Scholastic’s measures to ensure that its personnel and service providers abide by its security standards, contractual obligations and applicable law include a combination of technical due diligence, data security and privacy trainings, oversight, audits, periodic tests, scans and other assessments. Periodic risk assessments, audit trails and security logs also enable us to assess and remediate vulnerabilities as needed and to protect data from deterioration and degradation. Scholastic requires any service provider that processes Student Data on its behalf to comply with and maintain a data security policy that is consistent with ISO 27001, NIST, SOC 2 Trust Service Principles or other appropriate standards.

Authentication methods vary by product. For rostered Products, for example, we may require a certain level of password complexity. If Products do not use rostering and collect no Student Data, we may authenticate using an institutional site IP address provided by the Education Customer, secure referring web page, embedded URL or other method as agreed with the Education Customer to allow the user to access the Product. 

We keep Student Data for the period reasonably necessary to perform and support the services requested by the Education Customer or as required by contract, and we dispose of it (e.g., return or destroy it) at the Education Customer’s direction. Where permitted, our destruction methods may include irreversible de-identification or overwriting. Scholastic may keep back-up and similar copies of Personal Information and Student Data that it is unable to destroy using commercially reasonable measures, to the extent permitted by law. Scholastic may also keep archive copies of Personal Information and Student Data needed for audit, dispute resolution or legal compliance purposes, again to the extent permitted by law.