
Goodnotes Classroom Privacy FAQs

What personal data does Goodnotes Classroom process?

After downloading our app, students must sign in with their Institution’s email address and the chosen SSO identity provider (e.g., Google, Microsoft, Apple) to create a Goodnotes Account. Goodnotes does not process the data from your SSO; instead each account is assigned a user ID.

While using the app, documents created by teachers will be stored on Goodnotes Cloud. If these documents contain personal data (e.g. age, name, gender, political beliefs, and information about one’s health), this data will also be stored by Goodnotes.

How does Goodnotes keep data secure?

We adhere to the strictest standards of data protection and cyber security as imposed under the General Data Protection Regulation. Additionally, Goodnotes is in the process of obtaining ISO 27001, an international accreditation for information security management. This means that, when processing your institution’s data, we continually maintain data protection practices and cyber security measures designed to protect customer data.

What cyber security measures does Goodnotes take?

All data processed by Goodnotes will be stored via Goodnotes Cloud on our secure servers managed by AWS Services. All data stored here is encrypted at rest, and segregated in a private network. Access to the network is logged and we take technical and organizational measures to prevent unauthorized access to your data.

Why is there a data processing agreement in the Goodnotes Classroom SaaS Subscription Agreement?

Under data protection law, the Institution is what is known as a data controller, which means the Institution decides the purposes of processing personal data and how that data will be processed. Goodnotes, as the data processor, acts under the instructions of the Institution as to how to process data on its behalf.

The Data Processing Agreement (DPA) sets out the roles and obligations of Goodnotes and the Institution in handling user data. It defines what Goodnotes as a processor can do with user data and sets out how data should be protected. A DPA is required under the General Data Protection Regulation whenever a third party is entrusted to process data that is under another party’s control.

How does the data processing agreement protect students’ data?

Our data processing agreement complies with the requirements of the General Data Protection Regulation (EU) 2016/679, which binds Goodnotes and the Institution to comply with the strictest standards under data protection law. This protects student data by ensuring that Goodnotes takes appropriate organizational and technical measures to ensure that there is no unauthorized access to your data. Some of these protections include:

  • Incorporation of the EU Standard Contractual Clauses, which ensure that any personally identifiable data which is transferred outside the UK or EEA is subject to the same level of protection as provided in the UK and EEA.
  • Ensuring that any Goodnotes employee who is required to access personal data as part of their job is subject to a confidentiality obligation imposed by contract or legislation.
  • Binding Goodnotes to use only sub-processors that can protect the privacy, confidentiality, and security of personal data, and by making Goodnotes liable for the acts and omissions of its sub-processors.

How will Institutions gain consent from parents or legal guardians?

As the data controller, and as stipulated in the Data Protection Addendum, it is the Institution’s responsibility to obtain consent from the parents and guardians of minors before they create an account.

Why does Goodnotes collect personal data?

We collect personal data for various purposes. For example, we process data so we can register your account and so we can deliver Goodnotes services. Each of these corresponds to lawful grounds under the General Data Protection Regulation (EU) 2016/679. You can see a full list of these purposes along with the corresponding types of personal data collected in section 2.5 of our Privacy Policy: https://www.goodnotes.com/privacy-policy#Keeping-your-data-secure.

Does Goodnotes share student data with other third parties?

We share data only with sub-processors that are necessary to provide the services to you. A full list of these sub-processors can be found in Annex 1 of our SaaS Licence Agreement.

What measures can Institutions take to protect our student data?

Institutions should take necessary measures to ensure that students keep their credentials confidential. Additionally, Institutions should limit the amount of personal data students input into documents. Personal data may include age, name, gender, political beliefs, and information about one’s health.