Security & Privacy at Seesaw UK/EU White Paper 2024
Table of Contents
02
Our Commitment to Privacy & Security GDPR Compliance Compliance with International Transfer Restrictions
03 04
Measures to Ensure Compliance with International Transfer Restrictions September 2024 investments in UK/EU data storage & performance Technical Best Practices
05
Industry Standards and 3rd Party Recognition Privacy Pledges and Frameworks
Our Commitment to Privacy & Security Your privacy is our TOP priority. 1. We never sell your data. 2. We follow 100% of industry privacy and security best practices. 3. We never advertise third-party products or services in Seesaw. 4. We do not own the content you add to Seesaw. 5. We are transparent about how we handle your personal data. For more details, visit our Privacy & Security center.
GDPR Compliance We know that using our platform means that schools and parents place a lot of trust in us when it comes to protecting the personal data of our users and, most importantly, children. We take that responsibility seriously and, no matter where we process or access personal data, it is treated in a manner that aligns with the General Data Protection Regulation and the UK’s implementation of the General Data Protection Regulation (collectively, the “GDPR”). Seesaw’s approach to data protection is 100% GDPR and UK GDPR compliant. As a certified participant in the EU-U.S. Data Privacy Framework (“DPF”) and the UK extension to the DPF (known as the “UK-U.S. Data Bridge”), Seesaw provides a GDPR compliant level of protection for personal data received from companies in the EU and UK.
Starting 1 September, 2024, all data and metadata associated with Seesaw accounts in the UK and the EU will be stored and processed locally in London, UK, resulting in significant performance improvements and additional security assurances for EU and UK customers.
Compliance with International Transfer Restrictions Like the majority of U.S.-based service providers and global businesses, we store data uploaded to the Seesaw Platform in the U.S. We are certified under the EU-U.S. DPF and the UK-U.S. Data Bridge. Transfers of personal data to participants in the DPF and UK-U.S. Data Bridge benefit, respectively, from an adequacy decision by the European Commission and UK adequacy regulations. This means that: • •
the way we treat personal data originating in the EU and UK is viewed by data protection regulators in the EU and UK as essentially equivalent to the standard guaranteed by the GDPR; and personal data can be uploaded to the Seesaw Platform and shared with Seesaw in the U.S. without additional safeguards and without running afoul of GDPR rules on international transfers.
Measures to Ensure Compliance with International Transfer Restrictions In addition to being a certified participant in the DPF and UK extension, the data processing agreement we enter into with schools includes standard contractual clauses approved by the European Commission, and the UK addendum to those standard contractual clauses. These agreements were used as the basis for transfers of personal data to us before the adequacy decision in respect of the DPF and UK adequacy regulations in respect of the UK-U.S. Data Bridge referred to above entered into force. We are in the process of updating our agreements following those decisions to rely primarily on our certification to the DPF as the basis for lawful transfers of personal data to us in the US under the GDPR. To help our customers with GDPR and UK-GDPR compliance, we also provide a pro-forma Data Processing Impact Assessment (DPIA) to save our EU and UK customers time and ensure they have the required documentation on file for GDPR compliance.
September 2024 investments in UK/EU data storage & performance We have heard from our customers that, while they understand that Seesaw is secure and compliant with international privacy laws, they desire a localized UK/EU version of the app. We listened, and we are making a major investment to tailor Seesaw directly to our customers in the UK/EU. Starting 1 Sept, 2024, all UK and EU-based customers will have all data stored and processed in London, UK, resulting in significant performance improvements and localized English and date/time formatting.
Technical Best Practices We adhere to security industry best practices to safeguard your data. • • •
We encrypt all customer data in transit (TLS 1.3) and at rest. We employ multi-factor authentication (MFA) for additional sign-in security, and all passwords are salted and hashed. Your data is stored in access-controlled data centers, operated by industryleading partners with 24/7 monitoring.
Industry Standards and 3rd Party Recognition Cyber Essentials Certification
3rd party certification that acknowledges that we have controls in place to protect against a wide variety of cyber attacks
ST4S Assessment We meet the required criteria in the ST4S framework, a privacy/security evaluation and assessment for AUS/NZ edtech tools.
Common Sense Privacy Evaluation We earned a Pass (highest rating) in a comprehensive 3rd party review of our privacy policy and procedures.
Privacy Pledges and Frameworks Data Privacy Framework We ensure data transfers to the US from the EU, UK, and Switzerland are GDPR compliant. In September 2024, all data and metadata will be stored and processed in London, UK for EU and UK customers
Student Privacy Pledge We’ve committed to student privacy safeguards that align with our principles
National Data Privacy Agreement We’ve signed the National Data Privacy Agreement (US) and many US State-Specific Privacy Agreements to streamline evaluation and approval.
Your privacy matters, and we continue to deeply invest in privacy & security to protect you, your students and families, and your educators. If you have any questions related to privacy, security, or compliance, please email privacy@seesaw.me or visit our Privacy Center.