Terms of Service

 

MiniPD is a product made available by ManageBac LLC, and throughout the document references will be made to both MiniPD and ManageBac and this relationship is defined in section 1.1 below..

All services and facilities provided through it are provided subject to the following terms and conditions. The Terms of Service, Terms of Use, Privacy Policy, Service Level Agreement and EU-US Privacy Shield notice and other documents published on the https://www.faria.org/minipd/terms page on each of the Websites (the “Terms and Policies”) govern your use of each website. We limit our liability to you in our Disclaimer at paragraph 1.5 and elsewhere below.

A copy of the Terms & Policies is available for download here.

1. Preliminary

1.1 Definitions

MiniPD is a brand within ManageBac LLC 548 Market St. #40438, San Francisco, CA 94104 USA and its subsidiaries, affiliates, successors or assigns “ManageBac”, “we,” “us,” or “our,” the operators of the Website.

“Member” refers to an individual authorised to use the Website and/or the Service by a School or as an individual, whether a member of staff of a School, a User, or a Student.

“Membership” means an individual’s licence (User) to access our service and associated login information (such as a login email and password), as authorised.

“Service” refers to the services provided through any of our Websites.

“School” refers to a school, school district, or institution, which are one of the primary account subscribers to the Service.

“User(s)” means a user invited to use the Service by a School or as an Individual for their own purpose and for this agreement the term “User” and “School” have the same meaning for End User liabilities and may be inter-changeable throughout the document.

“Websites” means our websites at minipd.com, managebac.com, openapply.com, onatlas.com, rubiconatlas.org, schoolsbuddy.net, the SchoolsBuddy iOS app, the SchoolsBuddy android app, SchoolsBuddy Asia (iOS and Android), clubsbuddy.net, commsbuddy.net, pamojaeducation.com and oxfordstudycourses.com. Use of the term “Website” below means the one or more of our Websites, those which you are a User/Member, and/or use and access.

1.2 Terms. These Terms of Service should be read as a whole with the other Terms and Policies, and provide the exclusive terms of the relationship between ManageBac and (1) Schools, (2) Members, (3) Users other users of the Website, and (4) any other users. With the exception of a valid signed written agreement between a School and ManageBac, nothing outside the terms published in our Terms and Policies shall constitute part of any agreement between ManageBac and you relating to your use of the Service. Any previous version of these Terms and Policies is superseded by these Terms and Policies. These Terms and Policies govern any Scope of Services Agreement signed between the School and ManageBac.

1.3 Subject to Change. We reserve the right to update and change our Terms of Service on 14 days’ notice. Any new features that augment, enhance, or change the current Service, including the release of new tools and resources, shall be subject to our Terms of Service. Continued use of the Service after any such changes shall constitute consent to such changes. Our current version of the Terms of Service is available at the Terms and Policies page of our respective Websites.

1.4 Violations. Violation of any of these terms by you may result in the termination of (1) your account and/or denial of your ability to access the Websites without notice, and/or (2) the account of the School on 14 days’ notice in writing. ManageBac reserves the right to bar use of the Service by any person or entity that has violated the Terms of Service at any time.

1.5 Disclaimers. To the full extent permitted by law, you agree to use the Service on an “as is” basis and understand that ManageBac is not responsible for prohibiting or regulating in any way any information or data provided or transmitted by the Website (“Content“), or provided or transmitted by you or any other person. You confirm and agree that ManageBac shall not be liable for any direct, indirect, incidental, special, consequential or exemplary damages, including but not limited to, damages for loss of profits, goodwill, use, data or other intangible losses. This is regardless of whether ManageBac has been advised of the possibility of such damages, whether or not resulting from: (i) the use or the inability to use the Service; (ii) the unauthorized access to or alteration of your transmissions or data; (iii) statements or conduct of any third party on the Service; (iv) termination of your account; and/or (v) any other matter relating to the Service.

1.6 ManageBac does not warrant that the Service will meet your specific requirements or that the Service will be uninterrupted or error-free. We shall not be liable for and make no warranties in relation to the Website or its functionality, Content or capabilities of the Website, to the fullest extent that such liabilities can be excluded by law.

1.7 Content. We provide all information on our Website free of any access charge other than our charges to Schools. The information provided on our Website is provided on the basis that we accept no liability for any of the information published.

1.8 All Users shall:

1. Ensure that information contained in anything uploaded to ManageBac is accurate and does not breach any third parties’ rights including trade mark, database right, copyright or other intellectual property rights nor is libelous, obscene, menacing, threatening, radicalising, bullying, offensive, abusive, fraudulent, pornographic, criminal nor infringes the rights of other people such as privacy rights or is in any way illegal or unlawful;
2. Verify the accuracy of any information before sending it to us; and

iii. Ensure that information provided on the Website complies with all applicable laws and, by posting information, agrees to indemnify us in full on request and continue to indemnify us on request against any claim or liability arising in connection therewith.

1.9 ManageBac reserves the right to reject any information published to the Website without notice.

1.10 Any views expressed in messaging facilities after you login are not those of ManageBac.

1.11 We make no statement and provide no warranty that Content is accurate, up to date or complete and we accept no liability for any loss or damage caused by anything inaccurate or misleading which without limitation, may contain statistical data which may have inaccuracies or errors. If you find that information on the Website is not accurate, please inform your School in the first instance to have information corrected.

1.12 Nothing in these terms and conditions shall exclude or limit our liability for fraud, personal injury or death caused by our negligence, or for any other liability which cannot be excluded or limited under the laws of State of Delaware or under English law (as per clause 9.5 below). Other than the foregoing, all warranties, guarantees or benefits implied or provided by law are excluded to the fullest extent possible and with an absolute limitation of liability capped at the value of the School’s annual subscription fees.

1.13 If any agreements or arrangements are made by you with any third party as a result of your use of the Website, they are and remain entirely at your own risk.

1.14 Security. You will ensure at all times that (1) you do not share your designated password with any other person, (2) you maintain active and effective security measures to protect the integrity and security of your and our computer systems. You will be responsible for loss and damage suffered by us where any third party abuses the services using your login details and/or computing environment, including hardware and software.

1.15 Privacy. The privacy of information submitted to or transmitted through the service is governed by our Privacy Policy, which is published at each of our Websites. 

1. Where the user is a School, they are responsible for having and communicating a data privacy policy for staff.

 

1.16 All disputes between the parties arising out of or relating to these terms or the breach, termination or validity thereof shall be referred by either party in writing, first to each party’s representative. The representatives shall meet and attempt to resolve the dispute within a period of thirty (30) working days from the date of referral of the dispute to them.

2. Services

2.1 Each of our Websites describes the Services which are available. For more information please refer to the specific Website for details of the services available.

2.2 Generally speaking, our services revolve around providing Users with online access to professional learning content and activities.

4. Payment Terms

4.1 The Service is provided on an annual basis. Schools are invoiced in advance on an annual basis for use of the Service, and Schools shall make payment to ManageBac net 30 days from the invoice date. The payments are in consideration of the creation, deletion, modification and maintenance of users, and the license to use the Service. ManageBac will not pay any refund or credit if the School terminates or suspends use of the Service before the end of any prepaid period. Each payment is non-refundable.

4.2 Accounts are automatically renewed for successive periods equal to the Initial Term, (each a “Renewal Term”) as detailed in the Scope of Services Agreement, SOW, Services Agreement or Framework Agreement. In the absence of a signed agreement detailing the Initial Term, accounts are automatically renewed on an annual basis on the anniversary of the services start date as detailed on our invoice. Notice of termination must be received in writing 45 days in advance of the end of the then current term in order to terminate at the end of the current term. For the avoidance of doubt, the current term is the Initial Term, or any subsequent Renewal Term which has started.

4.4 Users are solely responsible for any and all duties, taxes, levies or fees (including any sales, use or withholding taxes) imposed on or in connection with payment for Services provided by ManageBac.

4.5 Without prejudice to any other rights or remedy that it may have, if the User fails to pay ManageBac on the due date for payment of any undisputed invoice, ManageBac may:

1. suspend all Services until payment has been made in full; and/or
2. charge interest on any delinquent amounts owed by Users to ManageBac from the due date at a rate equal to the lesser of i) two (2%) per month or ii) the maximum legal interest rate chargeable per month until payment is made, whether before or after any judgment.

4.6 For any multi-year discount to be enjoyed, 2-year or 3-year Annual Services Fee payments must be received in full on or before the Commence Date of Services.

4.7  For individual MiniPD users, payment is due at time of purchase of content, or booking of a coaching session.  

4.8 Any Non-Recurring Prepayment for MiniPD services, as set out in the Pricing Schedule, will be invoiced before each Year in which the services will be performed, and must be paid before the prepaid amount is available to be used in the MiniPD platform.

4.9 Any Non-Recurring Services are valid for one year, and expire at the end of the Year specified in the Pricing Schedule.

4.10 The pricing structure for Annual Service Fees for Recurring Services is based on total faculty numbers. The School is requested to provide the current number of faculty on an annual basis in order to calculate the fees for the following year. ManageBac reserves the right to increase the price of Annual Service Fees each year, however any increase that is due to changes to pricing, and not related to student enrolment numbers, will be limited to 5% or less per annum. Where multi-year payments of 2-year or 3-year Annual Service Fees have been received in full, on or before the Services Start Date, any changes to Services’ pricing structure will not be applied during this 2-year or 3-year period, as applicable.

5. Cancellation and Termination

5.1 It is your sole responsibility to notify us that you wish to cancel your account. This can be done by emailing us at [email protected] with the subject line “Cancellation Request”. We will require written and telephone confirmation of a cancellation request from a User as this will affect the accounts of all Users associated with an Individual User or School.

5.2 All Content associated with the School and its Users will be unavailable to Users from the time we are instructed to process the cancellation request. As a convenience, we can continue to make the Content available for a period after cancellation of up to 3 months. All Content associated with Users, including (and not limited to) all Content related to the School, data related to Students, contact information, database records will be irrecoverably deleted within 18 months of notification of termination of the Service by the School.

5.3 Subject to 4.3 above, where the User cancels the Service more than forty-five (45) days before the end of the then current term and full payment has been received, the cancellation may take on any date before the end of the then current term, as requested by the User in writing, and the User will not incur any further charge.

5.4 We may terminate the Service to a User upon 180 days’ notice in writing for our own convenience.

5.5 Violation of these Terms of Use. Schools are responsible for the use of the Service by employees. Misuse of the Service, by any individual, may result in permanent and/or temporary suspension or termination of the School’s account (at ManageBac’s sole discretion) without notice if problems are not addressed to the satisfaction of ManageBac.

5.6 ManageBac reserves the right to refuse the Service to anyone in its own unfettered discretion.

5.7 In case of termination for any reason, ManageBac shall either (i) return all content, data etc in a readable (PDF or Excel) format or (ii) provide the School with the features to do so themselves, provided that ManageBac shall not be required to return or delete all or part of the content, data, etc that it is legally permitted to retain.

6. Modifications to the Service and Prices

6.1 Prices of all plans, including but not limited to annual subscription fees to the Service, are subject to change without notice.

6.2 ManageBac shall not be liable to you or to any third party as a result of any modification, price change, suspension or discontinuance of the Service, loss of data, or any consequence thereof whatsoever.

7. Copyright and Content Ownership

7.1 Unless otherwise stated below, ManageBac owns all intellectual property rights vesting in the Website.

7.2 ManageBac owns the intellectual property rights to all content commissioned for use in the MiniPD platform or in any affiliate product family, wherever so used.

7.3 ManageBac does not claim intellectual property rights to content published by individual coaches in the MiniPD platform or in any affiliate product family and offers no liability or  indemnity for their use. 

7.4  Individual coaches are solely responsible for ensuring that they own the copyright for content published by them in the MiniPD platform or in any affiliate product family.  ManageBac reserves the right to remove content published by coaches that is deemed inappropriate, that is plagiarized, or found offensive by members of the ManageBac or MiniPD Learning Community. 

7.5 Any hypertext links to other sites, which appear on the Website are operated by third parties and use of such a link means you are leaving the Website. We are not responsible for, and give no warranties, guarantees or representations in respect of linked sites or information upon them.

7.6 “ManageBac”, “OpenApply”, “Atlas”, “AtlasNext”, “SchoolsBuddy”, “ClubsBuddy”, “CommsBuddy”, “SummerStart”, “BookJetty”, “Pamoja Education”, “Oxford Study Courses”, “Pamoja Online Courses” “Pamoja Lesson Suite” and “MiniPD” and our logos are trade names of Faria Education Group Ltd. You may not use these names or similar variants without our written consent.

8. Indemnification

8.1  To the maximum extent permitted by law, the School and Users jointly and severally agree to hold harmless and indemnify ManageBac, and its parent companies, subsidiaries, affiliates, officers, agents, and employees from and against any third party claims arising from or in any way related to use of the Service or Website, including any liability or expense arising from all claims, losses, damages (actual and consequential), suits, judgments, litigation costs and attorneys’ fees, of every kind and nature. In such a case, ManageBac will provide the School and Users with written notice of such claim, suit or action.

9. General Conditions

9.1 You may not assign or transfer your rights or licences granted under this Agreement. ManageBac may assign, sub-contract or sub-let this Agreement or any part thereof.

9.2 In the event that any (or any part) of these terms, conditions or provisions shall be declared invalid, unlawful or unenforceable such terms (or parts), conditions or provisions shall be severed. The remaining terms (or parts), conditions or provisions shall continue to be valid and enforceable to the fullest extent permitted by law.

9.3 You understand that the technical processing and transmission of the Service, including Content, may occur in an unencrypted form if SSL is not enabled on your computer, and result in transmissions over the Internet, which may be intercepted by others. Loss of SSL may also result from changes in transmissions between networks to conform and adapt to technical requirements of connecting networks or devices. Please look for the SSL notification in the address bar of your browser to ensure that SSL is active during your session.

9.4 If the bandwidth associated with a School exceeds 200 GB in a single month, or significantly exceeds the expected bandwidth allocation for the number of Users associated with the School (as notified by ManageBac (from time to time), we reserve the right to (1) cap file or image hosting until the School reduces its bandwidth consumption, and/or (2) raise further invoices for your additional bandwidth requirements.

9.5  These Terms of Service will be governed by and construed in accordance with (i) the laws of the State of Delaware, without giving effect to its conflict of laws provisions if you are resident in USA or Canada, or (ii) English law if you are resident in the European Economic Area or elsewhere. Non-contractual claims shall be governed by the same system of law. Any claims, legal proceedings or litigation arising in connection with the Service will be brought solely in Wilmington, Delaware, and you irrevocably submit to the jurisdiction of its Courts.

10. Questions & Contact Information

Any questions about this Terms of Service agreement should be addressed to [email protected]; or by mail to:

ManageBac, LLC.

548 Market St. #40438,

San Francisco,

CA 94104 USA;

+1 866 297 7022.

MiniPD Refund Policy

Coaching Session Refund Policy

We will offer a 100% refund if you meet one of the following conditions:

• If your coaching session request is declined by the coach, or expires (not confirmed by the coach in time), 
• If your coaching session is confirmed but later cancelled by the coach, 
• If your coaching session is confirmed but later cancelled by you, prior to 120 minutes from the session start time. 

In the event of you cancelling the coaching session within 120 minutes of the scheduled start time, the prepaid fee for the coaching session will not be refunded.

All refunds will be made directly back to the original method of payment.

Course Purchase Refund Policy

All course purchases are final, and no refund is available for course purchases.

Terms of Use

Use of this website ManageBac.com and all authorized services and facilities provided through it or in relation to it by any User, School or other institution shall be according to our Terms and Policies. 

1. Preliminary

1.1.These Terms of Use are intended to be read as a whole with the other documents published at https://www.managebac.com/terms. Terms used below are defined in our Terms of Service.

1.2.To use the Service you must:

1. be at least 13 years of age;

b.Provide your legal full name, a valid email address, and any other information requested in order to complete the account registration process, and keep them up to date if your circumstances change.

1. Maintain the security of your account and password;
2. Observe proper security practices on your local computer and/or devices used to access the Service, including using up to date virus protection and a firewall, and other reasonable security measures as may be reasonable in the circumstances which you access the Service. We are not liable for any loss or damage resulting from your failure to comply with your security obligations.
3. Be a human, please. Accounts registered by “bots” or screen scrapers and/or other automated means are not permitted and access will be terminated without notice.

1.3. One person may not have more than one membership.

1.4. You may not use the Service for any illegal or unauthorized purpose. See our Terms of Service for more information.

2. Cancellation and Termination

2.1.You as a User or your School may at any time cancel your access to this Website. When your access is cancelled, all of your Content and personal information will be deleted from our Service within 18 months.

2.2. Your School may at any time cancel its account with us, and we may cancel your School’s account with 180 days’ notice. In the event your School’s account is cancelled for any reason, your content will be deleted without notice to you. Please make sure you keep copies of all of the information published to the Website relating to you, whether or not you upload it yourself.

3. Questions & Contact Information

Any questions about this Terms of Use agreement should be addressed to [email protected] or by mail to:

ManageBac, LLC

548 Market St. #40438,

San Francisco,

CA 94104 USA.

+1 866 297 7022

Global Privacy Notice

 

As a leading provider of integrated education systems, the privacy and security of individuals about whom we process personal data is critical to us. This Global Privacy Notice (“notice”) explains how we manage and protect your personal data (referred to as “data”) when you visit our website (“Visitor”) or use our learning platform services either as a representative of a School to which we provide services (“School User”) or a User which uses our services (a “Service User”). If you are a Service User, for the majority of personal data we process about you, we are a processor and therefore act on behalf of you or your  school and as directed by them. If you are associated with a School we recommend that you review your school’s privacy notice to understand how your school manages your personal data.

This notice tells you who we are, what data about you we collect in connection with our website and services, and what we do with it.

To learn more about our approach to privacy law compliance and data security more broadly, please visit our GDPR page here.

Who are we?

ManageBac LLC (“ManageBac”, “we, “us”) is part of Faria Education Group. ManageBac is a Curriculum First Learning Platform for the world’s leading international schools. Founded in 2006, we serve over 700,000 students and 2,600 schools in 120 countries providing integrated systems to enhance efficiency in schools. We are responsible for managing your data in connection with our services.

Details of how to contact us can be found below at Who should you contact with questions?

What data about you do we collect?

We use various types of data about you for purposes connected with the management of our website or the delivery of our learning platform services.

Visitor

We may collect and process the following information about you in order to:

• provide you with our website or services
  We will collect and process the information you provide to us if you register for a demonstration, trial account, blog or webinar, which includes your name, email address, phone number, school name, information regarding the curriculums your school offers and other information collected to provide the website or services. We will also process your name and email address to send you email messages about our newsletters, product updates and other marketing materials. We will only send you such email messages as permitted under applicable law and in line with your marketing preferences which you can update at any time as described below.
• We will collect information through cookies, including analytics information about your use of our website and information about your device, internet connection, browser, location, page and search terms used, etc. Learn more about how we use cookies and similar technologies in our cookies policy
• Process a job application which you submit to us. We will collect and process any personal data you provide in your CV / resume and cover letter.

School User

We may collect and process the following information in order to provide your school with our learning platform services:

• your name, title, business telephone number, details about the school you represent, details about your position at the school (e.g., subjects you teach or how long you have worked at the school) and e-mail address used during our registration process in order to communicate with you in relation to the provision of learning platform services to your school.
• responses to our surveys you choose to take.
• your email address to send email marketing to you, including our newsletters and updates as permitted under applicable law and in line with your preferences.
• details of your interactions with us when you contact us with enquiries through our online customer support, or via telephone or email.

Service User

We may collect and process the following information:

• information captured in your student account, provided by you or your parents including information such as your name, email address, nationality, date and place of birth, gender, language, national ID, and parents’ names and contact details, in order to conduct statistical analyses for our own reporting.
• email address in order to request survey responses or feedback from you in relation to future product developments and educational plans.
• feedback and responses to our surveys you choose to take.
• details of your interactions with us when you contact us with enquiries through our customer support system online, or via telephone or email.

For what purposes do we use data about you, and on what legal basis?

Throughout your use of our website and/or our provision of services to you or a school, we use data about you for various purposes.

The purposes for which we use data about you, with corresponding legal basis for use, are set out below:

Visitors

Purpose	Legal basis for processing
Management of our website e.g. site maintenance and analytics of website usage (which will include the sharing of data with Google Analytics).	It is our legitimate business interest to manage and develop our website.
Fulfilment of online services e.g. registering for a demonstration, webinar, blog or trial account.	We process your data in order to provide you with the online service which you have requested. Our processing is based on your consent.
Marketing e.g. to send you marketing emails relating to product updates and other services we think you may be interested in	We either rely on your consent or our legitimate business interest to send email marketing to you depending on how we collected your personal data and the nature of our relationship. Any email marketing will only be sent to you as permitted by applicable law and in accordance with your preferences which you can update at any time as described below.
Legal & regulatory compliance and compliance with law enforcement requests	In some instances, we will be required by law to process your personal data and share it with law enforcement or other government or regulatory bodies. We may also choose to do so in other circumstances, in accordance with our legitimate interests.
Processing a job application e.g. if you apply for a job or position via our website	If you decide to apply for a job with us, we will process your personal data on the basis of our legitimate interests in order to ascertain your suitability for the job.

 

School Users

Purpose	Legal basis for processing
Customer support activities e.g. interacting with you via our online customer support or by phone, e-mail	It is our legitimate business interest to provide customer support to School Users in order to provide the learning platform services to schools.
Provision and management of learning platform services to school e.g. managing requests, curriculum standards, managing user accounts, submitting a PO, handling invoices, etc.	It is our legitimate business interest to provide and manage the learning platform services we provide to schools.
Marketing e.g. to send you marketing emails relating to product updates other services we think you may be interested in	We either rely on your consent or our legitimate business interest to send email marketing to you depending on how we collected your personal data and the nature of our relationship. Any email marketing will only be sent to you as permitted by applicable law and in accordance with your preferences which you can update at any time as described below.
Sharing data with other third parties Please see “Who do we share data with and for what purpose?” below.	It is our legitimate business interest to share data with third parties to assist with the purposes described below.
Legal and regulatory compliance and compliance with law enforcement requests	In some instances, we will be required by law to process your personal data and share it with law enforcement or other government or regulatory bodies. We may also choose to do so in other circumstances, in accordance with our legitimate interests.

 

Service Users

Purpose	Legal basis for processing
Conducting statistical analyses for reporting e.g. to conduct data analyses that enables us to improve and develop our services	It is our legitimate business interest to improve our learning platform services through the use of statistical analyses and reporting.
Customer support activities e.g. interacting with you via our online customer support or by phone or e-mail	It is our legitimate business interest to provide customer support to Service Users.
Feedback and surveys e.g. to request survey responses or feedback from you in relation to future product developments and educational plans	It is our legitimate business interest to gather feedback and survey results to improve user experience and develop improved services. We store this data in anonymised form.
Sharing data with other third parties Please see “Who do we share data with and for what purpose?” below.	It is our legitimate business interest to share data with third parties to assist with the purposes described above
Legal & regulatory compliance and compliance with law enforcement requests	In some instances, we will be required by law to process your personal data and share it with law enforcement or other government or regulatory bodies. We may also choose to do so in other circumstances, in accordance with our legitimate interests.

Please note that we do not process any special category data about you (e.g., information of race or ethnicity) for our own purposes. You may be requested to provide such information by your school which may be passed to us for processing but we do not use it for any other purpose.

In some instances, we may use personal data about you in ways that are not described above. Where this is the case, we will provide a supplemental privacy notice that explains such us and consent if required. You should read any supplemental notice in conjunction with this notice.

 Who do we share your data with, and for what purposes?

We share data across our Group for various purposes such as:

• Customer support activities (e.g. our online support or contacting us via our e-mail or telephone) may be undertaken by our offices in China, Taiwan, UK, Canada or the US depending on your school’s location and the time of the day of your inquiry. Schools in India will be supported primarily by our representatives in India, or in other offices outside of China, depending on the time of inquiry.
• Management of learning platform services (e.g. bulk process requests, importing curriculum standards, importing users) will be processed in the United States of America, United Kingdom, China, Taiwan or Ukraine. Schools in India will be supported primarily by our team members in India, or in other offices outside of China, depending on the time of inquiry.
• Billing inquiries (e.g. submitting a PO, handling invoices, etc.) will be processed by our offices in the United Kingdom, Hong Kong and Taiwan. Schools in India will be supported in India, or by other teams outside of China.
• System usage and platform hosting is provided from our offices in Canada (unless you are based in China or the USA in which case it will be done in the country in which you are based).

 

Sharing data with third parties

• If you are a Service User, we will share data with education partners as instructed to do so by your school such as exam awarding bodies for exam registration, moderation and coursework submission or integration partners, such as other school systems providers, as instructed by your school.
• We may share data about you with our third-party service providers, such as IT providers or customer support services. A list of our Subprocessors can be found here
• We may share anonymised data, feedback and survey results with third-party service providers, such as other school systems for research purposes.
• We may share data about you with other third parties, where required or permitted by law, for example: regulatory authorities; government departments; in response to a request from law enforcement authorities or other government officials;
• We may share data when we consider disclosure to be necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal purpose; and
• We may share data in the context of organisational restructuring

If you would like to learn more about the parties with which we share data, please contact us using the details below at Who should you contact with questions.

Where might your data be processed?

As with any multinational organisation, and as a result of the global nature of our services, we are often required to transfer data internationally as described above. Accordingly, data about you may be transferred both within our Group and to third parties internationally.

These countries may not have the equivalent data protection standards to the country in which you provided your data. We will ensure that we implement appropriate data transfer mechanisms to protect your personal data. If data is transferred outside the EU, we will only transfer such data on the basis of a European Commission adequacy decision, Binding Corporate Rules or, the EU Model Clauses (Standard Contractual Clauses).

If you would like to receive a copy of the information relating to the safeguards we put in place, please contact us using the details below at Who should you contact with questions?

How do we protect your data?

Faria Education Group is certified to the ISO27001:2022 standard and implements appropriate technical and organisational measures to protect personal data that we hold from unauthorised disclosure, use, alteration or destruction. Our standard protocols include:

Application security: traffic encryption, strongly hashed passwords, safeguards against vulnerabilities such as cross site scripting, SQL injections, phishing and others.

Network security: firewalls and systems to detect suspicious behaviour, stop malicious attempts to gain access, or compromise the resilience of the service (e.g. DDOS attacks).

Organisational security: access policies, audit logs and confidentiality agreements.

Physical security: preventing unauthorized access to infrastructure processing personal data.

Procedural security: IT management processes to minimize the risk of human errors, or testing regimes to identify software weaknesses before releasing new features to our cloud services, or policies to ensure data is only processed on instruction from our customers.

How long will data about you be kept?

The period for which we may retain data about you will depend on the purposes for which the data was collected, whether you have requested the deletion of the data, and whether any legal obligations require the retention of the data (for example, for regulatory compliance).

We will not retain data about you for longer than is necessary to fulfil the purposes for which the data was collected.

What rights do you have over your data?

Depending on where you are resident, you may have some or all of the following rights under applicable law in respect of data about you which we hold:

• request us to give you access to it, and have us provide you with a copy of any data we hold about you
• request us to rectify or update it
• request us to erase it in certain circumstances
• request us to restrict our using it, under certain circumstances
• object to our using it, in certain circumstances
• withdraw your consent to our using it, where our processing is based on consent
• data portability, in certain circumstances
• opt out from using it for email marketing. You may opt out by clicking on the unsubscribe link in the email marketing messages we send you or by contacting us as set out below and we will always comply with this request; and
• lodge a complaint with the supervisory authority in your country (if there is one).

 

You can exercise these rights, or learn more about them, by contacting us using the details below at Who should you contact with questions?

We may be required to confirm your identity before we action any request from you in connection with your data. This may involve asking you to provide identification documents.

Who should you contact with questions?

If you have any questions, or wish to exercise any of your rights, then you can contact our Data Protection Officer at [email protected].

If your country has a supervisory authority, you have a right to contact it with any questions or concerns. If we cannot resolve your questions or concerns, you also have the right to seek judicial remedy before a national court.

Changes to this notice

We may update this notice (and any supplemental privacy notice), from time to time as shown below. We will notify of the changes where required by applicable law to do so.

Last modified on 23rd March, 2021

GDPR Privacy & Data Protection Addendum

 

1. INTRODUCTION

“Data Protection Requirements”: as applicable: (i) the Data Protection Act 2018, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) or equivalent legislation, the Privacy and Electronic Communications (EC Directive) Regulations 2003, Directive 2002/58/EC of the European Parliament (the ePrivacy Directive) and all other applicable laws (including judgments of any relevant court of law) and regulations relating to the processing of personal data, data privacy, electronic communications, marketing and data security, in each case as amended, extended or re-enacted from time to time and all orders, regulations, statutes, instruments or other subordinate legislation made thereunder in any jurisdiction from time to time; and (ii) the guidelines, recommendations, best practice, opinions, directions, decisions, codes of practice and codes of conduct issued, adopted or approved by the European Commission, the European Data Protection Board, the UK’s Information Commissioner’s Office and/or any other supervisory authority or data protection authority from time to time in relation to the processing of personal data, data privacy, electronic communications, marketing and data security.   

“Cross-Border Processing” or “School Personal Data Transfers” means any communication, copying or transmission of School Personal Data to a Third Country.

“School Personal Data” means any personal data processed or transferred by the School to ManageBac in relation to the Services  Agreement and in connection with the Services.

“Third Country” means any country that is not in the European Union or which has not been recognised by the European Commission as providing an adequate level of protection for personal data under the Data Protection Requirements.

1.1. For the purpose of this Services Agreement, including this Privacy and Data Protection Annex, personal data and the terms process, data subject, data controller, controller, data processor, processor, subprocessor, personal data breach and supervisory authority shall have the meanings given to them in the applicable Data Protection Requirements.

1.2. The Parties acknowledge that the School is the data controller and ManageBac is the data processor of School Personal Data.

1.3. The School remains solely liable for upholding data subject’s rights in relation to the processing of such School Personal Data under the Services Agreement, specifically their rights of access, right to request rectification and/or erasure and if necessary the right to object to processing, and the School shall promptly notify ManageBac of any request relating to the same received from a data subject.

1.4. Each Party warrants that it shall comply with all of its obligations under the Data Protection Requirements which arise in connection with the Services, or either party’s performance of its obligations, and that it shall not, in respect of any School Personal Data processed, do any act or make any omission which puts the other party in breach of its obligations under the Data Processing Requirements.

1.5. The School shall ensure that it has all necessary consents from data subjects or that another legal basis is satisfied under the Data Protection Requirements in order for ManageBac’s processing of School Personal Data to comply with the Data Protection Requirements, including without limitation, processing for the purposes of providing international education systems for curriculum planning, assessment, reporting & admissions and related services for students, parents, schools and exam boards.

1.6. The School’s instructions relating to the processing of School Personal Data shall comply with the Data Protection Requirements and the Customer shall have the sole responsibility for the accuracy, quality, integrity, reliability and lawfulness of the School Personal Data;

1.7. The School shall promptly notify ManageBac if it becomes aware of any breaches of or other irregularities with the Data Protection Requirements.

2. MANAGEBAC’S OBLIGATIONS

2.1. General Obligations

2.1.1.  ManageBac shall process School Personal Data for the sole purpose of the provision of the Services to the School and any Users and shall act only in accordance with the commercially reasonable documented instructions of the School in respect of the processing of School Personal Data during the term of the Services  Agreement.

2.1.2.  ManageBac shall promptly notify the School if, in ManageBac’s opinion, the School’s documented data processing instructions breach the Data Protection Requirements, and ManageBac shall be entitled without penalty to suspend execution of the instructions concerned, until the School confirms such instructions in writing. Any notification by ManageBac under this clause should not be regarded as legal advice and ManageBac shall not be required to perform a legal assessment of the School’s instructions. The School shall seek its own legal advice on applicable Data Protection Requirements. If and to the extent ManageBac is unable to comply with any instruction received from the School, it shall promptly notify the School accordingly.

2.1.3.  The purpose of ManageBac’s processing School Personal Data is the performance of the Services pursuant to this Privacy and Data Protection Addendum. The categories of data subjects and the types of School Personal Data processed under this Addendum are set out in Appendix 1 (School Personal Data).

2.1.4.  ManageBac shall provide reasonable assistance to the School in order to ensure the School’s compliance with the Data Protection Requirements and/or in case of inspection by a supervisory authority taking into account the nature of the processing and the information available to ManageBac.

2.1.5.  ManageBac shall promptly respond to any request of the School concerning the processing of School Personal Data carried out by ManageBac, and provide the School with all reasonable information, so that the School is able to: (i) inform the data subjects and respond to their requests for access, objection, rectification, restriction or deletion of School Personal Data; and/or (ii) respond to any administrative formalities concerning the processing of such personal data to the supervisory authority; and/or (iii) comply with all requests of any administrative or judicial authority regarding the processing carried out under the Services Agreement.

2.1.6.  ManageBac shall promptly correct any errors or inaccuracies in the School Personal Data which are notified to it either by the School or a data subject, or shall provide a means for the data subject to self-correct any errors or inaccuracies within such personal data, to ensure that such School Personal Data is kept accurate and up to date.

2.1.7.  ManageBac shall provide reasonable assistance to the School in order to ensure its compliance with its obligations to maintain a record of all categories of School Personal Data processing activities. In particular, ManageBac shall record and make available such School Personal Data for a period of eighteen (18) months from the Services Agreement expiration or termination date, and shall ensure that the School Personal Data records are backed-up regularly throughout this period. Thereafter, ManageBac shall destroy all files containing School Personal Data, or return all such School Personal Data to the School, unless required to retain any or part of the School Personal Data by applicable law.

2.2. Security

2.2.1.  ManageBac shall implement appropriate technical and organisational security measures necessary for the processing of School Personal Data and Services to be performed under this Services Agreement to ensure the confidentiality and security of School Personal Data and, in particular, to prevent such School Personal Data from being distorted, damaged or communicated to unauthorized third-parties, and to protect the School Personal Data against any accidental or unlawful destruction, accidental loss, alteration, dissemination and/or unauthorized access, as well as against all unlawful forms of processing provided that, such measures shall ensure a level of security appropriate to the risks inherent in the processing and the nature of the School Personal Data to be protected.

2.2.2.  In case of a personal data breach involving School Personal Data, ManageBac shall:

(i) notify the School without delay after becoming aware of an actual personal data breach involving School Personal Data, and;

(ii) take steps to remedy such personal data breach involving School Personal Data as soon as possible so as to minimize the impact of any personal data breach to all relevant data subjects.

2.2.3.  Such notification must contain:

1. a)   A description of the nature of the personal data breach including:

• Categories of School Personal Data concerned;
• Approximate number of data subjects concerned;
• Categories of School Personal Data records concerned;
• Approximate number of School Personal Data records concerned, and;

1. b)   A description of the likely consequences of the personal data breach involving School Personal Data and;
2. c)   A description of the measures taken or proposed to be taken by ManageBac to address such personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

2.2.4.  ManageBac shall document any personal data breach involving School Personal Data, comprising the facts relating to it, its effects and the remedial action taken.

2.3. Access to Personal Data

2.3.1.  In accordance with confidentiality obligations as defined in the Services  Agreement, ManageBac shall not transfer, communicate or disclose in any manner any personal data to any third parties, except to those subcontractors and personnel required to provide the Services to the School (hereinafter the “Authorised Recipients”) for the sole purpose of such Authorised Recipients of performing the Services under the Services Agreement. Where a subcontactor is engaged by ManageBac shall ensure that they are appointed in accordance with clause 2.4 below.

2.3.2.  ManageBac shall ensure that the Authorised Recipients in charge of the performance Services process the School Personal Data only on a need-to-know basis and are subject to appropriate obligations of confidentiality and security, and bound by a non-disclosure agreement that is least as stringent as the one in force between the parties.

2.3.3.  In case of any investigation or seizure of School Personal Data by government officials, a supervisory authority or any law enforcement authority, ManageBac shall take reasonable steps at its disposal to protect the confidentiality of School Personal Data.

2.3.4.  If a Party is compelled to disclose School Personal Data by law, such Party shall promptly notify the other Party of the disclosure order (if and to the extent permitted by laws and/or regulations).

2.4. Personal Data Transfers

2.4.1.  As part of the Services, the User or School acknowledges that ManageBac transfers User Personal Data all over the world as part of its business operations to facilitate the provision of the Services to the User. Where ManageBac transfers personal data to a Third Country, it shall take steps to ensure that it has appropriate safeguards in place to protect the Users Personal Data in accordance with Data Protection Requirements. Further information about the transfers and the basis on which those transfers are made is set out in this paragraph 2.4.

2.4.2.  TheUser provides its prior consent to ManageBac transferring User Personal Data between its group companies in UK, USA, Taiwan and Hong Kong, and data centres in Canada, USA Hong Kong, Singapore, Ireland and UK. Where required by Data Protection Requirements, appropriate safeguards shall be in place to cover such transfers, where personal data is transferred outside of the European Union, ManageBac has entered into standard contractual clauses issued by the European Commission as required under the Data Protection Requirements.

2.4.3.  The User and the School provides its general authorisation to ManageBac’s use third party suppliers, as listed and updated on ManageBac’s website via https://www.managebac.com/terms/privacy-policy/subprocessors, https://www.openapply.com/terms/privacy-policy/subprocessors, https://www.onatlas.com/terms/privacy-policy/subprocessors, https://www.schoolsbuddy.com/terms/privacy-policy/subprocessors, and https//www.pamojaeducation.com/terms/privacy-policy/subprocessors which may process Users Personal Data on behalf of ManageBac (“Subprocessors”) in order for ManageBac to provide the Services to the User or the School.

2.4.4.  ManageBac shall provide updates to the list of Subprocessors and proposed Subprocessers via https://www.managebac.com/terms/privacy-policy/subprocessors, https://www.openapply.com/terms/privacy-policy/subprocessors, https://www.onatlas.com/terms/privacy-policy/subprocessors, https://www.schoolsbuddy.com/terms/privacy-policy/subprocessors and https//www.pamojaeducation.com/terms/privacy-policy/subprocessors, Users may object in writing to the processing of its Personal Data by a new sub-processor within thirty (30) days following the update of the list of Subprocessors and such objection shall describe User’s legitimate reason(s) for objection. If a User does not object during such time period the new Subprocessor(s) shall be deemed accepted. 

2.4.5.  ManageBac shall include in any contract with its Subprocessors which will process User or School Personal Data obligations on such Subprocessors which are equivalent to those obligations imposed upon ManageBac in this Privacy and Data Protection Addendum. ManageBac shall be liable for the acts and omissions of its Subprocessors to the same extent ManageBac would be liable if performing the services of each Subprocessor directly under the terms of this Privacy and Data Protection Addendum.

2.4.6.  Where Subprocessors are located in a Third Country, ManageBac shall put in place appropriate safeguards to protect the User or School Personal Data and ensure that such transfers of User Personal Data are at all times in accordance with the Data Protection Requirements. This shall include, entering into and maintaining accurate standard contractual clauses adopted by the European Commission, or, where a Subprocessor is located in the USA, ManageBac may rely upon a Subprocessor’s Privacy Shield certification, to the extent that these data transfer mechanisms are considered to be lawful under the Data Protection Requirements (where applicable).

2.5. Information Requests & Review

2.5.1.  The User or School shall be entitled to request information and review Faria Education Group’s ISO 27001 certification and related documents, processes and workflows relating to its internal Data Protection and Compliance standards and its obligations set out in this Privacy and Data Protection Addendum. The User or School shall also be entitled to request ManageBac to contribute to and allow for audits and inspections by the School. The School may not exercise its audit right more than once in any twelve month period. The School shall use all reasonable endeavours to ensure that the conduct of any audit by the School or its authorised agents does not unreasonably disrupt ManageBac or its business. Any audit by the School or its authorised agents will be limited to an audit of the School Personal Data and the processes relating to the Users Personal Data and will not include any information relating to any other customer of ManageBac or any other third party. The School will be responsible for any fees or costs incurred from carrying out such an audit.

Any information and review requests can be directed to ManageBac’s Information Security Officer at [email protected].

3. PERSONAL DATA PROCESSING CONDITIONS

3.1. ManageBac’s Server locations

3.1.1.  ManageBac informs the User or School that the Personal Data will be hosted in servers located in the following countries: Canada, USA, Hong Kong, Singapore, Ireland and UK.

3.1.2.  Any change of the server(s) location by ManageBac shall be promptly notified to the User or School and shall be included in the form of a written amendment pursuant to the conditions of this Services Agreement.

3.2. ManageBac’s Information Security Certification

3.2.1.  Faria Education Group is ISO/IEC 27001:2022 certified by BSI under certificate number IS 664562. Implementing ISO 27001 demonstrates a commitment to information security at every level of our organization.

Service Level Agreement

 What is the Service Level Agreement?

The Service Level Agreement is our commitment to customers using ManageBac regarding the service we will provide. Please get in touch using the contact details below if you have any questions about this agreement.

We support:

1. Setup
2. Configuration
3. Administrator Training
4. Bug Fixes

We guarantee:

1. 99% system uptime
2. A 24-hour max response time for all support requests
3. A pledge to protect privacy and safeguard data with daily local backups
4. SSL-encryption for all sub-domains

We do not support:

1. Network issues (e.g. Internet access failure)
2. E-mail Administration
3. Administrative Tasks (e.g. Approving your student’s CAS activities)

Planned maintenance (down-time) related to the Services will be communicated to the User or School on prior written notice. The User or School acknowledges that in certain circumstances, such as security threats, or where emergency or otherwise unplanned maintenance is required, ManageBac may only be able to provide the User or School with very short notice periods, or no notice being given by ManageBac at all.

Questions & Contact Information

Any questions about this Service Level Agreement should be addressed to [email protected] or by mail to: ManageBac, LLC. 548 Market St. #40438, San Francisco, CA 94104 USA.

EU – US Privacy Shield and Swiss – US Privacy Shield

 

ManageBac LLC (“ManageBac”) respects individual privacy and values the confidence of its customers, employees, consumers, business partners and others.

ManageBac strives to collect, use and disclose personal information in a manner consistent with the laws of the countries in which it does business, and prides itself on upholding the highest ethical standards in its business practices. This EU-US Privacy Shield and Swiss – US Privacy Shield Policy (the “Policy”) sets forth the privacy principles that ManageBac follows with respect to personal information transferred from the European Union (EU), the United Kingdom (UK) and / or Switzerland to the United States.

Privacy Shield

The United States Department of Commerce and the European Commission and the Swiss Administration, respectively, have agreed on a set of data protection principles and frequently asked questions (the “Privacy Shield Framework”) to enable U.S. Companies to satisfy the requirement under European Union and Swiss law that adequate protection be given to personal information transferred from the EU and Switzerland to the United States. Consistent with its commitment to protect personal privacy, ManageBac adheres to the Privacy Shield Principles.

ManageBac LLC, ManageBac Inc. and Rubicon West LLC (“we”, “us” or “our”) comply with the EU – US Privacy Shield Framework and the Swiss – US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and United Kingdom, and Switzerland to the United States, respectively. We have certified to the Department of Commerce that we adhere to the Privacy Shield Principles. If there is any conflict between the terms in our privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/  

Scope

This Privacy Shield Policy (the “Policy”) applies to all personal information received by ManageBac in the United States from the European Economic Area and the United Kingdom, and Switzerland, respectively, in any format including electronic, paper or verbal.

Definitions

For purposes of this Policy, the following definitions shall apply:

“ManageBac” is owned and operated by ManageBac LLC, a Delaware limited liability company in the USA.

“Personal information” means any information or set of information that identifies or is used by or on behalf of ManageBac to identify an individual. Personal information does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public personal information.

“Sensitive” means personal information that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns an individual’s health. In addition, ManageBac will treat as sensitive personal information any information received from a third party where that third party treats and identifies the information as sensitive.

Notice and Choice

ManageBac enters into Service Agreements with its Clients in the European Union and the United Kingdom, and Switzerland which may include the processing and/or storage of information relating to their Clients’ customers (students, parents and staff). In these agreements, the Client agrees and recognizes that it is the ‘data controller’ for the purposes of data protection legislation. This means that our EU, UK and Swiss Clients are responsible for complying with the data protection legislation in the relevant Member State, UK and Switzerland national law before it sends its customer data to ManageBac for processing and/or storage. This includes informing individuals about the choices and means they offer individuals for limiting the use and disclosure of their personal data. In order to exercise their rights under this principle, the individual must reach out to their School (our Client), as data controller. Any data processed or stored by ManageBac is only disclosed to third parties at the request and direction of its European, UK and Swiss Client as the data controller, in accordance with the choices made by the individuals to whom such personal information relates, or when required by law. Any information that our EU, UK and Swiss Clients identify as sensitive will be treated as such.

ManageBac has a Compliance Manager who is responsible for the internal supervision of ManageBac privacy policies. ManageBac also has technicians to handle data security. ManageBac continuously educates its employees about compliance with the Data Protection Act 2018, the Privacy Shield Principles and has self-assessment procedures in place to ensure its compliance. ManageBac participates in the EU – US Privacy Shield Framework and Swiss – US Privacy Shield Framework as set forth by the United States Department of Commerce.

Information Gathering and Usage:

ManageBac will take reasonable precautions to protect personal information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.

We use the information provided and that we collect to improve the content and quality of the Service, error correction, improving our marketing, and for administrative purposes.

Your use of the Service results in collection of audit log records, which are collected through third party solutions. These facilitate providing the Service, through web hosting companies or by using analytics providers. This allows us to monitor system and application performance, to track usage activity and to enable our support team to provide you with a professional standard of service when you have any issue.

In the course of providing the Service, we use the information provided to:

1. Process account registration and enrolment;
2. Organise curriculum, activity and assessment information;
3. Compile academic histories and formal academic records;
4. Aggregate, collect and input details of your academics into our system for central management;
5. Compile your profile and the foregoing for your School or as a User.
6. Present information entered to other logged in users provided Parental Consent is provided when applicable;
7. Monitor system performance and collect aggregate analytics;
8. You as a User, or your School may make such information available to the International Baccalaureate, which in turn may make information available to qualified Higher Education Institutions.

If it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of the Terms of Service or Terms of Use, or to comply with any legal requirement such as, but not limited to, complying with a subpoena or cooperating with law enforcement agencies.

Access Personal Data

If your personal information changes, you are able to login to keep it up to date by changing your profile. If you no longer wish to receive the Service or if you find that information on the Website is not accurate and you cannot update it, please inform your School in the first instance. You may email us at [email protected] if you continue to have concerns. If you do not receive a response to your email to us within 7 days please call us or write to

ManageBac LLC

Privacy Department

Email: [email protected]

Postal Mail: 548 Market St. #40438, San Francisco, CA 94104

Onward Transfer

ManageBac shall bear liability in cases of onward transfer.

Enforcement:

ManageBac will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy. Any employee that ManageBac determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment. Under certain limited conditions, individuals may invoke binding arbitration as a last resort before the Privacy Shield Panel. ManageBac is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Dispute Resolution:

ManageBac participates in the European Data Protection Authorities (DPAs) and Swiss Federal Data Protection and Information Commissioner dispute resolution process. If you feel that this company is not abiding by its posted privacy policy or is not in compliance with the Privacy Shield principles, you should first contact ManageBac’s Compliance Manager by email at [email protected]. If you do not receive acknowledgment of your inquiry or your inquiry has not been satisfactorily addressed, you should then contact the European Data Protection Authorities (DPAs) or Swiss Federal Data Protection and Information Commissioner, whichever is applicable.

Contact information for the European Data Protection Authorities (DPAs) in your member state is available here: https://edpb.europa.eu/about-edpb/board/members_en.

Contact information for the Swiss Federal Data Protection and Information Commissioner is available here: https://www.edoeb.admin.ch/?lang=en

Client Data Storage:

ManageBac complies with the EU – US Privacy Shield Framework and the Swiss – EU Privacy Shield Framework as set forth by the Department of Commerce regarding the collection, use, and retention of data from the European Union, United Kingdom, and Switzerland.

If you have any questions, comments, or concerns or wish to update, delete or change any personal information submitted on this Site, or have any questions about our Privacy Policy, please notify us through email or postal mail at:

ManageBac LLC

Privacy Department

Email: [email protected]

Postal Mail: 548 Market St. #40438, San Francisco, CA 94104

Changes To This Privacy Shield Policy

This Policy may be amended from time to time, consistent with the requirements of the Privacy Shield Principles. A notice will be posted on ManageBac’s web page: https://www.managebac.com/terms/privacy-shield/

Effective Date: June 27, 2017

Updated at March 21st 2021

Reference:

To learn more about the EU – US Privacy Shield Framework and Swiss – US Privacy Shield Framework, and to view the certification of ManageBac LLC, ManageBac Inc. and Rubicon West LLC, please visit: https://www.privacyshield.gov/

General Data Protection Regulation (GDPR)

 

The General Data Protection Regulation, known as GDPR, went into effect on on May 25, 2018. It is the most sweeping legislation in the last two decades focused on data security and privacy, and significantly updates, extends, and harmonises data protection legislation across the EU/EEA.

To read more about GDPR, please click here.

ManageBac has been committed to data privacy for over 10 years and welcomes the new regulation. ManageBac has been GDPR compliant since May 2018.

Who is subject to GDPR?

Individuals, organisations and companies that control or process personal data are subject to GDPR. In broad terms, there are three different actors:

• Data subjects (students, families, users, school employees)
• Data controllers (the school)
• Data processors (systems like ManageBac OpenApply & Atlas)

As a data processor, we do not decide the purpose or lawfulness of the data we process and store. We are trustees acting on our customers’ behalf. As data controllers, schools remain ultimately responsible for documenting and deciding how data enters our systems. However, GDPR regulations do impose new and stricter regulations on processors. We will fully comply with these requirements for all of our services, including ManageBac OpenApply Atlas, and Integration partners.

How is GDPR different from previous data protection laws?

Key areas of difference center on increased accountability for companies, greater access to personal data for individuals, and higher penalties for non-compliance.

GDPR explicitly lays out key rights of data subjects:

• right to be informed
• right of rectification
• right of erasure
• right to restrict processing
• right of data portability
• right to object
• right of access

These rights form the framework for interactions between the data subject, controller, and processor. While the controller (school) remains responsible for respecting these rights, the processor (us) may assist in accomplishing these tasks.

The penalties for non-compliance are not insubstantial. A school found in violation of GDPR may be assessed fines worth up to 4% of total annual revenue. The Information Commissioner’s Office (ICO) is responsible for enforcing GDPR and has a broad range of powers to do so.

What kind of data is covered, and what information are schools allowed to collect?

All personal data concerning an individual (data subject) is included under GDPR. Specifically, personal data that allows an individual to be identified — for example name, address, phone number, photo, etc. — is included under GDPR.

Even if personal data has been encrypted, pseudonymised, or anonymized, it may still fall under the scope of GDPR if the data can still be used to identify a specific individual.

Examples of personal data that our schools collect and store includes:

• Names
• Addresses
• E-mail Addresses
• Phone Numbers
• ID Numbers (passport, national ID, SSN)

GDPR specifies six lawful bases for collecting personal data:

• Consent
• Written contract
• Legal obligation
• Vital interests
• Public tasks
• Legitimate interests

For most schools, the legal basis for data collection relates to either legal obligations as learning institutions, or to legitimate interests.

Most of the bases require that the data processing is necessary, i.e. if you can reasonably achieve the same results and purpose without processing data, then you do not have a lawful basis.

Is ManageBac GDPR-compliant?

Yes. ManageBac has been designed from the start with personal data protection in mind, and we pride ourselves on offering schools, students, users and parents the highest level of security.

We have spent the lead up to May 2018 analysing the new requirements and making changes in our services and internal workflows.

As a part of our commitment to GDPR, ManageBac will:

• Ensure organisational and technical security for all services.
• Assist with documentation to demonstrate compliance and keep users informed.
• Provide contract addenda that comply with GDPR requirements for Data Processing Agreements (DPA)
• Offer support when your users exercise their data subject rights.

How does my school become GDPR-compliant?

We cannot directly advise our schools on GDPR compliance, aside from recommending that you seek legal advice as soon as possible, and appoint a team to begin reviewing your current data processing practices. Most of our schools in Europe will be required to appoint a Data Protection Officer (DPO), who oversees your compliance requirements and reports directly to senior management.

In general, GDPR requires you to explicitly record and evaluate how personal data is processed and used. At a minimum, you will need to fully review user data end-to-end, justify why you hold it (using one of the legal bases), for how long you will retain it, and conduct a security review. The purpose of every data point you hold must be defined.

When adopting new technology platforms that involve personal data, you will need to perform a Data Protection Impact Assessment (DPIA). You are expected to monitor and ensure that the systems you use are GDPR compliant.

Lastly, because individual rights have been strengthened under GDPR, we strongly recommend making your users aware of their rights, and establishing clear procedures for responding when users exercise those rights.

I have heard that ManageBac is not secure enough under GDPR! Is this true?

GDPR does not specify precise security requirements for cloud-based services. As a data processor, we have a shared responsibility with our schools (controllers) to provide appropriate organisational and technical security, and be able to demonstrate it. GDPR strengthens the liabilities and penalties for companies that are unable to demonstrate those security protocols.

For over a decade, ManageBac has successfully protected data from millions of users. We continue to invest in organisational security, network and infrastructure security, and application security to ensure we can offer world-class security beyond standard requirements. We regularly allow third parties to audit our security measures, and we invite customers to perform their own audits.

We are careful not to provide explicit detail about our security measures but our standard protocols include:

• Application security: traffic encryption, strongly hashed passwords, safeguards against vulnerabilities such as cross site scripting, SQL injections, phishing and others.
• Network security: firewalls and systems to detect suspicious behaviour, stop malicious attempts to gain access, or compromise the resilience of the service (e.g. DDOS attacks).
• Organisational security: access policies, audit logs and confidentiality agreements.
• Physical security: preventing unauthorized access to infrastructure processing personal data.
• Procedural security: IT management processes to minimize the risk of human errors, or testing regimes to identify software weaknesses before releasing new features to our cloud services, or policies to ensure data is only processed on instruction from our customers.

How does ManageBac obtain personal data about users, and how is it used?

User data is submitted to our platforms in three ways:

1. directly by the users
2. by representatives authorised by the users (e.g. the school technology director obtains data and then uploads it to our platform)
3. via an integration with a third-party system

Data typically enters our systems via “student information systems” independently maintained and controlled by our customer schools. We import data from third-party systems only under direct instruction from our customers.

We use personal data under our protection only when we receive direct instructions from the customer. The data stored on our systems belongs directly our customers, and only a handful of ManageBac staff have access to personal data under strict confidentiality and security. We process personal data independently only if it is vital to the integrity or security of the service, or to analyze or evaluate the quality of the service provided.

Can any of our users request data deletion under the “right to be forgotten”?

Likely not. A data deletion request is valid only if the lawful basis of the processing is Consent (see above), or if the original purpose is no longer valid.

We strongly recommend that our schools implement clear processes for evaluating these kinds of requests. Our Data Protection Officer can also assist with advice in difficult cases. If a data subject is granted the right to be deleted, ManageBac will, either through our software or our support services, help execute these rights and confirm the deletion.

When does ManageBac delete personal data?

ManageBac deletes personal data when instructed by our customers, or if the contract between us and the customer is terminated. The procedures around deleting customer data upon termination of service should be provided in writing or in a Data Processor Agreement.

An instruction to delete a user in our services can either be manually performed in the platform by a customer representative or upon request to our support team.

When users are deleted in our systems, there are safeguards in place to prevent errors leading to an irreplaceable loss of data. In many cases customers will have to manually confirm the deletion of customer data, including personal data.

Are we required to provide the personal data that we store on a user when requested?

To a limited degree, yes. Your users have strong rights to transparency, information, and data access. Any data subject can request a copy of all personal data stored, provided that it does not adversely impact other users, or if the data is not already directly available.

Please note this is not an absolute right. There are other laws in place that require you to protect the data subject and others from accessing certain kinds of information. Again, we strongly recommend that you implement a clear process for evaluating this kind of request, and our Data Protection Officer can assist in difficult cases. If you grant a data subject the right of access, we will, either through our software or our support services, help execute these rights.

Our systems were built for transparency across all stakeholder groups, so the majority of data stored about a user is directly accessible via the individual user profile.

Can a user contact ManageBac directly (e.g. student, parent, teacher) to exercise his rights under GDPR?

No. Under GDPR, the data subject (user) rights is between him and the controller (our customers). Any data subject requests from end users to ManageBac will be handed over to the customer. ManageBac will cooperate in good faith with customers to ensure they can exercise the rights of the data subjects in a prompt manner.

Does ManageBac send data to third parties?

No, unless we receive instruction / confirmation from our customers or have a legal obligation to do so.

Schools often request that we integrate with a third-party tool or service, or setup this integration directly themselves using our publicly available APIs. We take steps to prevent customers from sending data to 3rd parties without complying with data protection regulations. However, it is important that our customers themselves implement safeguards to ensure that data transfer occurs in adherence with regulation.

Will ManageBac notify users if a data breach has occurred?

Depending on the nature of the data breach, our customers might be required to promptly notify both the users affected and the supervising authorities. ManageBac is required to notify its customers when becoming aware of a data breach, and to help them in fulfill obligations in notifying users.

Can I require a cloud service provider, like ManageBac, to only host personal data in my country?

One of the GDPR’s primary objectives is the free flow of personal data inside the European Economic Area (EEA), under one common regulation. In most cases, restricting vendors in processing data across the EEA would not be permitted under GDPR.

Does ManageBac process data outside the EEA? Is it allowed to process data outside the EEA?

GDPR does not forbid personal data to flow outside the EEA, but expects that any data processing outside the EEA is done following the same principles.

In addition, controllers or processors that process data outside the EEA must provide detailed information about the nature of the processing. In some cases, they must also allow customers or users to object to the processing.

Note that the European Commission has recognized Canada as a jurisdiction with ‘adequate’ data protection. To learn more, click here.

Does GDPR impact customers outside the EU?

Not legally. The EU, obviously, has no legislative power over other jurisdictions. GDPR does not offer any rights or freedoms to data subjects located outside the EU, and does not put obligations on non-EU customers that do not process data on EU/EEA data subjects.

However, ManageBac offers, for the most part, the same services and same level of security to all our customers. In other words, no matter where you as a User or your school is located, you will benefit from our approach to security of personal data under GDPR.

Who do I contact with further questions?

For general questions related to ManageBac you can always contact our support team at [email protected]. For contractual or commercial questions, please contact your Account Manager.

For specific GDPR-related questions from our customers, please contact our Data Protection Officer. In addition to monitoring our own compliance and providing advice and training to our own staff, our DPO will be available to our customers and their DPOs to discuss data privacy issues.

The DPO can be reached at [email protected]. Please note that any communication with our DPO must be in English.

Cookie Policy

 

Information About Our Use Of Cookies

Our website at www.minipd.com uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our website. By continuing to browse the website, you are agreeing to our use of cookies.

A cookie is a small file consisting of letters and numbers that we store on your browser or device if you agree. Cookies contain information that is transferred to your device.

We use the following cookies:

• Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into your school’s ManageBac platform.
• Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
• Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).

Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control.

You may block cookies by updating the relevant settings on your device or browser to allow you to refuse the setting of some or all types of cookies. However, if you use your browser settings to block all cookies (including strictly necessary cookies) you may not be able to access all or parts of our website.

Security & Compliance

ISO/IEC 27001:2022 Compliance

ISO 27001 is the most widely known information security management standard used by organizations to keep data assets secure. Implementing ISO27001 demonstrates a commitment to information security at every level of our organization. The ISO/IEC 27001:2022 Information Security Management System of ManageBac has been certified by BSI under certificate number IS 664562.

More information about ISO/IEC 27001:2022 and Information Security Management Systems (ISMS) can be found here. Our certificate may be found here.

Data Encryption

All data between your computer and our systems is encrypted end-to-end with SSL by default.  Other uploaded assets and backups are also stored and transmitted using encrypted connections.

We never send your data over the wire “in plain sight.” Communications across our internal network are via secure private VPN.

PCI DSS Compliance

ManageBac does not store credit card information on any of our servers. Instead, we securely transmit information to Stripe, our PCI-compliant payment gateway, which handles your transactions.

Because we must securely handle your sensitive information before passing it to Stripe, we are also PCI Data Security Standard compliant.  Our certification can be found here.

Legal & Privacy

Data sent through ManageBac often must respect the laws of the countries where we provide service.  Thus, we go out of our way to to follow all data privacy policies of the countries where we do business.

To that end, we host our data securely on servers located in Canada and follow all rules associated with PIPEDA. Our complete terms of service and privacy policies can be found here.

Data Protection

GDPR

ManageBac is compliant with GDPR. For more information about our GDPR-related policies, click here.

China

ManageBac is compliant with the Chinese Cybersecurity Law, including the Provisions on the Cyber Protection of Children’s Personal Information which can be found here. Chinese schools use a .cn domain and their data is hosted within China. We also hold ICP 17051512 and an Information Classified Security Protection Certificate.

Other

We comply with all applicable data protection policies in the countries where we do business, including those of:

• Canada
• Germany
• The United Kingdom
• The United States of America

We have compiled an analysis of some of these policies which you can read here.

Security Policy

Our internal security policies are governed under ISO 27001. Key points include:

• All access to production data is carefully controlled and limited
• Physical access to laptops and servers is monitored and controlled
• Passwords are held to a high standard of security
• All devices that access our systems are scanned for malware and centrally-managed
• All users undergo a required security training on an annual basis
• Our Security Incident Response Team is kept on 24/7 standby and meets weekly to review our security posture
• We remain vigilant for new security threats and monitor major reported breaches and vulnerabilities to understand their potential impact on our operations

Business Continuity & Disaster Recovery

We have performed a comprehensive analysis of risks to our business and have a Business Continuity Plan and Disaster Recovery Plan in place. We have warm standbys of our applications and data in backup data centres.

Our entire workforce employs a ‘remote first’ mindset to be able to work anywhere. In the event of a natural disaster or serious network issue, we can quickly resume operations in alternate locations.

Further Questions

If you’d like to discuss further aspects of our security and compliance policies for your own internal records, please contact us for a briefing under NDA.

Email: [email protected]

Phone: +1 866 297 7022