EFFECTIVE July 1, 2024 (Archived Version)
1. Definitions
"Boom App Users" are adult or student users who log in at wow.boomlearning.com, app.boomlearning.com, or boom.cards (all entry points to the "Boom App") and whose data is entered into or collected by the Boom App. The Boom App is a subset of the Services. It is possible to use the Boom App without using other services to limit the Subprocessors with which you interact.
"Subprocessors" are companies we hire to process customer data to help us provide the Services.
"Subcontractors" are people that work for us as part of a project. We sometimes use subcontractors to perform technical support or training for Educators. Subcontractors do not have access to Student Data.
"Vendors" provide services we need to perform our business. Examples include tax reporting and payment processing. If a Vendor has access to customer data, we disclose them as a subprocessor. You may have vendors you use also.
2. Educator ("you") selected subprocessors
You are responsible (liable) to us, your students and their families, and to your employees and contracted staff and vendors, for any risk or claims arising from your selection, implementation, configuration, management or deployment practices of your selected subprocessors. You are responsible (liable) for any misconduct, design failures, or security risks — deliberate or inadvertent — by your selected sub processors. You are responsible (liable) for training your students, families, employees and contracted staff and vendors on the correct usage of your selected sub processors. You must select subprocessors that will handle any personally identifiable information sent in a manner consistent with your legal obligations regarding the data sent.
| Subprocessor Type | Exemplars | Purpose | Your Responsibilities and Options | Our Responsibilities and Options |
| Authentication Service Providers (OAuth Providers) | Canvas, Classlink, Clever, Google, Microsoft, SAML (on request) | Secure authentication of identity and access privileges for Boom App Users | You may choose a supported OAuth Provider. | We may block any OAuth Provider at any time if we determine there is a security or privacy risk. We are responsible (liable) to you and your students if we fail to correctly implement an authentication method. Proper implementation means we followed the specifications of the authentication vendor. We may delete any data delivered to us by an OAuth Provider that we determine is superfluous to delivering the Services (such as a middle name) as part of our data minimization practices. |
| Data Sharing Subprocessors | Box, Dropbox, Google Drive, OneDrive, Sharepoint | Share documents securely with authentication and access controls. | Select the subprocessor or use our selected subprocess (Microsoft OneDrive or Sharepoint) for materials with personally identifiable information or that are otherwise sensitive. | Reject the use of an insecure subprocessor if we deem materials are sensitive and require an authenticated sharing method. |
| Email Subprocessors | Google Workspace, Microsoft Office | Send email communications | Select your subprocessor for sending and receiving emails. Apply reasonable industry best practices to protect your email system from email based attacks — incoming or outgoing, including phishing attacks. | We may block emails received from you that contain an attack. We will inform you if we learn our system has generate an attack. We will implement reasonable industry best practice to protect our email systems from email based attacks — incoming or outgoing, including phishing attacks. |
| Video Subprocessors | ScreenPal, Vimeo, YouTube, Google Drive | To embed links to video in decks you create to deliver to your Students. If used these will collect data about Boom App users. | You are responsible for your legal obligations to students with respect to disclosure, consent, tracking for advertising purposes, and delivery of advertisements, as may be applicable, for your selected subprocessor. | We reserve the right to block or remove access to video subprocessors at any time, in our sole discretion, if we deem them a security or privacy risk. |
| Contract Processors | DocuSign, Adobe Sign, LearnPlatform, Student Data Privacy Alliance | To send us a contract for signature | Use one of our subprocessors for contracts or select your own. | We require that you provide us a copy of the signed document if you do not use our subprocessor. |
3. Our Boom App User data subprocessors
The following subprocessors are integrated with the Boom App and collect and store data about Boom App users.
| Name | Purpose | Links to Security and Privacy Policies | What You Should Know |
| Vimeo | Embedded Instructional Videos | Vimeo | Used for video delivery. We have a signed Data Processing Agreement for EU. May collect some data from students if a student watches a video. |
| MongoDB | Storage of Boom App Data - including Adult and Student data | MongoDB Security measures for MongoDB Atlas are available here. | This is the database where we store data entered into our created by the Boom app. It is encrypted in motion and at rest. We have a signed BAA with MongoDB. Adult and student data. |
| AWS | Host of MongoDB Data Store | Amazon Web Service Security measures are here. Privacy statements are here. | AWS provides us physical servers in the United States on which the MongoDB database is stored. Adult and student data. |
| Microsoft Azure | Store of selected subset of Adult MongoDB data | Microsoft Trust Center | We replicate select Adult data from the MongoDB data store to Azure for business operations, security, integrity, and product improvement purposes. We do not replicate student data to this database. |
| Galaxy/Meteor Cloud | Application processing data | Privacy Policy Data Processing Agreement Security and Systems Policy | Our Boom application which process data |
| ZCLOUD | Application processing data | Privately negotiated agreement | Not yet adopted but under consideration for adoption |
| Freshworks | Helpdesk services- including Freshdesk (help tickets), Freshworks Contact Center (voicemail and calls), and FreshChat (chat contacts). | You can see terms of our agreement with Freshworks here (Section 3 and the Data Processing Addendum). You can see Freshworks security measures here. | We have a Freshworks Help Center integrated in our app accessible to adult users. We store your information to respond to your requests. Stored information may include contact information, user IDs, messages, device model, IP address, and usage patterns. Parents, legal guardians, and students who contact our Help Center by email are redirected to the Educator they are associated with. |
| ActiveCampaign | Educational messages about how to use the product, feature updates, and important announcements. | ActiveCampaign | Adult users are added to automations and mailing lists to receive onboarding and important announcements. Users added to ActiveCampaign are marked by the type of user (organizationally managed or direct purchaser). |
| MessageBird | Transactional emails | MessageBird | Transactional emails such as mandatory notices, password resets, confirmations, receipts and similar messages. |
| Braintree | Payment Processing | This is our integrated third party payment card processor. When you make a payment you are interacting directly with Braintree through a PCI DSS 4.0 compliant connection. | |
| PayPal | Payment Processing | Used by us to issue payments to Boom Cards authors. | |
| Google Analytics G4 | Analytics for application performance, integrity and improvement purposes | Google Analytics G4 | We have GDPR controls turned on. We anonymize Boom App user data we send to Google Analytics. |
4. Our additional data subprocessors for interacting with adult users
The following additional subprocessors are used in our operations to support our interactions with adult users. See also our Cookie Policy.
| Name | Purpose | Links to Security and Privacy Policies | What You Should Know |
| Zoom | Video Calls and Educational Webinars | Zoom (for Business policies) | Used for onboarding and educational webinars. May be used for meetings. |
| Microsoft Office, including Teams, Bookings, Outlook, Sharepoint, OneDrive and more | Meeting and Webinars Scheduling Document management | Microsoft Trust Center | Used for onboarding and educational webinars. Email may be routed to Freshworks Used for secure document exchange |
| Cyberclan | Security services | Cyberclan | Used for email security monitoring and forensics. |
| Vimeo | Embedded Instructional Videos | Vimeo | Used for how to videos. We have a signed Data Processing Agreement for EU. May collect some data from students. |
| Quickbooks | Payment Processing | If you pay us money or receive money from us or we pay you money, your name, address, and contact data may be stored. | |
| JB Morgan Chase | Payment Processing | If you pay us money or receive money from us, your name, address, and contact data may be stored. | |
| BECU | Payment Processing | If you pay us money or receive money from us, your name, address, and contact data may be stored. | |
| The Hagen Firm | Accounting | The Hagen Firm | If you pay us money or receive money from us, your name, address, and contact data may be stored. |
| Liscio | Accounting | Liscio | If you pay us money or receive money from us, your name, address, and contact data may be stored. |
| Asana | Customer requests | Asana (for subscriber policies) | May contain copies of images, videos or messages you send requesting an improvement or change |
| Atlassian | Customer requests and bug requests | Atlassian | May contain copies of images, videos or messages you send requesting an improvement or change. May be shared with select development and test subcontractors in India and/or Vietnam. |
| The Hartford | Insurance Certficites | Hartford | Your contact information is required to generate a certificate |
| Contractbook | Contract delivery and storage | Contracts we sign with you. Contracts are stored in the European Union. | |
| Adobe Cloud | Contract delivery and storage | Contracts we sign with you | |
| Student Data Privacy Alliance | Contract delivery and storage | SDPA Privacy Policy | Contracts we sign with you |
| Google Analytics G4 | Analytics | Google Analytics G4 | Used for to understand app performance for security, integrity, and improvement purposes. |
| Zapier | Integrations of the above tools | Privacy Policy Security and Compliance | Adoption being considered but not implemented at this time |