Distributed Website Corporation, dba rSchoolToday, is a Florida-based company founded in 1993 that provides cloud-hosted Web-based software applications for K-12 schools, districts, colleges, universities, and educational associations in the “software as a service” (SaaS) model.
As a vendor to educational agencies and institutions (hereafter “Schools”), rSchoolToday (hereafter “RST”) receives disclosures from Schools and parents of personally identifiable information. Only information that is needed for RST to perform services outsourced to it by the School is disclosed to RST. These disclosures are authorized under the Family Educational Rights and Privacy Act (FERPA), a federal statute that regulates the privacy of student records by Schools that receive financial assistance from the U.S. Department of Education.
RST, as a contractor to the School, receives the disclosures on the same basis as school officials, consistent with FERPA regulations, 34 CFR §99.31(a)(1)(i)(B). Consistent with those regulations, RST has a legitimate educational interest in the information to which it is given access because the information is needed to perform the outsourced service, and RST is under the direct control of the School in using and maintaining the disclosed education records, consistent with the terms of its contract.
RST is subject to the same conditions on use and re-disclosure of education records that govern all School officials, as provided in 34 CFR §99.33. In particular, RST must ensure that only individuals that it employs or that are employed by its contractor, with legitimate educational interests – consistent with the purposes for which RST obtained the information -- obtain access to personal Information from education records it maintains on behalf of the district or institution. Further, in accordance with 34 CFR §99.33(a) and (b), RST may not re-disclose personal information without consent of a parent or an eligible student (meaning a student who is 18 years old or above or is enrolled in postsecondary education) unless the School has authorized the re-disclosure under a FERPA exception and the agency or institution records the subsequent disclosure. An example of such a disclosure is when RST is requested by a school district to transfer some part of student records from our system to another system.
RST will not sell or otherwise use or re-disclose education records for targeted advertising or marketing purposes. RST uses data within its products only to deliver the services contracted by the educational institution.
RST does not own any student data, personal data, or district-created data within its products. The data within RST products are property of, and under the control of the School.
The input, collection, use, retention, disposal, and disclosure of any information in our software applications are controlled solely by the Schools which license our products.
RST employs operational and technological measures to ensure data security and privacy, including advanced security systems technology, physical access controls, and privacy training for employees and partners. RST employs a Security Manager to implement and improve RST security practices and procedures.
All data is housed within the United States. Details about security audits and company policies which support the RST security programs are available under a non-disclosure agreement.
All employees of RST are required as part of employment to sign an Acknowledgement and Agreement of Policies that commits the employees to comply with RST's data privacy and security policies and receive required security and privacy training, including training regarding the prohibition on disclosure of student data.
In the event any third party (including the eligible student or parent/guardian of the eligible student) seeks School records, RST will immediately inform the School of such request. RST will not provide access to such data or information or respond to such requests unless requested to do so by the School or compelled to do so by court order. Should RST receive a court order or lawfully issued subpoena seeking the release of such data or information, RST shall provide notification, along with a copy thereof, to the School prior to releasing the requested data or information, unless such notification is prohibited by law or judicial and/or administrative order or subpoena.
In such an event where a parent, legal guardian, or eligible student seeks to make changes to the data within RST products, parents, legal guardians, or eligible students shall follow the procedures established by the School in accordance with FERPA. Generally, these procedures establish the right to request an amendment of the student’s education records that the parent or eligible student believes is inaccurate, misleading, or otherwise in violation of the student’s privacy rights under FERPA.
Parents or eligible students who wish to ask the School to amend their child’s or their education record should write an School official, clearly identify the part of the record they want changed, and specify why it should be changed. If the School decides not to amend the record as requested by the parent or eligible student, the School will notify the parent or eligible student of the decision and of their right to a hearing regarding the request for amendment. Additional information regarding the hearing procedures would be provided to the parent or eligible student when notified of the right to a hearing.
In the event RST becomes aware of a data breach or inadvertent disclosure of Personal Information, RST shall take immediate steps to limit and mitigate such security breach to the extent possible. An RST Staff person will notify a senior member of the affected School’s leadership team, ideally the Superintendent or similar chief executive. This typically will occur within 24 hours of confirmation of the event and would include the known relevant details. The School and RST will work cooperatively in determining an action plan, including any required notification of affected persons. In the event that RST is at fault for the breach or disclosure, RST carries a $1,000,000 cyber-liability insurance policy that provides for a number of potential remedies, such as credit monitoring for affected parties, fraud coverage, crisis management communications coverage, business interruption coverage, and data restoration coverage, among others.
In the event of termination of a license to use our products, RST works with the School in accordance of the terms of the School’s contract, to destroy all student records contained in our systems and then will permanently delete all archival or backup copies of the School’s data. RST shall not knowingly retain copies of any data or information received from School once the School has directed RST as to how such information shall be destroyed. Furthermore, RST shall ensure that it disposes of any and all data or information received from the School in a commercially reasonable manner that maintains the confidentiality of the contents of such records (e.g. erasing and reformatting server hard drives). At the request of the School, RST will provide a written certification of destruction.
To the extent parents, guardians or students have questions regarding the content of, or privacy associated with, any applications used by the School, please contact that School.
RST may, from time to time, update this policy to be in compliance with evolving state and federal laws and regulations. We will not materially change our policies and practices to make them less protective of your privacy without the written consent of the School. The School may rely upon any and enforce any current or prior version of this policy unless otherwise agreed to in writing.