
Privacy statement

Last updated based on version 2.4 (25 September 2023).

I: General information

Name of product and/or service

NXT Chapter Ltd.

Name of Processor and registered address

NXT Chapter Ltd. Corleseweg 22 7102 EV, Winterswijk

Short explanation and operation of the product

Monitoring students’ reading skills and reading enjoyment through speech-to-text algorithms, so teachers can proactively provide strong reading instruction and better support students in choosing a suitable and enjoyable book without extra time investment.

Link to supplier and/or product page

https://www.schoollibraryapp.com/

Target group

Primary education, lower and upper grades

Users

Students, teachers, support staff and supporting partners.

II: Standard processing activities

Processing activities that are an inseparable part of the basic services offered by NXT Chapter.

  1. Processing personal data, including reading activities of individual students (data subjects), for the student themselves. NXT Chapter records which books each student reads, what the student thinks of those books and how many pages the student has read. In addition, NXT Chapter processes reading recordings from which individual reading-skill data is derived. Results are stored systematically to provide insight into reading activities, reading development and reading enjoyment.
  2. Making personal data, including individual students’ reading performance, available to teachers via LeesNXT Chapter. The dashboard made available to the educational institution, teacher and student enables quick insight into reading activity, reading development and reading enjoyment. The institution administrator is responsible for assigning rights to specific users. These rights determine which user may view which student data.
  3. Creating backups. Personal data processed by NXT Chapter for the educational institution is secured through backups. If an NXT Chapter server fails, service can continue after reinstallation with minimal loss of reading-performance data.

III: Purpose of the standard processing activities

NXT Chapter provides digital learning and testing tools. Through the processing of personal data within these products (see section II), it supports educational institutions in achieving the following objectives.

  1. Tracking students’ reading-skill development by the educational institution and/or teacher, including guidance of learners.
    • analysis and interpretation of reading performance;
    • storage of reading performance;
    • downloading reading performance by the educational institution;
    • creating a reading profile based on reading history and related interests.
  2. Delivering and enabling use of LeesNXT Chapter according to agreements between the educational institution and the Supplier.
  3. Providing access to NXT Chapter and external information systems, including identification, authentication and authorization.
  4. Security, control and prevention of misuse and improper use, and preventing inconsistency and unreliability in processed personal data.
  5. Continuity and proper functioning of NXT Chapter according to agreed arrangements, including maintenance, backups and improvements after detected errors or inaccuracies.
  6. Research and analysis under strict conditions, comparable to existing codes of conduct in research and statistics, for optimizing learning processes or educational policy.
  7. Making non-directly identifiable or anonymous statistical data available by the educational institution for research and analysis to improve educational quality.
  8. Making personal data available where necessary to comply with legal requirements applicable to Digital Educational Resources.
  9. Execution or application of another law.

IV: Categories and types of personal data

Description and overview of data-subject categories used:

  1. Teachers
  2. Students
  3. Support staff
  4. Supporting partners

The Processor applies retention periods of at most 3 months after deregistration.

Status | Category | Explanation
- | 1. Contact details | Full name, gender, date of birth, email, school year, class
- | 2. Student number | An administrative number identifying students
n/a | 3. Nationality |
n/a | 4. Parents, guardian | Data as referred to under 1, relating to parents or guardians of students
n/a | 5. Medical data | Data necessary for health or wellbeing of the data subject, or at own request, where necessary for education
n/a | 6. Religion | Data concerning religion or beliefs, where necessary for education or at own request
- | 7. Study progress | Results of AVI reading tests taken with the Leesapp
- | 8. Educational organization | Data for organizing education and providing learning resources
n/a | 9. Finance | Data for calculating, recording and collecting fees/contributions and the data subject’s bank account number
- | 10. Visual material | Photos and videos (with or without audio) of institution activities
- | 11. Teacher, care coordinator, internal supervisor, dean, mentor | Data of teachers and supervisors insofar as relevant for organization and educational delivery
- | 12. Other data | Audio recordings of students reading aloud
n/a | 13. BSN/PGN |
- | 14. Chain ID (ECK-ID) | Unique ID for the educational content chain, enabling institutions to share data without direct identifiability of participants or teachers

V: Storage of processed personal data

NXT Chapter and its Sub-processors process personal data as much as possible within the European Union. Only when the educational institution uses customer service via WhatsApp is a Sub-processor outside the European Economic Area used. That Sub-processor is certified under the Data Privacy Framework.

VI: Sub-processors

By signing the Processing Agreement, the educational institution gives the Processor general written permission to engage Sub-processors. The Processor may use other Sub-processors, provided prior notice is given and the educational institution can object within a reasonable period.

At the time of concluding the Processing Agreement, the Processor uses the following key Sub-processors:

  • NXT Chapter Ltd., Winterswijk, for part of the operational execution of the Processing Agreement (EU storage).
  • Google Cloud Services, Amsterdam, for hosting activities (EU storage) and transcription of audio fragments.

The Processor also uses several other Sub-processors (for security monitoring, customer service, chat service, et cetera). A list can be consulted via: https://www.schoollibraryapp.com/subverwerkers.

VII: Contact details

For questions or comments regarding this statement or operation of this product/service, please contact NXT Chapter Ltd., Corleseweg 22, 7102 EV, Winterswijk, phone 0850000536, [email protected], or the Data Protection Officer of NXT Chapter via [email protected].

VIII: Version of processing agreement

Version 2.4, 25 September 2023

Appendix 2: Technical and organizational security measures

In accordance with the GDPR and articles 7 and 8 of the Model Processing Agreement, the Processor must implement appropriate technical and organizational measures to secure personal-data processing and demonstrate those measures. This appendix provides a concise description and overview.

Information security standards

The Processor must demonstrate to the educational institution whether and how appropriate technical and organizational measures have been taken to ensure and demonstrate that processing complies with the GDPR and the Model Processing Agreement.

Minimum security measures and demonstrability

  1. A classification of the product or service in terms of availability, integrity and confidentiality. The Processor has classified processed personal data in terms of availability, integrity and confidentiality. Based on that classification, measures were taken to reduce risks. NXT Chapter uses the ROSA Information Security and Privacy Certification Scheme classification tool (version 2.01) from Edustandaard, and reassesses this annually.
    • Availability: High (3)
    • Integrity: Medium (2)
    • Confidentiality: High (3)
  2. A description of the extent to which the minimum security measures under GDPR article 32 are met.
    1. The Processor has suitable policy for securing personal-data processing. This policy is periodically evaluated and updated where needed. The EDU ROSA standard, based on ISO 27001 and ISO 27002, is the guiding framework.
    2. Information-security incidents are documented and used to optimize security policy.
    3. NXT Chapter has a process for communication about information-security incidents.
    4. Confidentiality statements and security agreements are in place with employees. Awareness, training and education on information security and privacy are actively stimulated. Through authorization design, employees access no more data than necessary.
    5. Availability controls include active traffic monitoring, cold standby (with warm standby implementation in progress), design checks on critical dependencies, continuous monitoring with alerts, unit/integration/end-to-end testing, periodic patch monitoring and DDoS alerting with firewalls.
    6. Integrity controls include monitoring of key fields, daily full backup plus hourly incremental backup (RPO 1 hour), input controls, active logging with alerts and follow-up, unique user IDs, antivirus/malware/patch management/secure coding, logging of configuration changes and ransomware-awareness measures.
    7. Confidentiality controls include deletion processes on request, role-based access with strong passwords and periodic renewal, multi-factor authentication where required, physical security via Google, network segmentation with whitelisting/firewalls, environment separation with pseudonymized test data, encryption in transit and at rest, logging and periodic risk/threat analysis with vulnerability scanning and penetration tests.
  3. Assessment of implemented measures against (inter)nationally recognized information-security standards. Each year, NXT Chapter assesses classification and the design/existence of related measures against the ROSA information security and privacy certification framework. Necessary actions are identified and prioritized to ensure appropriate protection of entrusted personal data.
  4. Security incidents and/or data breaches. In case of a (suspected) security incident and/or data breach, the educational institution can contact NXT Chapter Ltd., Corleseweg 22, 7102 EV, Winterswijk, phone 0640545142, available Monday to Friday from 09:00 to 17:00. Outside those hours, contact [email protected].
  5. Informing about data breaches and/or security incidents. NXT Chapter uses a fixed protocol for incident and breach notifications. It always informs the educational institution’s DPO (or management if absent) within a maximum of 24 hours after detection. The procedure includes at least:
    • How incidents are monitored and identified.
    • How information is shared (email, phone).
    • Who is informed (contacts and contact details), and with whom NXT Chapter coordinates follow-up.
    • Which information is always shared about an incident:
      1. Characteristics of the incident (date/time of detection, summary, nature and impact on reading/copying/modifying/deleting/destroying/theft of personal data).
      2. Cause of the security incident.
      3. Measures taken to prevent (further) damage.
      4. Affected parties and degree of impact.
      5. Scale of affected data subjects.
      6. Type of data affected (especially special/sensitive data, such as access/identification data, financial data or learning performance).
      7. Any agreements on whether and how the Processor can notify the Dutch Data Protection Authority.