2.1 Institutional Privacy Policy
2.1.1 Introduction
This policy outlines how StudentPulse collects, uses, and protects personal data specific to educational institutions, their staff, and students. This policy is in compliance with the General Data Protection Regulation (GDPR).
2.1.2 Data Collection
We know that you have concerns about the personal data you share with us. Our goal is to be transparent about what data we collect and how we use it.
We keep and use only personal data that you've provided directly, or when it's clear they were left for processing by us when provided. We may use the following types of data for the purposes set out in this Privacy Policy:
- Name (Only collected in education.studentpulse.io)
- Email address (Only collected in education.studentpulse.io)
- The way you navigate through our service (Data is not stored by us, instead we rely on Intercom to do it. Refer to Internal systems document)
- Statistics as to how you use the service (Data is not stored by us, instead we rely on Intercom to do it. Refer to Internal systems document)
We collect this data for the following purposes:
- To provide you with our services
- To personalise your experience with our services
- To send you important account information and updates
We obtain your consent when your organisation signs an agreement with us. You have the right to withdraw your consent at any time. If you wish to withdraw your consent, please contact us at [email protected]
If we suspect fraudulent or abusive behaviour related to the Studentpulse application, we may share your personal data with relevant authorities.
We will not disclose your personal data to third parties (other than listed in “Approved third party subprocessors” section) unless it is necessary to fulfil our agreement with you, or we are legally required to do so.
2.1.3 How we collect data
We collect customer data in two ways:
Data provided by our Customers: Upon signing contract with Studentpulse we will ask you to fill a document with email, first/last names and institutional units that users belong to. This is a crucial part to lay a foundation for your success at using Studentpulse.
Log Data monitoring: we collect log data whenever you access Studentpulse. This data include things like an IP address, browser type and version, the pages you visit on Studentpulse, and other user statistics. When you access Studentpulse with a mobile device, log data includes the type of device, your mobile unique ID, the IP address of your device, mobile operating system, and other mobile statistics.
2.1.4 Platform Users
- Data Collected: Full Name, Email Address, Password, Institutional information (which unit does the user belongs to)
- Purpose: To create user accounts and manage access to specific data (student feedback and check-in information). Email address and password is used for logging in the platform. Email address can be used to send transactional emails (e.g forgot password email). Data about user and organisational unit relationship is foundational information that you are required to have in order to use Studentpulse.
2.1.5 Students Providing Anonymous Feedback
- Data Collected: Anonymous feedback data, usage of self-help services
- Purpose: To analyze and improve the student experience and track the usage of self-help services.
2.1.6 Students Requesting Support
- Data Collected: Request for support
- Purpose: for educational institutions enabling StudentPulse’s “identification feature”, data classified as personal identifiable information will be collected. This includes the following types of personal data about data subjects (students):
- First name
- Last name
- Email address
- Phone number
- When using StudentPulse’s identification feature, a student registers his/her data directly in a StudentPulse Check-in. How the student’s data is processed will depend on the method desired by the educational institutions. StudentPulse currently offers three different ways of processing the data::
- Microsoft Teams webhook: uses a webhook to send the student’s data directly to a Microsoft Teams channel. Using this method data is NOT SENSITIVE STORED IN STUDENTPULSE SERVERS
- Mailersend mailpush: uses a Mailersend-integration to send the student’s data to one or more email addresses. Using this method data is NOT SENSITIVE STORED IN STUDENTPULSE SERVERS
- Education.studentpulse.io: stores the student’s data in the StudentPulse application. Note, that this method is only used when external integrator method fails. In that case Studentpulse will provide you student replies you in 72 hours and will delete data from the server.
- More information about the sub-processors can be found from the section “Data Sharing”.
- Purpose: To forward the student's request for support to the institution upon receiving consent. Note that the actual student Personal Data and consent is not stored by StudentPulse; it falls under the data privacy agreement between the institution and the student.
2.1.6.1 Terms and Conditions Add-on
- As a customer of StudentPulse’s identification feature the educational institution is the data controller, which means the institution is responsible for ensuring that the processing of the data stored in systems is in accordance with applicable laws.
- For a student to register the information the student should therefore accept terms and conditions that reflect how the educational institution will process his/her data. The terms and conditions are to be defined by the educational institution controlling and processing the data, however, it is recommended that terms and conditions include:
- A legitimate purpose for collecting and processing the student’s data.
- Information about how the student has his/her data deleted, corrected, or anonymized.
- Information about the student’s right to always withdraw his/her consent to processing their data.
- As an addition to that it is recommended that the terms & conditions accepted by the student include information about the sub-processor used when this student’s information is collected. Sub-processors used for the engage module are to be found from legal.studentpulse.io (section, “Third parties and sub-processors”), whereas the sections below briefly explains how a student’s information is handled for each of the methods of data collection:
- Microsoft Teams-integration: when your information is submitted it will be sent to a Microsoft Teams channel managed by [INST NAME] using an incoming webhook. The Microsoft Teams channel is handled by [CONTACT NAME].
- Send to email-integration: when your information is submitted it will be sent to [INST EMAIL] using a sub-processor, Mailersend. The email is managed by [CONTACT NAME].
- Store information in StudentPulse: when your information is submitted it will be stored on [INST NAME] StudentPulse account. The account is managed by [CONTACT NAME].
We collect the necessary data to provide a tailored experience for each user type. The data is collected through secure channels, ensuring the privacy and integrity of the information.
2.1.7 DAA initiative
We only partner with providers that are a part of DAA initiative. Our third-party partners may use cookies or other tracking technologies to provide you advertising on other sites based on your browsing activities and interests. You can find more information about these practices, including how to opt-out of receiving targeted advertising here: http://www.aboutads.info/choices/.
2.1.8 Data Usage
This section outlines how the collected data is utilized across different user roles and interactions within the StudentPulse platform. Whether you are a platform user (teacher, administrator, well-being staff, etc.) or a student interacting with our services, it's important to understand how your data is used to enhance your experience and fulfill our service commitments.
- Platform Users
- Account creation
- Data separation based on customer requirements
- Access control to specific data (student feedback and check-in information)
- Transactional emails sending
- Students Providing Anonymous Feedback
- To analyze and improve the student experience
- To track the usage of self-help services
- Students Requesting Support
- To forward the student's request for support to the institution
The data is used to enhance our platform's functionality and provide targeted services to our users.
2.1.9 Data Sharing (who do we share data with)
We take the confidentiality of your data seriously. Below are the specific ways in which data may be shared across different user roles and scenarios:
2.1.9.1 For Platform Users (Teachers, Administrators, Well-being Staff, etc.)
- Your data is stored securely on AWS. We use multiple services within AWS. However, all of the services that are used are hosted and accessible explicitly in Frankfurt, Germany. If a service suggests data transfer to improve service experience, we decided to opt out of that and choose to region lock and stay within Frankfurt.
Your data is not shared with any third parties, except as necessary for the provision of our services. For example, if your institution opts for a feature that requires integration with an external Learning Management System (LMS), some data may be shared with that LMS to enable the feature to work as intended. This sharing is done in a secure manner and is compliant with privacy regulations. Specifics regarding any such data sharing will be outlined in the Data Processing Agreement (DPA) between your institution and StudentPulse, should you require it.
2.1.9.2 For Students Providing Anonymous Feedback
- The anonymous feedback collected may be used for research, training AI models, and generating recommendations to improve student well-being. Importantly, any data used for these purposes will be fully anonymized and detached from any specific institution to maintain confidentiality.
2.1.9.3 For Students Requesting Support
- When a student requests support and consents to share this request, the data will be forwarded to the designated personnel at your institution. The consent for this data sharing is governed by the data privacy agreement between the student and your institution.
By using our platform, your institution acknowledges and agrees to these potential uses of fully anonymized and aggregated data for research and service improvement purposes, unless specified differently in the Data Processing Agreement (DPA) when we partner.
Please note that our use of third-party service providers may change over time. We will update this section of our privacy policy accordingly and notify you of any significant changes.
2.1.9.4 Third parties and sub-processors
Below you’ll find third-party providers used by StudentPulse to establish and maintain client relationships, work together internally, and build and maintain the platform. The list is updated continuously. All parties have signed data processing agreements limiting their usage.
We do not sell data to third parties and third parties are only allowed to process data in accordance with guidelines defined by StudentPulse.
All third parties are used to build and maintain the StudentPulse platform and/or to serve StudentPulse clients.
StudentPulse Core Applications
Sub-processors we use to develop and maintain the StudentPulse platform.
- Amazon Web Services
More info: https://aws.amazon.com/compliance/gdpr-center/
Data location: within EU (Frankfurt) - Mailersend
More info: https://www.mailersend.com/legal/how-mailersend-stays-gdpr-compliant
Data location: Ireland - Pusher
More info: https://pusher.com/legal-archived/data-protection/
Data location: Ireland - Sentry (Error tracking software, no user data is presented)
More info: https://sentry.io/trust/privacy/
Data location: Iowa, USA
StudentPulse Engage Applications
Sub-processors we use in StudentPulse if the platform is used by clients to identify students in need of 1:1-support.
All clients:
- Amazon Web Services (AWS)
More info: https://aws.amazon.com/compliance/gdpr-center/
Data location: within EU (Frankfurt)
Description: AWS is used to host and serve traffic to Engage module
Clients using “send student information to email”-feature:
- Mailersend (optional for Students if you chose to use this feature; but mandatory for users)
More info: https://www.mailersend.com/legal/how-mailersend-stays-gdpr-compliant
Data location: Ireland
Description: Mailersend is used to build reusable email templates and send emails ensuring high deliverability rates.
Clients using “send student information to Microsoft Teams”-feature: (optional for Students if you chose to use this feature)
- Microsoft Teams
More info: https://learn.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook?tabs=dotnet
Data location: Ireland
Description: Microsoft Teams webhook is used to send student information directly to a Microsoft Teams channel managed by the client.
2.1.10 Data Retention
2.1.10.1 Storage period
Personal data provided by you will be stored in your account until the account is terminated or removed. However, in certain cases, we may need to store your data for a longer period of time to comply with legal requirements.
If you share personal data with us via contact forms or email, we will retain the data for as long as necessary to provide a complete response or handle your request. Once the purpose of the data collection has been fulfilled, we will delete the information unless we are required by law to keep it for a longer period of time.
2.1.10.2 Students Providing Anonymous Feedback
Data from anonymous student feedback is retained indefinitely for statistical analysis and to improve our services.
2.1.10.3 Students Requesting Support
Only the request for support is stored, not any personal information. The request is forwarded to the institution, and the consent for this sharing falls under the data privacy agreement between the institution and the student.
2.1.11 Data Security (process and technology)
We take data privacy and secrecy very seriously in Studentpulse. Below you will find measures we take to keep your data secure.
Physical and environmental security | Access to the physical assets of StudentPulse, i.e. IT equipment is limited to employees at StudentPulse. Furthermore, select individuals related to cleaning and maintenance of the office. Each individual is issued an electronic key with an RFiD chip containing a serial code which has been paired with their name and personal information. All entrances to the premises are monitored by CCTV and the building in which StudentPulse resides has a guard on duty 24 hours a day, 7 days a week. Furthermore no assets are stored locally on our premises, but solely in the cloud where they are placed redundantly in data centres in Frankfurt, Germany |
Access control | The physical access to the office is controlled continuously. This means that as soon as an employment is terminated the physical and digital access is revoked. Furthermore, a digital access management based on the individual's position and their work has been put in place, ensuring employees only have access to information and material relevant to their work. All systems log the individual's use of them, and all users have individual access accounts allowing for detailed tracking of use, and more importantly potential abuse, of any information |
Data Transmission & Storage | Transfer of files and information conducted by StudentPulse employees follow specific guidelines for which information may be conveyed, and which systems this may be done through. These systems share the common trait of having passed the internal requirements from StudentPulse regarding security and traceability. |
Backup and restoring | All data is backed up at least once every 24 hours, and most of it is backed up continuously as changes are made. Furthermore, company policy dictates that no files are stored physically on a PC drive or similar, partially due to security risks, but also due to the risk of losing data. |
Encryption | The main systems utilized by StudentPulse here under, StudentPulse.io, G-suite, and Slack encrypt all data at rest with at least 128-bit AES |
Logging | All systems have a minimum log showing creation, updating and deletion of items or information. Furthermore all systems apart from the project management software Podio, has logging functions who have accessed a given information. To combat this, access management and information storage in Podio has been addressed. |
2.1.11.1 Vulnerability prevention
We outsource security checkup to third party provider. They run a security check once every 12 months . Company who does security audits - Qualys (https://www.qualys.com/). Qualys sends security reports and potential vulnerabilities, patches, etc. *PLEASE NOTE* Qualys does not have access to your data.
The premises utilised for processing of personal data, are equipped with access control systems and alarms. Camera surveillance is provided if it is deemed appropriate. This applies both to data centres. Logical access to personal data is restricted with the help of an authorisation system. Personal data here refers to the data of users accessing the StudentPulse platform on behalf of the client as we do not, by default, store personal data related to their students.
The security of your personal information is important to us. We maintain a variety of appropriate technical and organizational safeguards to protect your personal information. We limit access to personal information about you to employees who we believe reasonably need to come into contact with that information to provide products or services to you or in order to do their jobs. Further, we have implemented reasonable physical, electronic, and procedural safeguards designed to protect personal information about you. When you enter sensitive information (such as your password), we encrypt that information in transit using industry-standard Transport Layer Security (TLS) encryption technology. No method of transmission over the Internet, method of electronic storage or other security methods are one hundred percent secure.
- Platform Users
Studentpulse authentication system is based on RBAC. This allows use to only show resources that are available to particular user or it’s group. OWASP security checklist is being accomplished constantly.
- Students Providing Anonymous Feedback
Since the feedback is anonymous, there are no user data that can be hijacked. However, it is possible to input free text, so we have to take security measures here. Our system makes sure that SQL injection is not possible, XSS and CSRF attacks are mitigated. Anti bot/spam policies are installed so you can make sure your data is secured.
- Students Requesting Support
We make sure that students’ requesting support data is securely passed to right organizational unit. We do this by processing user input in the server instead of the client side. This makes sure that organizational unit gets right data without any spam/mailicious intent. Data is being validated, formatted and sent through the wire to our external integration partner.
2.1.12 User Access
- Platform Users
- Can change their name and password. For deletion requests, please contact [email protected]
- Students Providing Anonymous Feedback
- No personal data is collected, hence no access
- Students Requesting Support
- Students can withdraw their consent at any time by contacting Studentpulse’s DPO
2.1.13 Compliance
We comply with GDPR and adhere to the guidelines and principles set forth by the Danish Data Protection Agency.
2.1.14 Changes to privacy policy
We reserve the right to make changes to this statement at any time. If we make any material changes, we will notify you via email or other means of communication, and the updated statement will be effective immediately upon posting.
We encourage you to review this statement regularly to stay informed of any updates. By continuing to use our service after any changes have been made, you agree to the updated privacy statement.
2.1.15 DPO (Data protection officer)
We have appointed a Data Protection Officer (DPO) to oversee our data protection responsibilities and ensure that we are processing your personal data in accordance with applicable data protection laws and regulations.
Our DPO can be contacted by emailing [email protected]. If you have any questions or concerns regarding the processing of your personal data or would like to exercise any of your data subject rights as outlined in this Privacy Policy, please contact our DPO.
Our DPO's responsibilities include:
- Monitoring our compliance with applicable data protection laws and regulations;
- Providing advice and guidance on data protection matters to employees and other individuals whose personal data we process;
- Coordinating with regulatory authorities in the event of a data protection breach; and
- Serving as a point of contact for individuals whose personal data we process regarding any questions, concerns, or requests related to their personal data.
Please note that our DPO is not responsible for handling any customer service or technical support inquiries. If you have a question or concern that is unrelated to data protection or privacy matters, please use our live chat feature where our customer success team will be ready to help you.
2.1.A Data Processing Addendum
2.1.A.A Introduction
This Data Processing Agreement ("Agreement") forms part of the Contract for Services ("Principal Agreement") between
Institution name:
Address:
Contact Person:
E-mail/phone:
Signature:
(the "Institution")
and
StudentPulse A/S
Nyhavnsgade 14, 4. 9000, Aalborg, Denmark
Company code: 42114952
Contact Person: Gorm Eriksen
E-mail/phone: [email protected] / +45 27150077
Signature:
(the "Data Processor")
(together as the "Parties")
WHEREAS, the Parties have entered into the Principal Agreement, under which the Data Processor provides certain services to the Institution;
WHEREAS, in the course of providing these services, the Data Processor may process personal data on behalf of the Institution;
WHEREAS, this Agreement aims to ensure that the Data Processor processes such personal data in compliance with the General Data Protection Regulation (GDPR) and any other applicable data protection laws;
This Agreement is an addendum to the Principal Agreement and becomes effective upon being signed by both Parties.
2.1.A.B Preamble
This Data Processing Agreement ("Agreement") serves as an addendum to the Principal Agreement between the Parties. The purpose of this Agreement is to outline the obligations and responsibilities of the Parties concerning the processing of personal data, as defined by the General Data Protection Regulation (GDPR) and any other applicable data protection laws.
The Data Processor is engaged in providing services to the Institution that involve the processing of personal data. The Parties acknowledge the importance of complying with their respective obligations under data protection laws, including but not limited to the GDPR.
The Parties agree that the Institution is the Data Controller and that the Data Processor will process personal data on behalf of the Data Controller in accordance with the terms set forth in this Agreement and the Principal Agreement.
This Agreement is intended to ensure that the Data Processor processes all personal data in compliance with the obligations placed on the Data Controller by data protection laws, thereby ensuring the lawful and secure processing of personal data.
2.1.A.C Definitions
- "Personal Data": Any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- "Processing": Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Data Controller": The Institution that determines the purposes and means of the processing of personal data.
- "Data Processor": The entity that processes personal data on behalf of the Data Controller.
- "Data Subject": The identified or identifiable natural person to whom the personal data belongs.
- "GDPR": The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
- "Sub-Processor": Any third-party appointed by or on behalf of the Data Processor to process personal data on behalf of the Data Controller in connection with this Agreement.
- "Principal Agreement": The Contract for Services between the Institution and the Data Processor, to which this Agreement serves as an addendum.
- "Data Breach": A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- "Data Protection Laws": All applicable laws and regulations relating to the processing of personal data and privacy, including the GDPR.
2.1.A.D Scope and Purpose
This Agreement applies to the processing of personal data carried out by the Data Processor on behalf of the Institution, as described in the Principal Agreement and this Data Processing Agreement.
Purpose of Data Processing
The primary purpose of data processing under this Agreement is to provide the Institution with services as described in the Principal Agreement, which include but are not limited to:
- Creating user accounts in the StudentPulse platform for Employees at the Institution
- Analyzing and improving the student experience.
- Tracking the usage of self-help services.
- Forwarding student requests for support to the Institution. (Optional feature)
Types of Personal Data and Anonymous Data
The Data Processor may process the following types of personal data on behalf of the Institution:
Employees that will access the StudentPulse platform as user:
- Full Name
- Email Address
- Password
Students that request for 1:1 support (when using StudentPulse’s identification feature)
- First name
- Last name
- Phone number
- Message: What does the request concern
The Data Processor may process the following types of anonymous data on behalf of the Institution:
- Student Experience feedback data (0-10 scores & explanation for the score)
- Usage of self-help services
Categories of Data Subjects
The categories of data subjects whose personal data may be processed include:
- Platform Users (teachers, administrators, well-being staff, etc.)
- Students providing anonymous feedback
- Students requesting 1:1 support
2.1.A.E Obligations of the Data Controller
- The Institution, acting as the Data Controller, shall have the following obligations:
- The Data Processor shall not process personal data for any other purpose or in any other way than as authorized by the Institution in this Agreement and the Principal Agreement.
- Lawfulness of Processing: Ensure that all personal data provided to the Data Processor for processing has been collected and processed in accordance with applicable data protection laws, including obtaining any necessary consents.
- Instructions: Provide clear and documented instructions to the Data Processor regarding the scope, purposes, and manner in which personal data is to be processed.
- Security Measures: Implement appropriate technical and organizational measures to ensure the secure processing of personal data, in collaboration with the Data Processor.
- Data Subject Rights: Facilitate the exercise of data subject rights under applicable data protection laws, including but not limited to the right to access, rectify, erase, or port personal data.
- Notification of Breach: Notify the Data Processor without undue delay upon becoming aware of any data breach affecting the personal data processed under this Agreement.
- Audits and Inspections: Reserve the right to conduct audits and inspections of the Data Processor's data processing activities to ensure compliance with this Agreement and applicable data protection laws.
- Sub-Processors: Approve or object to the Data Processor's use of sub-processors in accordance with the terms set forth in this Agreement.
- Data Protection Impact Assessment: Conduct any required Data Protection Impact Assessments (DPIAs) related to the services provided by the Data Processor, and consult with the Data Processor where necessary.
- Data Separation and Access Control: Ensure data separation based on Institution requirements and control access to specific data, in collaboration with the Data Processor.
2.1.A.F Obligations of the Data Processor
- The Data Processor, StudentPulse, shall have the following obligations:
- Anonymity and Data Minimization: The Data Processor shall collect student feedback 100% anonymously. No cookies, IP addresses, or similar identifiers shall be collected from students. When students request help, their personal details are not stored or logged; they are forwarded through the Data Processor's integration and deleted immediately.
- Security Measures: The Data Processor shall implement appropriate technical and organizational measures to ensure the secure processing of personal data.
- Data Breach Handling: In the event of a data breach, the Data Processor shall notify the Data Controller without undue delay, outlining the nature of the breach, the data affected, and the corrective actions taken.
- Use of Sub-Processors: The Data Processor shall not engage any sub-processors for the processing of personal data without the prior written consent of the Data Controller.
- Data Retention and Deletion: The Data Processor shall retain personal data of platform users only for the duration necessary to fulfill the purposes outlined in this Agreement and the Principal Agreement. All data shall be deleted in accordance with legal requirements and the Data Controller's instructions.
- Audits and Compliance: The Data Processor shall permit the Data Controller to conduct audits and inspections to ensure compliance with this Agreement and applicable data protection laws.
- Assistance to Data Controller: The Data Processor shall assist the Data Controller in facilitating the exercise of data subject rights under applicable data protection laws, including but not limited to the right to access, rectify, erase, or port personal data.
- Employee Data Security: The Data Processor shall take special care in securing the personal data of employees who have access to the platform, in accordance with best practices and legal requirements.
2.1.A.G Data Subject Rights
- Access to Data: Institution users such as teachers and counselors have the right to access the platform to view the data collected about them.
- Data Deletion: All personal data about users in the platform will be deleted 6 months after the termination of the Principal Agreement.
- Data Subject Requests: Any requests for data deletion must be directed to the Data Processor's Data Protection Officer at [email protected]. The Data Processor will consult with the Data Controller before taking any action on such requests.
- Institutional Obligations: The Data Processor acknowledges an obligation to consult the Data Controller before deleting any data to ensure compliance with legal or contractual requirements.
- Student Data: As student data is collected anonymously, there is generally no need for deletion requests. However, if students accidentally include personal data, they can refer to the student section of the Data Processor's legal website to contact the Data Protection Officer for deletion.
- Information on Rights: Data subjects are informed of their rights through the Privacy Policy available at legal.studentpulse.io. Additionally, students are informed about the Privacy Policy at the first page of the check-in.
2.1.A.H Security Measures
Physical and Environmental Security
- Access to StudentPulse's physical assets, including IT equipment, is strictly limited to employees and a select group of individuals related to maintenance and cleaning. This ensures a controlled environment to prevent unauthorized access.
- Each authorized individual is issued an electronic key embedded with an RFiD chip that is paired with their name and personal information, enhancing the security of physical access.
- The premises are monitored by CCTV cameras, and a security guard is on duty 24/7, providing an additional layer of security against unauthorized access, damage, and interference.
- All data assets are securely stored in cloud data centers located in Frankfurt, Germany, ensuring that no sensitive information is stored locally and is protected against loss, damage, or theft.
Access Control
- Access control measures are in place to revoke both physical and digital access immediately upon the termination of an employee's contract, minimizing the risk of unauthorized access.
- A role-based digital access management system ensures that employees only have access to information and systems that are relevant to their specific job functions.
- All systems are equipped with logging capabilities that track individual usage, thereby making it possible to monitor and identify any unauthorized or inappropriate access to information.
Data Transmission & Storage
- StudentPulse utilizes Amazon Web Services (AWS) for hosting its infrastructure. AWS's security best practices checklist guides the development and maintenance of our systems, ensuring robust security measures.
- Our data storage centers are located within the European Union and hold ISO 27001 and ISO 20000 certifications, offering an additional assurance that your data is handled with the utmost security.
Backup & Restoring
- All critical data is backed up at least once every 24 hours, and most data is backed up continuously as changes occur, safeguarding against data loss.
- Company policy dictates that no files are to be stored physically on local drives, reducing both security risks and the risk of data loss.
Logging
- All systems have extensive logging functions that record events such as data creation, updating, and deletion, providing a transparent and traceable record of activities.
Encryption
- All data at rest in our main systems, including StudentPulse.io, G-suite, and Slack, is encrypted using at least 128-bit AES encryption, ensuring the confidentiality and integrity of the data.
Control Activities
- Security audits are conducted twice a year to test both digital and physical compliance, ensuring that our security measures are up-to-date and effective.
- All new employees undergo comprehensive training in data security and management as part of their onboarding process.
- For any data protection concerns, our Data Protection Officer can be reached at [email protected], ensuring a direct line for data protection inquiries.
Vulnerability Prevention
- Security audits are outsourced to a third-party provider, Qualys, which conducts checks once every 12 months. Qualys provides reports on potential vulnerabilities but does not have access to your data, maintaining confidentiality.
2.1.A.I Sub-processors
General Provisions
This section outlines the sub-processors specifically used for the processing of personal data. For details on the types of personal and anonymous data processed, please refer to Section 4 of this Data Processing Agreement.
Sub-processors for Personal Data
Amazon Web Services (AWS)
Data Location: Within the EU (Frankfurt)
Purpose: Hosting and secure storage of personal data.
Compliance: GDPR-compliant
DPA with StudentPulse: AWS Data Processing Agreement
Mailersend (Optional)
Data Location: Ireland
Purpose: Optionally used for sending emails related to 1:1 student support requests.
Compliance: GDPR-compliant
More Info: Mailersend GDPR Compliance / DPA
Microsoft Teams (Optional)
Data Location: Ireland
Purpose: Optionally used for sending student support requests directly to a Microsoft Teams channel managed by the client.
Compliance: GDPR-compliant
Note: If you choose to use Microsoft Teams, please include this within your DPA for your Microsoft Partnership.
2.1.A.J Data Transfers
- StudentPulse does not engage in cross-border data transfers of personal data outside the European Economic Area (EEA). All data is stored and processed within data centers located in the EU, in compliance with GDPR regulations.
2.1.A.K Notification of Personal Data Breach
General Obligations
- This section outlines the procedures and responsibilities of both parties in the event of a personal data breach.
Reporting to Supervisory Authority
- The Data Controller has the obligation to report any personal data breaches to the supervisory authority (Danish Data Protection Agency) without undue delay and, if possible, within 72 hours of discovering the breach, unless it is unlikely to result in a risk to the rights and freedoms of natural persons.
Communication to Data Subject
- The Data Controller is obligated to communicate the personal data breach to the data subject without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons.
Data Protection Impact Assessment
- The Data Controller is obligated to carry out a data protection impact assessment if a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.
Consultation with Supervisory Authority
- The Data Controller is obligated to consult with the supervisory authority (Danish Data Protection Agency) prior to processing if a data protection impact assessment indicates that the processing will lead to a high risk in the absence of measures taken to mitigate the risk.
Notification by Data Processor
- Upon discovering a personal data breach at the Data Processor’s or a sub-processor’s facilities, the Data Processor shall notify the Data Controller without undue delay. This notification should, if possible, occur within 24 hours to enable the Data Controller to comply with their reporting obligations to the supervisory authority within 72 hours.
Assistance by Data Processor
- In accordance with this Data Processing Agreement, the Data Processor shall assist the Data Controller in reporting the breach to the supervisory authority. This assistance may include providing information on:
- The nature of the personal data breach
- The probable consequences of the personal data breach
- Measures taken or proposed to manage the personal data breach
2.1.A.L Audits and Inspections
- The Data Controller reserves the right to conduct audits to verify the Data Processor's compliance with this Data Processing Agreement and all applicable laws and regulations. Such audits may include the examination of records, systems, and procedures related to the processing of personal data.
- The Data Controller shall provide reasonable notice to the Data Processor before conducting any audit. The Data Processor shall facilitate such audits within a mutually agreed timeframe.
- If the Data Controller chooses to use a third-party auditor, the auditor must be mutually agreed upon by both parties.
- All findings, reports, and information obtained during the audit shall be considered confidential and shall not be disclosed to third parties without the written consent of both parties.
- The Data Controller shall bear all costs associated with the audit.
2.1.A.M Duration and Termination
- This Data Processing Agreement shall remain in effect for the duration of the Principal Agreement between the Data Controller and the Data Processor, unless terminated by either party in accordance with the terms herein.
- The Agreement may be terminated by mutual written agreement between both parties or if either party is in material breach of its obligations and fails to remedy such breach within a reasonable period after receiving written notice.
- Upon termination, the Data Processor shall either return all personal data to the Data Controller or securely destroy all copies, as directed by the Data Controller, unless legal obligations require the retention of the data.
- Each party shall bear its own costs associated with the termination of this Agreement.
2.1.A.N Liabilities and Indemnities
- Data Breaches: The Data Processor commits to implementing appropriate security measures in compliance with GDPR. In the event of a data breach, the Data Processor will notify the Data Controller and the relevant supervisory authority within 72 hours. Liability for breaches will be assessed based on the Data Processor's adherence to legal security standards.
- Misuse of Data: The Data Processor will use personal data solely for the purposes explicitly stated in this DPA and in alignment with GDPR. Liability for misuse of data will be limited to instances where the Data Processor intentionally deviates from the terms of this DPA and GDPR regulations.
- Third-Party Actions: The Data Processor will ensure that all third-party services used for data processing are GDPR compliant. Liability for third-party actions will be limited to cases where the Data Processor has failed to conduct due diligence in confirming GDPR compliance.
- Regulatory Compliance: The Data Processor will adhere to all GDPR regulations. Failure to comply due to factors beyond the Data Processor's control will not result in liability. However, intentional non-compliance or negligence may subject the Data Processor to fines and legal action.
- Limitation of Duty of Care: The Data Processor's platform is not a substitute for professional medical or psychological care. While the Data Processor does not have a "duty of care" to intervene in severe mental health issues, it will adhere to the terms of this DPA and GDPR in handling sensitive data. Liability in such contexts will be limited to cases of intentional misconduct or gross negligence.
2.1.A.O Miscellaneous
Privacy Policies: This Data Processing Agreement should be read in conjunction with the following privacy policies, which provide further details on how personal data is collected, processed, and stored:
For Institutions: legal.studentpulse.io
For Students: legal.studentpulse.io