Flint Inc (flintk12.com)

Last Updated: December 18th, 2024

Flint Data Protection Impact Assessment (DPIA)

Description of processing

AI system data processing

The Flint K12 platform processes personal data through its educational technology infrastructure and AI-powered features. The core AI services are provided by two main sub-processors, Anthropic and OpenAI, with all data storage and platform hosting managed through Amazon Web Services (AWS). The system creates interactive educational activities by processing teacher-uploaded materials and student interactions while maintaining strict data privacy controls.

The platform's data processing occurs through secure rostering integrations with Student Information Systems (SIS) and Learning Management Systems (LMS). AI systems interact with this data solely to personalize educational experiences based on explicit inputs from teachers and students, with no student data used for AI model training or stored beyond its educational purpose. All processing occurs through secured API interactions with the designated AI providers.

Purposes of processing

The platform processes personal data to manage user authentication and access control through approved single sign-on systems (Google and Microsoft). It tracks and assesses student learning progress within the educational context while facilitating communication between students and AI-powered educational tools. The system creates and delivers personalized educational content based on teacher requirements, maintains necessary records for educational assessment and progress tracking, and supports school administrative functions through roster management and course organization.

Categories of personal data

The platform collects and processes several categories of personal data. Basic identification data includes names (first and last), email addresses, Google profile pictures (when provided), and account credentials for authentication. Educational data encompasses course enrollment information, associated courses at the school, learning progress data, and assessment results. System usage data includes browser type and operating system, web pages viewed and links clicked, time spent on various platform features, language preferences, device name and model, and IP address (for system functionality only). Student-created content comprises chat message history with AI chatbots, assignment submissions, essay texts, audio recordings (where applicable), and other educational contributions.

Data flows and storage

All data processing and storage operations are conducted within the United States through a robust infrastructure. The storage architecture maintains primary data storage on AWS servers within the United States, implementing a triple-redundancy backup system across different U.S. regions. While no EU-specific data storage is currently maintained, the company is compliant with the EU-U.S. Data Privacy Framework (DPF).

Data flow paths begin with initial data collection through secure school system integrations, followed by processing through approved sub-processors: Anthropic, OpenAI, and AWS. All data transfers utilize encrypted connections, and access to data is strictly controlled through role-based authentication.

Retention periods

The platform retains data indefinitely while accounts are active, unless deletion is specifically requested. Upon receiving a deletion request, all associated data is removed within 30 days. Account-linked data is maintained only for the duration of active user accounts, with backup data retained in accordance with the triple-redundancy system requirements. Schools can request complete data deletion for their entire institution at any time.

Necessity assessment

Justification for data collection

Authentication data, including names, emails, and credentials, serves as the foundation for secure account management and access control. This information is essential for maintaining user security, enabling communication, and ensuring compliance with educational privacy regulations. Educational data, comprising course enrollment and progress information, is fundamental to providing core educational services and facilitating appropriate content delivery. This data enables accurate tracking of student progress and supports teacher assessment and feedback processes. Usage data regarding system interactions is required for maintaining functionality, improving user experience, and ensuring service reliability through effective troubleshooting and optimization.

Processing for proportionality

The platform's data processing approach demonstrates strict proportionality to its educational objectives. Only essential student information is collected and processed, with all data processing strictly limited to educational purposes. The platform prohibits any marketing or commercial use of student data, ensuring that each data element collected serves a specific, documented educational purpose. All processing activities are carefully aligned with school requirements and educational needs, maintaining a balance between functionality and privacy protection.

Evaluation of less intrusive alternatives

The current implementation represents the minimum data processing necessary to achieve the platform's educational objectives. Alternative approaches would require more extensive data collection or processing, making them less privacy-protective. The platform operates on data minimization principles, carefully balancing the need for functionality with privacy concerns. Any reduction in data collection would compromise core educational functionality; the current processing methods are optimized for privacy while maintaining service quality.

Risk assessment

Identification of potential risks to data subjects

The platform acknowledges several potential risks for student users, particularly minors. These include unauthorized access to educational records and personal information, potential misuse of student-created content, privacy concerns related to AI interaction history, and risks associated with long-term data retention and cross-border data transfer. For teachers and administrators, risks encompass access control and authentication security, professional privacy concerns, data accuracy and integrity risks, and system access management challenges.

Analysis of AI-specific risks

The platform's AI implementation presents specific considerations that require careful management. Content appropriateness and safety risks from AI-generated materials are closely monitored, along with potential unintended bias in AI interactions. The system addresses transparency concerns regarding AI decision-making processes and maintains strict data processing boundaries between AI services and student data.

Security measures assessment

The platform implements comprehensive technical security measures, including end-to-end encryption for all data transmission, role-based access control systems, regular security audits and updates, and a triple-redundancy backup system. Organizational security measures complement these technical controls through clear privacy policies and procedures, an appointed Data Protection Officer, incident response planning, and regular security training and updates.

Special category data handling

The platform implements specific protections for sensitive data, ensuring that educational records are protected under FERPA guidelines and that enhanced protections are in place for users under 13 in compliance with COPPA. Strict controls govern access to student personal information, with special handling procedures for any sensitive educational content.

Risk mitigation efforts

Technical safeguards

A comprehensive system of technical controls protects data throughout its lifecycle. End-to-end encryption secures all data transmission, while secure storage with encryption at rest protects stored information. Protected API interactions with sub-processors and regular security patches and updates maintain system security. Access controls include role-based management, multi-factor authentication options, session management and timeout controls, and thorough audit logging and monitoring.

Organizational methods

The platform maintains a robust policy framework including comprehensive privacy policies, regular staff training programs, incident response procedures, and detailed data handling guidelines. The management structure includes an appointed Data Protection Officer, clear reporting lines for security incidents, regular policy reviews and updates, and thoroughly documented security procedures.

Specific protections for children's data

COPPA compliance measures include stringent parental consent requirements, age-appropriate privacy controls, restricted data sharing, and enhanced security measures. Educational privacy is maintained through FERPA compliance controls, school-based authorization systems, limited data collection from minors, and strict access controls.

Data subject rights procedures

The platform maintains clear processes for access request management, including a straightforward process for submitting requests, a 30-day response timeline, verification procedures, and documentation requirements. The rights exercise framework includes defined procedures for each right, school-based request coordination, clear communication channels, and regular process reviews.

AI-specific considerations

Model training data sources and quality

The platform maintains strict data usage limitations, ensuring no student data is used for AI model training. A clear separation exists between AI processing and student data, with regular quality assessments of AI outputs and documented data handling procedures.

Algorithm transparency and explainability

Transparency measures include clear documentation of AI usage, regular audits of AI interactions, teacher oversight of AI-generated content, and explicit consent requirements for AI features.

Automated decision-making impacts

The platform implements strict decision process controls, avoiding autonomous decision-making entirely. All personalization is based on explicit inputs, with mandatory teacher review requirements and clear documentation of AI influence.

Bias monitoring and mitigation

A comprehensive monitoring framework includes regular content safety audits, active bias detection systems, teacher review processes, and continuous monitoring protocols.

Compliance Demonstration

Legal bases for processing

The platform's processing activities are grounded in clear legal bases, including contractual agreements with educational institutions, parental consent frameworks, educational necessity, and legitimate interests assessment.

Regulatory Compliance

The platform maintains comprehensive compliance with multiple regulatory frameworks, including GDPR requirements, EU-U.S. Data Privacy Framework registration, FERPA guidelines, COPPA regulations, and local education laws.

Data Sharing Agreements

Third-party management is strictly controlled, limiting data sharing to essential sub-processors with whom DPAs are maintained. No commercial data sharing occurs, and regular compliance reviews ensure ongoing adherence to privacy requirements.

International Transfer Mechanisms

Transfer safeguards include EU-U.S. Data Privacy Framework compliance, standard contractual clauses, regular transfer impact assessments, and documented transfer procedures. These mechanisms ensure compliant international data transfers while maintaining data protection standards.