PocketLab Notebook Data Security Plan

Overview

At PocketLab, we prioritize the security and privacy of all users, including educators, students, and institutions. This document outlines our data security practices, detailing how we protect personal information, ensure compliance with applicable laws, and respond to security incidents.

Data Collection and Usage

PocketLab collects minimal Personally Identifiable Information (PII) necessary for users to access and utilize the PocketLab Notebook platform. The PII collected may include names and email addresses, particularly for account creation and user authentication. We ensure that all data collected complies with relevant laws, including the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA).

For educational institutions, PocketLab serves as a "School Official" under FERPA, which means we handle student data in a manner consistent with these regulations. PocketLab will only use personal data as directed by the institution. 

Data Security Measures

PocketLab employs robust security measures to protect the data of our users:

  • Encryption: All data transmitted between users and the PocketLab platform is encrypted in transit using HTTPS (SSL/TLS). Additionally, data at rest is secured with industry-standard encryption techniques.
  • Access Controls: Access to user data is restricted to authorized personnel within PocketLab, and such access is governed by strict internal policies and procedures. Our platform is hosted on a secure cloud environment (Amazon Web Services) that utilizes advanced Identity and Access Management (IAM) tools to manage and monitor access.
  • Password Security: User accounts are protected by strong, encrypted passwords. We encourage users to choose robust passwords and maintain their confidentiality. Sharing of accounts is prohibited, and users are responsible for any activity that occurs under their accounts.

Data Retention and Deletion

PocketLab retains user data for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable laws. Student data may be deleted upon request from an educational institution or upon the expiration of a specific retention period, in compliance with FERPA and COPPA regulations. If an account remains inactive for an extended period, PocketLab reserves the right to delete the data associated with that account.

Response to Security Incidents

PocketLab is committed to promptly addressing any security incidents that may arise:

  • Incident Identification: Any potential security threats or breaches will be immediately investigated to determine their scope and impact.
  • Containment and Resolution: Once a security incident is identified, we will take immediate steps to contain and resolve the issue, including closing any vulnerabilities and mitigating any risks associated with the breach.
  • Notification: In the event of a data breach that compromises user information, PocketLab will notify the affected users and institutions as required by law. This notification will include details about the breach, the data involved, and the steps taken to address the issue.

Compliance and Legal Obligations

PocketLab adheres to all applicable laws and regulations concerning data protection and privacy. Our practices are designed to ensure compliance with FERPA, COPPA, and other relevant legislation. We regularly review our policies and procedures to maintain compliance and address any changes in legal requirements.

User Responsibilities

Users are responsible for maintaining the security of their account credentials and for any activities conducted through their accounts. PocketLab advises users to monitor their accounts regularly and report any suspicious activity to support@thepocketlab.com immediately.

Contact Information

For questions or concerns about PocketLab’s data security practices, users can contact us at support@thepocketlab.com. PocketLab is committed to safeguarding user data and maintaining the highest standards of security and privacy.

---

This Data Security Plan reflects PocketLab’s commitment to protecting the privacy and security of all users and their data.

_____________

Addendum: New York State Education Law §2-d and Part 121 Compliance

This Addendum supplements the PocketLab Notebook Data Security Plan and outlines how PocketLab complies with the requirements of New York State Education Law §2-d, Part 121 of the Commissioner’s Regulations, and applicable guidance from the New York State Education Department (NYSED).

Note that Principal or Teacher Data as defined under Section 2-d (quoted below) is not applicable to this service, since we do not collect it.

“Teacher or Principal Data” refers to personally identifiable information contained in the records of an educational agency that relates to the annual professional performance reviews of classroom teachers or principals. This information is confidential and is not subject to release under Section 3012-c of this chapter.

1. Safeguards to Protect Personally Identifiable Information (PII)

PocketLab implements administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of student, teacher, and principal personally identifiable information (PII), including:

  • Encryption of data in transit (HTTPS/SSL) and at rest.
  • Role-based access controls.
  • Strong authentication measures and secure account management.
  • Internal access controls based on the principle of least privilege.
  • Secure infrastructure hosted on leading cloud providers with built-in security features.

2. Alignment with the NIST Cybersecurity Framework

PocketLab has adopted a cybersecurity posture that is partially aligned with the NIST Cybersecurity Framework (NIST CSF). Specifically:

  • Identify: Risk and asset management practices are in place.
  • Protect: Encryption, access control, and employee training are implemented.
  • Detect: System monitoring and alerting processes are operational.
  • Respond: An incident response process is maintained to handle threats.
  • Recover: Backup and recovery capabilities support business continuity.

PocketLab is committed to evolving its practices toward full alignment.

3. Employee Training

All PocketLab employees, contractors, and any authorized parties with access to PII receive mandatory training on applicable data privacy laws, including:

  • FERPA (Family Educational Rights and Privacy Act)
  • COPPA (Children’s Online Privacy Protection Act)
  • Cybersecurity awareness and general best practices to safeguard personal data

4. Subcontractor Oversight

PocketLab may engage subcontractors to fulfill its obligations. Any subcontractor that receives, stores, processes, or transmits PII is:

  • Bound by a written agreement that ensures compliance with FERPA, COPPA, and NY Ed Law §2-d.
  • Restricted from using PII for any unauthorized purpose.
  • Subject to data privacy and security reviews.

PocketLab ensures that subcontractor access is limited and controlled in accordance with applicable law.

5. Incident Response and Breach Notification

PocketLab maintains an incident response plan that addresses:

  • Identification, containment, and investigation of incidents involving unauthorized access or disclosure of PII.
  • Prompt notification to the educational agency.
  • Documentation of each incident and remediation steps.

6. Data Return, Transition, or Destruction

Upon expiration or termination of a contract with an educational agency, PocketLab will, at the direction of that agency:

  • Permanently delete or destroy the data using secure and industry-accepted deletion practices.

PocketLab will certify the completion of the data disposition process if requested.

7. Use and Disclosure Restrictions

PocketLab adheres to the following requirements:

  • Does not use or disclose student PII for marketing or commercial purposes.
  • Does not sell PII under any circumstances.
  • Does not disclose PII to any third party without prior written consent, except as legally permitted and required to fulfill contracted services.
  • Limits internal access to PII to only those individuals who need it to perform their job duties.

8. Parent Bill of Rights

PocketLab acknowledges and agrees to comply with the New York State Education Department’s Parent Bill of Rights for Data Privacy and Security. This Addendum shall be read in conjunction with that Bill of Rights and all applicable contractual obligations.