond to the intrusion, and cooperate and assist our Customer in their efforts with respect to (i) responding to the breach, including the provision of notices to data subjects; and (ii) engaging mutually agreeable auditors or examiners in connection with the security breach, subject to reasonable notice, access and confidentiality limitations.
15. How We Protect Personal Information
We have implemented and maintain reasonable organizational, technical, administrative and physical security controls that are designed to protect the security, confidentiality and integrity of personal information collected through our Products from unauthorized access, disclosure, use, loss or modification. Our information security controls comply with reasonable and accepted industry practice, as well as requirements under COPPA and FERPA. We diligently follow these information security controls and periodically review and test our information security controls to keep them current.
15.1. Information Security Procedures. We will:
Standard of Care. Keep and maintain all Personal Information in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use, modification, or disclosure;
Use for School Purposes Only. Collect, use, and disclose Personal Information solely and exclusively for the purposes for which Users provided to us the Personal Information, or access to it, and not use, sell, rent, transfer, distribute, modify, data mine, or otherwise disclose or make available Personal Information for our own purposes or for the benefit of anyone other than the Customer, without the Customer's prior written consent or as permitted by this Policy;
Non-Disclosure. Not, directly or indirectly, disclose Personal Information to any person other than our employees and Our Service Providers who have a need to know, without express written consent from the Customer;
Employee Training. Provide appropriate privacy and information security training to our employees.
Transport Security. Use Transport Layer Security (TLS) for our transmission of all user data to and from our Products; and
Secure Storage. Use industry standard file encryption for user data that is subject to protection under either COPPA, FERPA, or both. Where file encryption is not reasonably feasible, we employ other industry standard safeguards, protections, and countermeasures to protect such data, including authentication and access controls within media, applications, operating systems and equipment.
15.2. Data Location and Security. We use third party cloud service providers in the delivery and operation of our Product(s), and data (including Personal Information) is stored on the servers of our cloud service providers. Our contracts with our cloud service providers require them to implement reasonable and appropriate measures designed to secure content against accidental or unlawful loss, access, or disclosure. Our cloud service providers have at least the following security measures in place for their networks and systems: (i) secure HTTP access (HTTPS) points for customer access, (ii) built-in firewalls, (iii) tested incident response program, (iv) resilient infrastructure and computing environments, (v) ITIL based patch management system, (vi) high physical security based on SSAE-16 standards, and (vii) documented change control processes. To the extent we store personal information internally on our servers, we comply with the information security controls set out in Section 15.1.
15.3. Data Breach Response. In the event of a security breach involving Personal Information, we will take prompt steps to mitigate the breach, evaluate and respond to the intrusion, and cooperate and assist our Customer in their efforts with respect to (i) responding to the breach, including the provision of notices to data subjects; and (ii) engaging mutually agreeable auditors or examiners in connection with the security breach, subject to reasonable notice, access and confidentiality limitations.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
SECQ3 - Do the policies state whether or not it enforces strong password creation?
ANSWER: Supplier enforces strong password creation OR supplier user base exempt from password requirements or OR no account creation required
User Notes:
HMH strongly recommends that districts implement Single Sign on and defer to their SSO for policies on strength of username/password. HMH has basic platform login requirements such as number of characters in username/password and upper and lower case for different roles but defer to system administrators to own what they allow to be imported/managed to the system itself.
http://downloads.hmlt.hmco.com/Help/ImportMngmt/Administrator/index.htm#t=Passphrases.htm&rhsearch=passphrases&rhhlterm=passphrases&rhsyns=%20
HMH strongly recommends that districts implement Single Sign on and defer to their SSO for policies on strength of username/password. HMH has basic platform login requirements such as number of characters in username/password and upper and lower case for different roles but defer to system administrators to own what they allow to be imported/managed to the system itself.
http://downloads.hmlt.hmco.com/Help/ImportMngmt/Administrator/index.htm#t=Passphrases.htm&rhsearch=passphrases&rhhlterm=passphrases&rhsyns=%20
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
SECQ4 - Do the policies indicate whether or not it leverages 2 step (or other forms of multifactor) authentication?
ANSWER: Supplier uses SSO or an LTI launch OR no account creation is required OR supplier user base exempt from 2-step authentication requirements
User Notes:
HMH strongly recommends that districts implement Single Sign on or LTI Launch and defer to their SSO for policies on strength of username/password.
HMH strongly recommends that districts implement Single Sign on or LTI Launch and defer to their SSO for policies on strength of username/password.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
SECQ5 - Do the policies state the use of cookies?
ANSWER: Policies list all cookies used and each cookie's purpose OR policies state that it only uses cookies that are crucial for app functionality
User Notes:
10. Cookies
HMH collects usage information through technology, such as cookies, pixel tags, flash cookies, browser analysis tools, server logs, web beacons, and persistent identifiers. We use cookies, IP addresses, and other persistent identifiers to authenticate users in order to ensure that only authorized individuals are permitted access to our Products, and so that we can understand how a User engages with our Products, such as identifying what links are clicked and what content is accessed and for how long. This information allows us to improve our user interface and create a better product, such as by making commonly accessed content easier to reach or by more prominently displaying content that has been less frequently accessed. Certain features (or all features) of our Products may be hosted on third party sites, and in those instances the collection activities described above may be undertaken by this third party, under our direction and control and consistent with this Policy. Most information we collect using technological means is collected only in a non-identifiable way where no information that could be linked to an individual User is used, such as for website optimization and tracking website traffic patterns. If Personal Information is collected, this Policy governs how we use Personal Information.
10. Cookies
HMH collects usage information through technology, such as cookies, pixel tags, flash cookies, browser analysis tools, server logs, web beacons, and persistent identifiers. We use cookies, IP addresses, and other persistent identifiers to authenticate users in order to ensure that only authorized individuals are permitted access to our Products, and so that we can understand how a User engages with our Products, such as identifying what links are clicked and what content is accessed and for how long. This information allows us to improve our user interface and create a better product, such as by making commonly accessed content easier to reach or by more prominently displaying content that has been less frequently accessed.
Certain features (or all features) of our Products may be hosted on third party sites, and in those instances the collection activities described above may be undertaken by this third party, under our direction and control and consistent with this Policy. Most information we collect using technological means is collected only in a non-identifiable way where no information that could be linked to an individual User is used, such as for website optimization and tracking website traffic patterns. If Personal Information is collected, this Policy governs how we use Personal Information.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
| Third Party Data | Meets | Partially Meets | Doesn't Meet |
|
User Notes
User Notes
SHRQ1 - Do the policies state the use of third parties?
ANSWER: Policies list each third party separately OR policies state third party use strictly for app functionality OR policies state that they do not use third parties
User Notes:
14. Third Party Services
We require Our Service Providers to agree in writing to terms that are no less restrictive regarding Personal Information that we share with them than the terms contained in this Policy. Upon written request, we will provide a list of Our Service Providers to our Customer. This Policy does not address, and we are not responsible for, the privacy, information, or other practices of any other third parties, including any third party operating any site or service to which our Products may link. The inclusion of a link in any of our Products does not imply our endorsement of the linked site or service. We are not responsible for the privacy, information or other practices of other organizations, such as Apple, Google, Microsoft, RIM, or any other device manufacturer, app developer, or provider of an app, social media platform, operating system, or wireless service. Answer Meets Expectations
14. Third Party Services
We require Our Service Providers to agree in writing to terms that are no less restrictive regarding Personal Information that we share with them than the terms contained in this Policy. Upon written request, we will provide a list of Our Service Providers to our Customer. This Policy does not address, and we are not responsible for, the privacy, information, or other practices of any other third parties, including any third party operating any site or service to which our Products may link. The inclusion of a link in any of our Products does not imply our endorsement of the linked site or service. We are not responsible for the privacy, information or other practices of other organizations, such as Apple, Google, Microsoft, RIM, or any other device manufacturer, app developer, or provider of an app, social media platform, operating system, or wireless service.
Answer Meets Expectations
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
SHRQ2 - Do the policies state what information is shared with each 3rd party?
ANSWER: Policies list the data it shares with each third party separately OR policies state that it does not share any data with any third party
User Notes:
14. Third Party Services
We require Our Service Providers to agree in writing to terms that are no less restrictive regarding Personal Information that we share with them than the terms contained in this Policy. Upon written request, we will provide a list of Our Service Providers to our Customer. This Policy does not address, and we are not responsible for, the privacy, information, or other practices of any other third parties, including any third party operating any site or service to which our Products may link. The inclusion of a link in any of our Products does not imply our endorsement of the linked site or service. We are not responsible for the privacy, information or other practices of other organizations, such as Apple, Google, Microsoft, RIM, or any other device manufacturer, app developer, or provider of an app, social media platform, operating system, or wireless service. Answer Meets Expectations
14. Third Party Services
We require Our Service Providers to agree in writing to terms that are no less restrictive regarding Personal Information that we share with them than the terms contained in this Policy. Upon written request, we will provide a list of Our Service Providers to our Customer. This Policy does not address, and we are not responsible for, the privacy, information, or other practices of any other third parties, including any third party operating any site or service to which our Products may link. The inclusion of a link in any of our Products does not imply our endorsement of the linked site or service. We are not responsible for the privacy, information or other practices of other organizations, such as Apple, Google, Microsoft, RIM, or any other device manufacturer, app developer, or provider of an app, social media platform, operating system, or wireless service.
Answer Meets Expectations
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
SHRQ3 - Do the policies state whether or not users can opt out of 3rd party data sharing?
ANSWER: Policies include an easy opt out process for users OR policies state that it does not share any data with any third party
User Notes:
No data is shared to 3rd parties if its not required for your purchase agreement.
14. Third Party Services We require Our Service Providers to agree in writing to terms that are no less restrictive regarding Personal Information that we share with them than the terms contained in this Policy. Upon written request, we will provide a list of Our Service Providers to our Customer. This Policy does not address, and we are not responsible for, the privacy, information, or other practices of any other third parties, including any third party operating any site or service to which our Products may link. The inclusion of a link in any of our Products does not imply our endorsement of the linked site or service. We are not responsible for the privacy, information or other practices of other organizations, such as Apple, Google, Microsoft, RIM, or any other device manufacturer, app developer, or provider of an app, social media platform, operating system, or wireless service.
No data is shared to 3rd parties if its not required for your purchase agreement.
14. Third Party Services
We require Our Service Providers to agree in writing to terms that are no less restrictive regarding Personal Information that we share with them than the terms contained in this Policy. Upon written request, we will provide a list of Our Service Providers to our Customer. This Policy does not address, and we are not responsible for, the privacy, information, or other practices of any other third parties, including any third party operating any site or service to which our Products may link. The inclusion of a link in any of our Products does not imply our endorsement of the linked site or service. We are not responsible for the privacy, information or other practices of other organizations, such as Apple, Google, Microsoft, RIM, or any other device manufacturer, app developer, or provider of an app, social media platform, operating system, or wireless service.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
SHRQ4 - Do the policies state if the supplier requires 3rd parties to adhere to the terms of the vendor/customer agreement?
ANSWER: Supplier claims responsibility for third party privacy practices OR policies state that it does not share any data with any third party
User Notes:
14. Third Party Services
We require Our Service Providers to agree in writing to terms that are no less restrictive regarding Personal Information that we share with them than the terms contained in this Policy. Upon written request, we will provide a list of Our Service Providers to our Customer. This Policy does not address, and we are not responsible for, the privacy, information, or other practices of any other third parties, including any third party operating any site or service to which our Products may link. The inclusion of a link in any of our Products does not imply our endorsement of the linked site or service. We are not responsible for the privacy, information or other practices of other organizations, such as Apple, Google, Microsoft, RIM, or any other device manufacturer, app developer, or provider of an app, social media platform, operating system, or wireless service.
14. Third Party Services
We require Our Service Providers to agree in writing to terms that are no less restrictive regarding Personal Information that we share with them than the terms contained in this Policy. Upon written request, we will provide a list of Our Service Providers to our Customer. This Policy does not address, and we are not responsible for, the privacy, information, or other practices of any other third parties, including any third party operating any site or service to which our Products may link. The inclusion of a link in any of our Products does not imply our endorsement of the linked site or service. We are not responsible for the privacy, information or other practices of other organizations, such as Apple, Google, Microsoft, RIM, or any other device manufacturer, app developer, or provider of an app, social media platform, operating system, or wireless service.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
SHRQ5 - Do the policies state whether or not user is notified of a change in third parties?
ANSWER: Supplier changes third party and keeps the same data sharing terms OR supplier does not use any third parties
User Notes:
2. Updates to this Privacy Policy
The date on which this Policy was last revised is identified at the top of this page. We will post any updates we make to this Policy from time to time on this page. If we make material changes to how we treat our Users’ Personal Information, we will notify our Customer by email and/or through a notice on the Product’s home page. Any changes will become effective when we post the revised Policy or, in the case of any material changes, provide the revised Policy to our Customer. The Customer is responsible for ensuring we have an up-to-date active and deliverable email address on file, and for periodically visiting the Product’s home page and this Policy to check for any updates.
2. Updates to this Privacy Policy
The date on which this Policy was last revised is identified at the top of this page. We will post any updates we make to this Policy from time to time on this page. If we make material changes to how we treat our Users’ Personal Information, we will notify our Customer by email and/or through a notice on the Product’s home page. Any changes will become effective when we post the revised Policy or, in the case of any material changes, provide the revised Policy to our Customer. The Customer is responsible for ensuring we have an up-to-date active and deliverable email address on file, and for periodically visiting the Product’s home page and this Policy to check for any updates.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
| Advertising | Meets | Partially Meets | Doesn't Meet |
|
User Notes
User Notes
ADVQ1 - Do the policies indicate if advertisements are displayed?
ANSWER: No ads are displayed
User Notes:
Further, we do not use, or permit third parties to use, Personal Information collected through our Products for the purpose of targeted advertising.
Further, we do not use, or permit third parties to use, Personal Information collected through our Products for the purpose of targeted advertising.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
ADVQ2 - Do the policies indicate whether or not users are targeted for advertisement?
ANSWER: Policies guarantee no ad targeting OR Policies state no ads are used on its platform
User Notes:
Further, we do not use, or permit third parties to use, Personal Information collected through our Products for the purpose of targeted advertising.
Further, we do not use, or permit third parties to use, Personal Information collected through our Products for the purpose of targeted advertising.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
ADVQ3 - Do the policies indicate whether or not any 3rd parties track or collect information for advertisement?
ANSWER: Policies state third parties are not used for ads or tracking
User Notes:
Further, we do not use, or permit third parties to use, Personal Information collected through our Products for the purpose of targeted advertising.
Further, we do not use, or permit third parties to use, Personal Information collected through our Products for the purpose of targeted advertising.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
ADVQ4 - Do the policies indicate whether or not web beacons or other tracking methods are used for ad purposes?
ANSWER: Policies state that it only tracks interactions within its application OR policies state that it does not use any tracking technologies for ads
User Notes:
Further, we do not use, or permit third parties to use, Personal Information collected through our Products for the purpose of targeted advertising.
Further, we do not use, or permit third parties to use, Personal Information collected through our Products for the purpose of targeted advertising.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
User Notes
User Notes
ADVQ5 - Do the policies state whether or not users can opt out of sharing data with advertisers?
ANSWER: Policies state in detail how users can opt out of sharing data with advertisers OR policies state no ads are used on its platform
User Notes:
Further, we do not use, or permit third parties to use, Personal Information collected through our Products for the purpose of targeted advertising.
Further, we do not use, or permit third parties to use, Personal Information collected through our Products for the purpose of targeted advertising.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
Vetting Context
Policies Cited
The following urls were cited as a basis for this information.
- Terms of Service/Terms of Use https://www.hmhco.com/terms-of-use-k12-learning-platforms
- Privacy Policy https://www.hmhco.com/prek-12-products-privacy-policy
- The person providing this information is also using the product.
- The supplier was reportedly consulted about this evaluation.
Geographical Context
(Laws and regulations can vary across regions)
Massachusetts
United States
Email Jim about this record
The views and opinions expressed in this information are those of the authors and do not necessarily reflect the official policy or position of 1EdTech. The information provided is intended to surface trends about the policies and procedures of systems leveraged by the educational community. It should not be considered legal advice.
Disclaimer:
1EdTech Trusted Apps
provides a vetting of a product's data policy according to the
1EdTech Trusted Apps Rubric.
Achieving the
TrustEd Apps Certified Seal
indicates adherence to a baseline level of privacy.
Institutions should review an application's detailed vetting results before approving it for use.
© Copyright 2025 1EdTech Global Learning Consortium Inc. All Rights Reserved.
App Vetting Rubric Version: 2