How Dybuster Handles Data

Dybuster cares about your privacy. We handle the data entrusted to us carefully and use it solely for the purpose of supporting the software’s users. This page provides a summary of our learning support systems and explains what data is stored for which purposes and what technical precautions are taken to protect that data.

Table of Contents

Summary of the Dybuster Training Systems
Training and Coaching
Licenses and User Management
Data Security and Protection
Anonymous Accounts
Access to Data Controlled by User Roles
Use of Data by Dybuster
Normal Course of Action
Maintenance and Support
Transmitted and Stored Data
Password Policy
Data outside of the Dybuster Training Systems
Technical Provisions
Hosting Facility and Location
Data Encryption
Back-ups
Regulations
Governing Law
Data Privacy Officer

Summary of the Dybuster Training Systems

Training and Coaching

The Dybuster training systems, Dybuster Orthograph for writing and Dybuster Calcularis for math skills, are computer based training systems. The systems automatically evaluate the trainees' input, i.e. their answers to the posed tasks, and so estimate individual difficulties and strengths of the trainees with respect to the writing and math tasks contained in the training systems. Based on these estimations, the systems compute individually optimized learning plans. Trainees can work on their own with the training applications, while their parents and/or educators can supervise and support them using the coaching applications.

Initially, the training systems should be used 3 to 4 times a week for 15 to 20 minutes for an equivalent of 3 months or 12 training weeks. To allow for such regularity, a trainee can use the training applications on as many devices as the trainee has access to. In order for the trainee to continue working where he/she stopped on a different device and with his/her own individualized learning plan, the trainee's progress and learning plan is stored on a server. Besides the trainee, also his/her parents and/or educators can access the progress and learning plan data through the coaching applications in order to support the trainee. The exchange between the devices and the server is through the internet.

Figure 1: Overview of the Dybuster system and the data transmitted

To be able to provide an individualized learning plan, each trainee must be uniquely identifiable through his/her own user name. Also his/her parents and/or educator need to be uniquely identifiable through their user names in order to monitor that only persons entitled to access the trainee's data through the coaching applications are allowed to do so.

Licenses and User Management

Licenses, which grant access to users to the Dybuster systems, are rented for a limited time span, usually for 6 or 12 months. In case of private licenses, parents register a parent user for themselves and student users for their children, which will be associated with their parent user. In order for Dybuster and/or its distribution partners to invoice the parents, they must provide their real name and address, which will remain linked to their parent user for license validation and renewal. Providing their children's names or any other information about their children however is not required.

In case of institutional licenses, institutions acquire a teacher user with administration rights from Dybuster or one of its distribution partners. This teacher user with administration rights can generate teacher users, who in turn can generate student users for their students. The administrator user remains associated with the teacher users and they remain associated with their student users, indirectly also establishing an association between the teacher user with administration rights and the student users. For invoicing and communication, the institution must provide its name and address as well as the name of a contact person to Dybuster or one of its distribution partners. This information will be linked to the administrator user together with the license information for that institution. For teacher and student users, the validity of their license is checked through their association to the administrator user. Providing a real name or any other personal information about the teacher and student users is not required.

In case of a school district acquiring a license, the school district obtains a district administrator user, who in turn can create the institutions and their teacher users with administration rights. This will extend the chain of user associations from student users to teacher users to teacher users with administration rights to district administrator users. Only the district has to provide a real name and address for invoicing and communication purposes.

Data Security and Protection

General Remark: "Anonymous Accounts"

As mentioned above in Licenses and User Management, providing one address and contact person per customer (school district, school, family,...) is sufficient. Especially, no first or second names of students have to be provided. Only user names and passwords are mandatory. In order to make it nearly impossible for anybody to link a real student to a Dybuster student user, an educator or parent can use "anonymous usernames" like "MineyMouse27" or "batman493", and additionally also use non-specific passwords like "dog" or "i9Pxkr3". In this way only the educator or parent, who set up the student user(s), know the real student behind the user name (of course the student itself also has to know its user name).

First and family names of any user (teachers, students, administrator), e-mail address and gender can be provided as non-mandatory information. This information is used to address the students more personally, which drives engagement. Educators can e.g. print certificates for students, which will use the real name if available:

Figure 2: Certificate of Dybuster Orthograph for a student user. On the left, first and family name were provided for the users, which makes the certificate more personal and individual.

In Dybuster's experience, more than 95% of all institutions store the real names for their students, as it is more personal and therefore more engaging. It also facilitates handling by educators, as they can e.g. organize reports by real names instead of remembering user names. Providing an e-mail address allows sending certificates and reports automatically to student users. The gender is used to address them correctly in languages where boys and girls are addressed differently.

In Dybuster's opinion, the advantages of providing the non-mandatory information, especially the first name, is larger than the possible risks, which Dybuster rates quite low, because the data stored is hardly sensitive. It mostly consists of a list of answers to the tasks in the Dybuster training applications, albeit on a per user basis, see section above. Especially, it does not contain any information about grades, ethnicity, educators' assessments, social information etc. The most sensitive information in Dybuster's opinion is that a student is using Dybuster tools at all, because Dybuster tools are generally more frequently used by children with learning difficulties than by children without any learning problems. Therefore, using Dybuster tools might hint at learning difficulties.

District administrators and administrators of institutions can define within the Dybuster user management system a district or institution wide policy, that student users can only be generated with randomized user names and passwords, and that no other information about them can be provided.

Access to Data Controlled by User Roles

For institutions, Dybuster uses a multi-tier user hierarchy as follows:

Dybuster

Partner Users*

District Administrators

Teacher Users*

Student Users

For private users, the level of "District Administrators" does not exist and the level of "Teacher Users" is replaced by "Parent Users".

Each user can create users on the next lower level and define how many users they can create in turn on the next lower level. One or more "Teacher Users" in an institution can be given the role of the "Institution Administrator", allowing them to create other teacher users, and assign them the role of the Institution Administrator, too. One or more "Partner Users" in a partner entity can be given the role of "Partner Administrator", allowing them to create other partner users and assign them role of a partner administrator, too.

Each user can create reports only for the users created further down under his/her user. A user cannot access any data of any user not in his/her own section of the user hierarchy except from Teacher Users that are given the role of Institution Administrator, who can also create reports on the usage within the entire institution and by Student Users of other Teacher Users.

Use of Data by Dybuster

Normal Course of Action

Dybuster and its partners only use the user data, especially the student data, for the intervention and training services and for improving them. Especially, Dybuster and its partners do not use the data for marketing purposes, behavioral advertising, profiling purposes (other than individualize learning plans for the intervention itself), selling to third parties etc.

Dybuster reserves the right to use the usage data (current learning state and log of user actions) for its own research and continued development, once it anonymized it i.e. broke the connection between the usage data and the user. It also reserves the right to show the effectiveness of the intervention on aggregated, de-identified sets of data.

This use of data complies with legislation, especially with the Swiss law on data protection and privacy, see Regulations.

Maintenance and Support

For maintenance and updates to its hosting environments (see Hosting) there is no need for Dybuster employees or employees of its distribution partners to access individual data of users. It might be necessary to move blocks of data around, e.g. in case of re-organization of data structures, or data formats might be automatically changed or extended in order to support new features and new versions of the applications. Such actions however will be performed globally and anonymously without "looking" at the data whenever feasible.

In individual support incidents, i.e. incidents where a customer or user contacts Dybuster or one of its distribution partners concerning a problem of a specific user account, direct access and possibly also manual inspection of the user data of that account might be necessary. Neither Dybuster nor its distribution partners will perform such an inspection without prior contact by the customer or user.

The user data is stored by a random ID and not by a specific identifier like e.g. the user name. In most support incidents, communicating the random ID is sufficient, so that Dybuster does not even have to know the user name, institution, or similar. (The connection between the user data and the user name is stored separately and does not have to be retrieved for most support cases.)

Transmitted and Stored Data

The following table lists the data transmitted and stored and explains how all data gathered is necessary to perform the Dybuster services as explained above in Use of Data.

What is transmitted and stored? How is the transmitted data used?
User name, password The user name is linked to a random ID, which in turn is used to access the user's data. The password is used to decide if access should be given to that user. Also the validity of the user's license is checked.
Addition personal information (where provided): first and second name, e-mail-address, gender First and second name are used for displaying purposes only, like greeting a student by its first name instead of its user name.
Information about the user's institution: Dybuster ID, address, higher level users (teacher users, administrator users and/or parent users) The information about the institution is used to check the validity of the license. Also, it is used to display the address on e.g. reports.
Usage data: current learning state The current learning state allows the user to continue to work on a different computer instead of training the same in parallel on different computers.
Usage data: log with almost every input to Dybuster applications by a user. This information is condensed to a summary of the work (learning times, error types, solved tasks, etc.) presented to the educators in the coaching applications. Only with this information are the educators capable of best assisting a student. Further aggregated reports can be generated on institution and district level.
Technical data about the training session, especially: login- and logout time, version number of used program, computer ID This information is mainly used for technical support in case of errors. Additionally, it allows the educators to see in the coaching applications if there were connection issues.
In case of crashes of the installed version of Dybuster Calcularis: the user is asked if information about the crash should be sent to Dybuster. Targeted support.

Dybuster does not store any credit card information. If customers pay by credit card through the Dybuster web shop, then the entire credit card processing is handled by a certified service provider.

Password Policy

The passwords are transmitted as salted MD5 hashes. The customers can choose if the passwords should be stored by Dybuster in plain text or as hashes, too. The default is storing the passwords as hashes.

It is industry standard not to save the plain passwords of users but to store a hash of the password that allows to verify a password without reproducing it. This means that neither Dybuster nor any of its distribution partners will know a user's password, but that Dybuster can verify that they are valid. It also means that a user will not be able to see the password he/she selected. The only way to obtain a password is through a password reset mechanism, which in turn will require either an e-mail address or the superior user to set a new password altogether.

Dybuster suggest storing the student passwords in plain text. This is a lot more user friendly for educators, as it allows them to see the passwords of their students and e.g. print an instruction letter for home use containing the students’ credentials.

District administrators and administrators of institutions can define within the Dybuster user management system a district or institution wide policy on only using hashed passwords and for password complexity, length and expiration.

Data outside of the Dybuster Training Systems

As part of its marketing activities and to maintain customer relationships, Dybuster AG offers that individuals can sign up for e-mail newsletters and receive information about their program usage and licenses. The registration can be done without using the Dybuster training system. At the same time, it is not a prerequisite for the use of any trial versions. Finally, unsubscribing from the mailing lists is possible at any time.

Dybuster manages the corresponding mailing lists on the platform of MailChimp (www.mailchimp.com) and Customer.io (www.customer.io), and transmits the e-mail addresses as well as a minimum of additional data, which necessary to organize the newsletter, to MailChimp and Customer.io. The additional data, if provided by the person to Dybuster, are:

  • The language of the person, so that the messages can be sent in the appropriate language.
  • The name of the program (Orthograph or Calcularis or both) that the person uses or is interested in, and whether it is an institutional or private interest, so that the content relevant for the interests can be provided.
  • Possibly expiration dates of licenses to distinguish customers from non-customers in the newsletter.
  • First and last name of the person in order to address him/her in a friendly way.
  • Dybuster username to reference this username in the message or newsletter, if the person forgot the username.

The data will only be used to send Dybuster-related communications and newsletters. In particular, Dybuster does not promote other products or services or run online advertising. Neither MailChimp nor Customer.io themselves use the data provided by Dybuster and will not disclose it to third parties, unless this disclosure is describedin the "Data Processing Agreement" between Dybuster and MailChimp or Customer.io, so that MailChimp and Customer.io may provide critical services such as protection against abuse. This corresponds to the current case law in Switzerland, the EU and the USA. Dybuster, MailChimp as well as Customer.io comply with all legal regulations in these areas.

Technical Provisions

Hosting Facility and Location

Dybuster hosts the user data in different data centers depending on the location of its customers. All data centers and hosting environments used by Dybuster for user data fulfill the following conditions:

  • All servers are dedicated servers.
  • The servers are protected by dedicated firewalls.
  • The data centers guarantee an uptime of 99.99%.
  • Dybuster keeps operating systems, open source software and other software up to date.

U.S. Customers (us.dybuster.com)

The user data of U.S. customers is hosted in the U.S. This complies with federal law about storing student data within the U.S. The hosting facility complies with SOC 2 and PCI standards.

In order for a customer and all its associated users to be identified as located in the U.S., the customer has to provide the U.S. as its country (e.g. as part of the customer's address) to Dybuster or its distribution partner.

Canadian Customers (ca.dybuster.com)

The user data of Canadian customers is hosted in Canada. This complies with state law about storing student data within Canada.

In order for a customer and all its associated users to be identified as located in Canada, the customer has to provide Canada as its country (e.g. as part of the customer's address) to Dybuster or its distribution partner.

European and other customers

The user data of European customers and customers not explicitly mentioned above is hosted in Germany. Germany is a member of the European Union, governed by the European Union's laws on data protection, privacy and security.

For most countries, including all countries of EU and Switzerland, Germany is considered a "Save Harbor Country" for user data by the regulators. "Save Harbor Country" means that data hosted in Germany is as well protected as if hosted in the countries of the customers themselves.

Data Encryption

The following encryption systems are used to protect the data of users:

  • All communication involving user data (i.e. everything except automatic updates) is protected by SSL/TLS. The certificate can be checked by connecting to e.g. https://go.dybuster.com/ and displaying the certificate information as in Figure 3.
  • The locally stored credentials for offline usage are protected with salted MD5 hashes.
  • The locally stored progress information is protected by the user's password and stored in binary format.
Figure 3: SSL certificate of go.dybuster.com

Back-ups and Data Persistence of User Data

All back-ups by Dybuster of user data is encrypted both in transit as well as on disc. The user data is protected against getting lost by the following backup-system:

  • The usage data stored on the "Progress" and "Learning Plan Storage" server (see Figure 1), is continuously backed up to a second server in the data center.
  • The "User Management" and "Licensing" data (user names, passwords, institution-user-relationships, etc) is mirrored once a day to a second server.
  • From that second server at the data center, the data is backed up nightly to a server off-site. These off-site locations are:
    • For US customers: a second data center in the US.
    • For Canadian customers: a second data center in Canada.
    • For European and other customers: Server at Dybuster's office in Zurich.

In general, Dybuster believes that the technical provisions it takes to protect the data are sensible and state of the art for software like the Dybuster programs. Of course, these provisions do not prevent entities, which could possibly break SSL encryption, from accessing the data. Also, two way authentications like for online banking software would offer slightly more protection. But it would make handling for schools almost impossible.

Regulations

Governing Law

Dybuster is a Swiss company governed by Swiss laws. It adheres to the Swiss law of data protection, the "Bundesgesetz über den Datenschutz". It also adheres to the "General Data Protection Regulation" of the European Union (from 25th May 2018). These regulations e.g. include:

  • The right of each user to obtain insight into all personal data Dybuster stored about the user.
  • The right of each user to have his/her personal data completely deleted ("Right to erasure").
  • The right of each user to have his/her personal data corrected ("Right to rectification").

Additionally, Dybuster adheres to local data protection and data security laws of its customers such as FERPA, SOPIPA and COPPA (where applicable) for the U.S.

If you are in doubt if you are allowed to use Dybuster applications under your local regulations, please contact Dybuster or your local distribution partner for Dybuster products to enquire about your local regulations and how they apply to Dybuster.

Data Privacy Officer

The CEO of Dybuster is responsible for all public relations of Dybuster. In this role, the CEO is also Dybuster Data Privacy and Security Officer.

The Data Privacy Officer i.e. the CEO of Dybuster in the role as Data Privacy Officer can be reached at dpo@dybuster.com.

Zurich, 12/14/2018