MDM Academy Data Governance Plan
For School Districts & Administrators
For District Technology Directors
This document provides the technical and procedural details needed for your district’s technology review process. MDM Academy is designed to meet the requirements of NJ Administrative Code 6A:32-7 (Student Records) and aligns with the SDPC National Data Processing Agreement framework.
1. Data Classification
| Classification | Data Elements | Protection Level |
|---|---|---|
| Directory Information | Student first name, last initial | Standard encryption |
| Education Records | Reading levels, quiz scores, writing responses, phonics progress | Enhanced encryption + access controls |
| Teacher Professional Data | Name, email, school, voice recordings | Standard encryption + consent-based |
| Not Collected | SSN, DOB, address, phone, photos, biometrics, health data, financial data | N/A — never collected |
2. Data Processing Agreement (DPA)
MDM Academy offers a Data Processing Agreement aligned with the Student Data Privacy Consortium (SDPC) National DPA. Our DPA covers:
- Exhibit A: Description of data elements collected and purposes
- Exhibit B: Data security plan and technical safeguards
- Exhibit C: Subprocessor list with data handling descriptions
- Exhibit D: Breach notification procedures
- Exhibit E: Data deletion certification process
Request a DPA: Contact [email protected] with your district name and we will provide a pre-filled DPA for your review within 5 business days.
3. Data Lifecycle Management
3.1 Collection
- Student data is collected only when a teacher adds students to a class
- Minimum necessary data principle: only first name, last initial, reading level, and age group
- No automated data collection from student devices (no cookies, no tracking pixels, no device fingerprinting)
3.2 Storage
- All data stored in encrypted cloud databases (AES-256 at rest)
- Data centers located in the United States
- No data stored on student devices beyond session cookies (12-hour expiry)
- Backups encrypted and retained for 30 days for disaster recovery
3.3 Retention Schedule
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| Student records | End of school year or subscription | Automatic prompt + school confirmation |
| Reading/quiz data | Same as student records | Cascade deletion with student |
| Writing responses | Same as student records | Cascade deletion with student |
| Teacher accounts | Until school requests removal | School admin or teacher request |
| Voice recordings | Until teacher requests removal | Teacher consent withdrawal |
| Server logs | 90 days | Automatic rotation |
3.4 Deletion
- Schools can request deletion at any time via email to [email protected]
- Deletion is completed within 30 days of request
- A deletion certification is provided to the school upon completion
- Backup copies are purged within 30 days of the deletion request
4. Access Controls
| Role | Access Level | Authentication |
|---|---|---|
| Student | Own reading data, stories, rewards only | Class code + name selection (no password) |
| Teacher | Own classes and students only | Email + bcrypt-hashed password |
| MDM Admin | Platform operations (no student PII access) | OAuth + MFA |
5. Incident Response Plan
- Detection: Automated monitoring for unauthorized access attempts, unusual data access patterns, and system anomalies
- Containment: Immediate isolation of affected systems within 1 hour of detection
- Notification: School district notified within 72 hours of confirmed breach
- Investigation: Full forensic analysis with findings shared with affected districts
- Remediation: Implementation of corrective measures and updated security controls
- Documentation: Complete incident report provided to affected districts
6. Compliance Certifications
FERPA
School official exception; legitimate educational interest only
COPPA
School consent model; minimal data collection; no behavioral advertising
NJ Student Data Privacy Act
No sale of data; no non-educational profiling; breach notification
SDPC National DPA
Aligned with Student Data Privacy Consortium framework
7. Annual Review
This Data Governance Plan is reviewed annually and updated as needed. Schools will be notified of material changes at least 30 days before they take effect. The most recent version is always available at this URL.
8. Contact
Data Governance Inquiries
Email: [email protected]
School partnerships: [email protected]
DPA requests are processed within 5 business days.