Kialo Edu Data Security and Privacy Plan
Updated: August 2 2024
General Points
- Kialo Edu only uses personally identifiable information (PII) for the functionality of Kialo Edu and very seldom to ask verified educators for product feedback.
- Kialo Edu does not share, rent, sell, trade, or disclose PII.
- The Kialo Edu site has and will have no ads and PII is not used for ad targeting.
- Your contributions on Kialo Edu are owned by you.
- When you delete your account:
  - All debates and teams that you own will be deleted.
  - Contributions you made in others’ debates will not be deleted but will be de-identified by replacing your username with a generic username (“deactivated-12367”).
- Kialo Edu may use de-identified data to improve Kialo Edu, e.g., to improve the duplicate checker or to understand which functionality is often used and needs improving.
- Kialo Edu will not re-identify de-identified data.
- You can export discussions and request a complete GDPR export of your data.
- An organization can at any point request full control (export/modify/delete) over their members’ accounts and data.
- You can edit (correct) all your contributions and can clone debates and move them to other Kialo Edu accounts.
- In the case of a breach of user data, unless contractually or legally prohibited, we will communicate the breach and its extent as quickly as possible, but no later than three days after becoming aware of the breach.
- Kialo Edu has signed and is happy to sign strict data protection agreements, like the NDPA and New York State Model Data Privacy Agreement for Educational Agencies.
- Kialo Edu is GDPR, CCPA, DSGVO, LGPD, AADC, FIPA, FERPA, NY Ed Law §2-d, and NY regulations §121 (Bill of Rights) compliant and can be used in a COPPA-compliant manner (when schools or parents consent to its use).
- We assume that we are compliant with any reasonable data privacy regulation worldwide, given that we are a privacy-first company, collect as little personal information as possible, and don’t abuse the little data we collect. If you like, you can use Kialo Edu without sharing any personal information by using email-less or managed accounts or instant access discussions.
- As we are often asked why we are providing Kialo Edu for free:
Kialo Edu’s mission is to help educators train critical thinking and thoughtful argumentation and to enable constructive classroom discussions. And in order to make Kialo Edu widely available in all parts of the world, it is free for educators to use.
Regarding Subcontractors
- Kialo Edu uses the following subcontractors that in theory could access PII:
  - Amazon AWS, the world’s biggest cloud infrastructure provider, which is being used by governments around the world to host confidential data.
  - Mongo, one of the most widely used databases worldwide, which is being used by governments around the world to store confidential data.
  - Kialo Inc, our sister company that offers kialo.com, purchases services that are jointly used by Kialo GmbH (kialo-edu.com) and Kialo Inc (kialo.com), and also provides services for Kialo Edu, like support and social media.
- If someone emails support, their name, message, and email address may be stored in Zendesk, Google Suite, and Slack.
- The subcontractors we use are first-tier subcontractors with whom we have signed rigorous confidentiality and data protection agreements.
- We reserve the right to change which subcontractors we use and will provide an up-to-date list here and upon request.
Data Privacy and What Data Is Collected
- Kialo Edu (kialo-edu.com) is hosted in Frankfurt, Germany, as Germany has one of the world’s strictest privacy regulatory environments. All data is stored and processed in Europe.
- Kialo Edu operates under a policy of minimizing the information we collect about users. The less data we collect, the better. Below is a list of data, apart from user contributions, which we do collect:
  - Kialo Edu’s firewall stores your IP for 30 days. Your IP is not associated with your user account.
  - Metadata that your browser submits, like screen size, operating system etc., is currently not being collected. We use the language preference your browser transmits to check whether the Kialo user interface is available in your preferred language and will offer to switch you to it.
  - When you sign up with an email address, we store your email address, username, and password.
  - When you sign up via Google single sign-on, we store your Google account ID, avatar, email address, and derive your initial Kialo user and display names from your Google account name. You can remove and change these data as you wish.
  - When you sign up via Microsoft single sign-on, we store your Microsoft account ID, avatar, email address, and derive your initial Kialo user and display names from your Microsoft account name. You can remove and change these data as you wish.
  - When you sign up via Clever single sign-on, we store your Clever account ID, email address (for teachers only), and derive your initial Kialo user and display names from your Clever account name.
  - When you sign up from Moodle via our Moodle plugin, we store your Moodle account ID, course ID, avatar, user name, and your email address, and derive your initial Kialo user and display names from your Moodle full name. You can remove and change these data as you wish.
  - When you sign up from your LMS via LTI, we store your LMS account ID, LMS course ID, email address, and derive your initial Kialo user and display names from your LMS full name. You can remove and change these data as you wish.
  - When you sign up email-less, we store your username, display name, and password.
  - When you have a managed account, we store your username, display name, and password.
  - When you join an instant access discussion, we store the name you enter.
  - We store any additional profile information you choose to provide, like an avatar.
- All Kialo Edu use of cookies and browsers’ local storage is essential for providing Kialo Edu functionality:
  - Kialo Edu uses cookies to log you in and to correctly associate your contributions and activities on Kialo Edu with your account.
  - Kialo Edu uses local storage to store which popups you have already seen, drafts of your claims and comments, and to enable multi-tab claim clipboard functionality.
- Kialo Edu does not use browser fingerprinting, ad tracking cookies, or tracking pixels.
- Kialo Edu uses a self-hosted cookie-less Matomo instance for analytics to detect user experience problems in the Kialo web app and on our website. We use it, for instance, to evaluate whether certain buttons and features are never being used and can therefore be removed.
Regarding Data Security
- Kialo Edu follows best practices of the Zero Trust Security model, which, in a nutshell, means that in order to gain access to a server or service, extensive user authentication must always happen and that the least privileged access principle is followed.
- Kialo Edu minimizes who can access confidential data and currently only four team members have access to all user data: the three site reliability engineers and the CEO.
- All administrative accounts are secured by strong passwords and two-factor authentication. Devices used to access confidential data use full disk encryption and are rigorously secured.
- Regular developers do not work with data from production systems, nor can they access the production systems themselves.
- All developers’ source code modifications are independently reviewed by two other developers and new versions of Kialo Edu will only be deployed after the Quality Assurance and Release Team have successfully completed extensive automatic and manual tests.
- Support staff have the ability to look up the email address associated with a username to verify that a person with a support request is really who they are purporting to be.
- All staff have signed confidentiality agreements and those with access to confidential user data have received additional security and confidential data handling training.
- If the organizational dashboard is used by an organization, then the people that have access to the organizational dashboard are able to see all their members’ user data.
- Kialo Edu user data is always encrypted in transit and at rest.
- Our production data is backed up hourly and the backups are stored for 30 days, after which they are destroyed.
- For additional security, Kialo Edu users can secure their accounts using two-factor authentication.
- Our Incident Response Plan is available upon request.
- Kialo Edu has undergone internal as well as external security audits, and we intend to continue doing these regularly.
- We have signed the Student Privacy Pledge 2020.
- Kialo GmbH, which manages and operates the Kialo Edu site, is ISO 27001 certified. Here is the ISO certificate and our HECVAT.