Compliance

Sibme website is hosted and customer data resides on Amazon AWS infrastructure, which (i) has highly secure data centers with state-of-the art electronic surveillance and multi-factor access control systems, (ii) is staffed 24×7 by trained security guards, and (iiii) its access is authorized strictly on a least privileged basis. AWS has achieved ISO 27001 certification and has been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). In addition, AWS undergoes annual SOC 1 audits and have been successfully evaluated at the Moderate level for Federal government systems as well as DIACAP Level 2 for DoD systems. Access to Sibme data portal management with AWS is limited to only a few key employees and is protected by a two-factor authentication mechanism for access, requiring authorized team members to first log in using their email address and password, then enter a six-digit access code that refreshes every 30 seconds from a linked mobile device. All private data exchanged with Sibme is always transmitted over SSL. Here are some useful links relating to their own security and continuity plans:

• AWS Cloud Security: https://aws.amazon.com/security/
  

• AWS Compliance: https://aws.amazon.com/compliance/
  

All videos uploaded to the Sibme website are by default private to the user if uploaded to their Workspace and other selected users if uploaded directly to Huddles. A user decides who else can see those videos and resources. For additional information on our privacy practices, please see our Privacy Policy.

Authentication for users happens at app.sibme.com/users/login using email and password authentication, via sign-in via Google, or SSO via an organization’s authentication process (i.e. Microsoft Azure/AD, Canvas, etc.). All requests made through Sibme in a browser are done via TLS/SSL. Sibme keeps a robust set of logs for auditing purposes

Sibme is LTI Compliant and we follow the LTI standard when integrating with customer’s LMS’. For more information on LTI Compliance and LTI integrations, please visit the IMS Global Learning Tools Interoperability® page.

Sibme requires its Vendors, such as Amazon AWS to achieve key compliance controls and objectives as well as establish controls to support operations and compliance. More information on AWS System and Organization Controls (SOC) can be found on their site.

Sibme maintains Payment Card Industry Data Security Standard (“PCI”) compliance in connection with processing user credit card charges. As required by the PCI compliance standard, Sibme quarterly undergoes extensive third party security and penetration tests to ensure our payment site is secure. Please view our PCI Compliance certificate from SecurityMetrics.

The U.S. Family Educational Rights and Privacy Act (“FERPA”) is designed to protect student identity and academic information from unauthorized disclosure to third parties. Sibme complies with all relevant provisions as follows:

• User information is private in the system, viewable only by authorized individuals. Such permissions must be explicitly granted within Sibme.
  
• When applicable, student grading information is viewable only to authorized instructors, reviewers, IT administrators, and to the individual student themselves.
  
• Authorized Sibme staff may access the account information solely for the purpose of providing service and support to the instructor and students. Such access is limited to authorized service and support staff only. Consent for this limited use of their account information is granted by each student user upon signup with required acceptance of the Terms of Service.
  
• Sibme does not require any unique identifying information for any student data collected in the platform.
  

Sibme is compliant with U.S. Children’s Online Privacy Protection Act (“COPPA”) requirements regarding the capture and use of images of children under the age of 13. Key elements include:

• Videos in the system are private by default, as described above.
  
• Users (teachers, administrators, etc.) who post videos that include children under 13, such as classroom observations, are responsible for any parent/guardian permissions.
  
• Parents may request removal of any video of their child by directly contacting Sibme.
  
• Children under 13 years of age are expressly prohibited by our Terms of Service from creating their own account.
  

For more information, see the COPPA references in our Terms of Service and Privacy Policy

To the extent applicable, Sibme is compliant with the California Consumer Privacy Act (“CCPA”), including applicable consumer rights in control of their personal data. Please see Sections 3, 10, and 15 in our Privacy Policy

Sibme complies with the principles of the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (collectively, the “Data Privacy Framework” or “DPF”) as set forth by the U.S. Department of Commerce. Sibme has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles with regard to the processing of Personal Data received from the European Union in reliance on the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) and from the United Kingdom(and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Sibme has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework program Principles with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. Data Privacy Framework. The DPF includes requirements for security, consent, and user data rights, including the right to deletion. Please refer to the EU/GDPR Section of our Privacy Policy for more details. For EU, UK and Swiss users, you can review your rights and recourse in our Privacy Policy, which outlines our commitment to data privacy and user protection.

Sibme is designed to comply with applicable software accessibility requirements of Section 508 of the U.S. Rehabilitation Act. The system is designed to work with native accessibility tools within Windows and Mac operating systems as well as the enhanced functions included in modern web browsers. For details related to our Section 508 compliance, please see our Voluntary Product Assessment Template (VPAT). Sibme is also designed to comply with the Web Content Accessibility Guidelines (WCAG) version 2.1, levels A and AA. For more about WCAG 2.1 compliance, see Web Content Accessibility Guidelines (WCAG) Overview.

If you have additional questions regarding Sibme’s security or privacy, please contact us at Sibme Support at any time.

Sibme has a Data Breach Notification Policy, which describes a process to quick and efficient recovery from security incidents, respond in a systematic manner to incidents and carry out the steps necessary to handle an incident, and minimize disruption to critical computing services or loss or theft of sensitive or mission critical information. Sibme will determine whether the compromised system is a low risk or a high risk data and whether the system affected is considered a high critically system. “High Critically System” is when it meets either of the following criteria: (i) stores, transmits, or provides access to High Risk Data (as defined below) or (2) loss of access could have a significant impact on Sibme as a whole and the overall institution risk from downtime is high. “High Risk Data” is defined when either of the following conditions apply: (A) the data is governed by laws or regulations that requires Sibme to report to the government and/or provide notice to individuals if the data is breached, or (B) the unauthorized use, access, or alteration of the data could have a significant adverse impact on Sibme or an individual community member. For example, social security numbers and national identification numbers, driver’s license numbers, passport and visa numbers, operating system passwords, application passwords, and API keys, central authentication credentials, financial information, health information, special categories of data under GDPR.

Sibme will risk classify the data by taking into account the (i) inherent attributes of the data; (ii) source of the data; (iii) regulation or policy governing the data; and (iv) relationship of the data to previously disclosed data. The classification of specific data is subject to change as the attributes of that data change (e.g. its elements, content, uses, importance, method of transmission, or regulatory context).

Sibme uses the 3rd party entities below (each, a “sub-processor”) to process personal data on behalf of Sibme customers and in accordance with contract terms between Sibme and the sub-processor to uphold Sibme’s commitments.

Further information relating to sub-processor security measures can be found via the external links below. For each sub-processor below, processing of personal data will be for the duration of use of the applicable service(s) by the customer, and for the retention periods as set out in the customer’s agreement with Sibme and any product documentation.

Use the form below to sign up form below to be notified when we add new Sibme sub-processors.

At Sibme, we prioritize the protection of personal data from students’ educational records. Here’s how we work with educational institutions (“Customer”) to uphold privacy and data security:

• Ownership and Control of Student Data
• Student Data is owned and controlled by the Customer. Our collection and Use of this data are governed by contracts with the Customer and applicable privacy laws. For example, we provide our services to the educational institution as a “School Official” under FERPA, and we work in partnership with the educational institutions to safeguard personal data in compliance with FERPA requirements.
• Authorized Use Only
• We collect, maintain, use, and share Student Data solely for authorized educational purposes as described in our agreement with the Customer or as directly by the Customer, the student’s parent, or legal guardian.
• No Targeted Advertising
• We do not use or disclose Student Data for targeted advertising. Specifically:
• Personalized advertising (ads based on personal information) is not utilized in our products.
• Student Data is not shared with third-party advertisers or used to create advertising profiles.
• No Unauthorized Profiling
• We do not build personal profiles of students except when necessary for educational purposes pursuant to the terms of our services.
• Robust Data Security Measures
• We maintain a comprehensive data security program designed to protect the type of Student Data maintained by our services.
• Transparency and Accountability
• We are committed to clear and transparent communication about our data policies and practices to ensure trust with our users.
• No Selling of Student Data
• We will never sell Student Data unless it is part of a corporate transaction (e.g., a merger, acquisition, or other sale of assets). In such cases, we require the new owner to honor our existing student data privacy practices, or we will provide the Customer with notice and an opportunity to opt-out of the transfer of Student Data by deleting the Student Data before the transfer occurs.
• Notification of Policy Changes
• We will not make material changes to our student data privacy practices or agreements related to data collection or use without prior notice to the Customer. Customers will be given a choice before any Student Data is used in a manner materially different from what was disclosed at the time of collection.

We remain committed to supporting educational institutions in protecting the privacy and security of their students’ data. 

We disclose Student Data only as necessary to provide our Services on behalf of specific Customers, in accordance with our contractual agreements with the consent of the Customer or the parent. For instance, Student Data and account usage information may be disclosed to or accessible by users who are authorized to use the Service on behalf of the Customer, such as the student’s teacher or other administrative professional. Additionally, we may also disclose Student Data to our trusted service providers who require access to perform services on our behalf, all of whom are bound by contractual terms to ensure data protection. Moreover, Student Data may be disclosed in connection with a business transaction or to uphold our legal rights and obligations as outlined in our Privacy Policy.

We may also generate, use, and disclose de-identified information for adaptive learning purposes or customized student learning purposes, to recommend content or services relating to Customer purposes or other educational or employment purposes, to develop, research and improve our services, or to demonstrate the effectiveness of our Services. In addition, we may use de-identified information for the development and improvement of other educational sites, services and applications or technologies more generally to the extent permitted under applicable law. “De-identified information” means data from which all personally identifiable information has been removed or obscured so that the remaining information does not reasonably identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual.

To the extent you use our face recognition functionality, Sibme complies with (and facilitates compliance with) applicable law, including the Family Education Rights and Privacy Act (“FERPA”) and Children’s Online Privacy Protection Act (“COPPA”). Because we provide the face recognition functionality at the direction, and subject to the control, of our Customers (i.e. the educational institutions), we rely on each customer to provide consent for Sibme to collect personal information from students, as permitted by COPPA. If you are a parent, guardian, or teacher and believe that your child or student has provided Sibme with personally identifiable information without appropriate consent by you and/or your child’s educational institutions, please notify legal@sibme.com so that we can promptly delete the information from our servers.  Note that we DO NOT typically utilize face recognition functionality for students. Biometrics features are exclusively available for teachers, administrators, and higher education students using our platform.

Sibme will not knowingly retain student personal information beyond the period necessary to support an educational purpose, unless explicitly authorized by the educational institution, i.e. Sibme’s customers.

Please note that even without specific instructions from our Customers, we may delete or de-identify data after a period of user inactivity. Information about how long we keep your information is available in our Privacy Policy. Parents or students seeking to access or delete student data, should direct their requests to the educational institution.