Information Technology Security Standards

Last Updated: July 28, 2023

Purpose.

Information security is central to the operations of Wilson Language Training Corporation (“WLT,” “we,” “us,” or “our”). These Information Technology Security Standards (the “IT Standards”) were created to inform our customers, users, and parents of users of our Digital Products regarding our current practices for protecting the security of student data and educator data.

Scope.

These IT Standards relate to our provision of Digital Products to educators and administrators (“Educators”), to schools or school districts who purchase our Digital Products on behalf of their Educators (“Schools”), and to the students whose information we may receive from Educators, who are typically students in K-12 or beyond (“Students”). For information about our privacy practices in relation to our Digital Products, please visit our Digital Products Privacy Statement, available at https://wilsonlanguage.com/digital-products-privacy-statement.

Definition.

As used in these IT Standards:

Customer” refers to either: (i) Schools, or; (ii) an individual Educator when they purchase Digital Products licenses directly from us for their own use (e.g., when an educator provides freelance tutoring).

Customer Data” refers, collectively and individually, to Educator Data and/or Student Data.

Digital Products” refers, collectively and individually, to FUN HUB®, Virtual Implementation Services (VIS), and/or Wilson Academy.

Educator Data” refers to information about an Educator that, either alone or in combination with other reasonably available information, can be used to identify the Educator.

Student Data” refers to any personally identifiable information of a Student, as that term is defined under the Family Educational Rights and Privacy Act (FERPA).

User” refers to users of our Digital Products.

User Access.

Use of an account and a password is required to access our Digital Products. We do not offer Users, including Students, any way to login to our Digital Products through social media tools.

Access to Data.

Access to Customer Data is limited (through user/password credentials and two factor authentication) to those employees who require it to perform their job functions. Our employees with access to Customer Data will receive training on data privacy prior to receiving access and on an annual basis thereafter. All employees must sign a confidentiality agreement before they join the company, and background checks are conducted as part of the onboarding process. We conduct phishing and social-engineering awareness testing and education for our employees. Third parties with access to Customer Data are bound by applicable laws and contractual obligations of confidentiality and privacy to maintain Customer Data in a secure and confidential manner.

Storage and processing.

For any Customers located in the United States, Student Data is stored in the United States. We maintain strict administrative, technical, and physical procedures to protect Customer Data stored in our servers, which are located across Tier 1 data centers that are logically and physically separated locations. Our hosting provider implements security measures in accordance with industry standards.

Encryption.

We use industry-standard TLS 1.2 encryption technology to safeguard the account registration process and sign-up information. Other security safeguards include but are not limited to data encryption, firewalls, and physical access controls to building and files. Data is encrypted during transmission and at rest.

Device Controls.

We encrypt all of our employee laptops, and those devices are centrally managed and covered by anti-virus protections which are updated periodically. Laptops are password protected.

Data Retention and Destruction.

Upon the written request of a Customer, we will remove Student Data and/or Educator Data from our production servers when we will no longer be providing access to the Digital Products to the Customer. We reserve the right, in our sole discretion, to remove Student Data and/or Educator Data for a particular customer from our production servers following a reasonable period of time after our relationship with a Customer has ended, as demonstrated by the end of contract term or Customer’s lack of activity within the Digital Products. We do not knowingly retain Student Data beyond the reasonable period of time required to support Customer’s educational purpose, unless authorized by the Customer. Student Data is removed from backups in accordance with our data retention standards.

Unauthorized Disclosure.

If there is any disclosure or access to any personally identifiable Student Data by an unauthorized party that compromises the security, confidentiality, or integrity of the Student Data, we will promptly notify the affected Customer(s) consistent with applicable laws, and we will use reasonable efforts to cooperate with their investigation of the incident.

Third-Party Audit and Testing.

In addition to internal controls on data security, we contract with an independent third-party auditor to conduct annual security audits on our IT infrastructure and the Digital Products, which includes penetration testing. We review the findings and implement the recommended updates where practical and appropriate. Third parties are not provided with direct access to student data in performing the services.

Updates.

We review these IT Standards on an annual basis and make updates from time to time, for example, to reflect changes in the law and our practices, and to provide more clarity on our practices. When we make any changes, we will provide notice by updating the “last updated” date at the top of these IT Standards indicating when it was last revised. Please reach out to Legal@wilsonlanguage.com with any questions.