In the course of using Book Creator you share with us some of your most personal information: pictures, stories and videos which you have poured your heart into. Not to mention your email address and school information when you sign up.
We have always taken the responsibility of looking after your data incredibly seriously and we have structured Book Creator and how we operate around keeping this information safe. Doing this is a difficult task that needs us to make progress on several fronts. This post will remind you of our approach and announce some recent work we’ve done to stay ahead of the game in a few of these areas.
Today we are introducing:
- A new Data Protection Addendum for our EU customers.
- A detailed Transfer Impact Assessment document that outlines the legal basis for the transfer of European customers’ data to the US.
- A commitment to build a version of Book Creator that maintains data within the EU.
- An FAQ that explains the above in plain language.
Read on to find out more.
Private by Design
It costs a lot of money to build and run a service like Book Creator and that money has to come from somewhere. We have always been clear that we will never sell your data to advertisers, or anyone else for that matter. Our business model is simple: teachers and schools pay for access to Book Creator. This is a critical pillar supporting our approach to privacy without which we would not be in a position to run Book Creator. Thankfully we are able to extend the same privacy guarantees to those of you who use the free version.
Book Creator is used by students and teachers in 159 countries. There is a huge landscape of important policies, laws and regulations at the school, state, national and continental level that you need us to understand and comply with. As such we take the time to read the privacy agreements that you send us and understand the legal frameworks that inform them. We have become experts in laws such as the GDPR in the EU, national laws in America and Canada such as COPPA, FERPA and MFIPPA as well as state laws such as CSPC, NY 2D, SOPPA and many more across the world. Our knowledge of these regulations strongly influences how we build and operate Book Creator.
This is a continual process: policies, laws and regulations regarding data are always undergoing review and improvement. We follow the development of new regulation closely, listen to the guidance offered by regulatory bodies such as the EDPB and the ICO, and adjust our approach accordingly.
For those of you in the US we make it easy for you to verify these claims by maintaining a certification with the Internet Keep Safe Alliance. We also regularly sign and upload state-wide privacy agreements at the Student Data Privacy Consortium (SDPC). We always sign an “Exhibit E” which makes it really easy for you to get a contractual promise that we understand and comply with the relevant federal and state laws. Simply check the SDPC site for your state and sign and return a copy of an Exhibit E taken from an existing agreement - this PDF from the SDPC shows you how to generate and upload an Exhibit E.
If you are in the UK or the EU then we maintain a Data Processing Addendum which you can sign and return in order to be assured of our ongoing GDPR compliance. We updated this today to add a bit more detail and keep it up to date with the latest legislation.
We’ve received a lot of questions about the “Schrems II verdict” from the European Court of Justice and the recently released guidance from the European Data Protection Board. Specifically, you want to know how the transfer of data to Google Cloud in the US remains compliant in light of the above, as book data is kept exclusively on Google Cloud systems located in the continental United States. To document the risks associated with such a transfer and the many and varied approaches that we use to protect your data we have produced a detailed Transfer Impact Agreement as well as an easier to digest FAQ document that explains things in plain(er) english. We have additionally adopted and certified our usage of the new EU Supplementary Contractual Clauses with Google Cloud as described in this PDF.
Some of you have been asking us if we intend to provide a version of Book Creator that stores and processes data solely within the EU. Today we are announcing a commitment to make that happen as soon as commercially possible. This won’t be a quick process as there are quite a few things that need to happen before we can realistically offer this. For example we eagerly await Google Cloud’s recently announced Sovereign Cloud in Germany supporting all the services that we require to run Book Creator. We’ll keep you updated as things move forward.
To implement all of this we partner with Google Cloud to offer world class security. Alongside our own information security management systems, they help us implement strong protection for your data. Starting with a set of transparency and data protection principles they go on to implement a comprehensive set of systems and certifications that cover all the physical and virtual infrastructure that we rely on to provide you with Book Creator. You can read more about our work with Google Cloud in this case study and more about our security and compliance in the Google Cloud Trust and Security portal.
We hope that knowing a bit about what goes on behind the scenes will enable you and your students to keep producing amazing books, safe in the knowledge that the data you entrust to us is well looked after. We can’t wait to see what you write next.
Thom joined Book Creator in January 2020 to help run the engineering team and understand the needs of our bigger customers. He brings a strong security and privacy mindset from his years leading public cloud infrastructure teams, and doughnuts on Tuesdays.