Bongo’s Compliance Standards, Regulations & Certifications

SOC2 Type 1

Systems and Organization Controls 2 (SOC 2) is an audit process that evaluates a company’s ability to securely manage the data collected and used during business operations. By undergoing a SOC 2 audit, Bongo Learn Inc. demonstrates that it is able to meet the security criteria that prospective customers need to see in order to confidently share their data (and often their customers’ data) with Bongo. SOC 2 is developed and administered by the American Institute of Certified Public Accountants (AICPA). 

SOC 2 is a report based on AICPA’s existing Trust Services principles and criteria. The purpose of the SOC 2 report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, and confidentiality or privacy.

Bongo’s SOC2 Type 1 report can be requested under a non-disclosure process. Please contact [email protected] to make such a request.

GDPR

For individuals based in the European Union (EU), European Economic Area (EEA) and Switzerland. Bongo is the controller of your personal data collected in the following instances:

• When you visit our Website: www.bongolearn.com
• When we process your personal data for sales and marketing purposes

Bongo is a processor of all personal data processed on the Application, on behalf of our Clients. We only process the personal data under their direction. Please contact your employer or the organization that granted you access to the Application for details on their privacy practices.

We only process personal data if we have a lawful basis for doing so. The lawful bases applicable to our processing as controller are:

• Consent – We will ask for your express and informed consent every time we collect your personal data on this legal basis.
• Contractual basis – We process the personal data as necessary to fulfill our contractual terms with you or our Clients.
• Legitimate interest – We process the names, contact details, job titles, companies of our existing and prospective clients for our marketing purposes, including market research and sales leads generation. 

You have the following rights under the GDPR:

• Be informed about the collection and use of your personal data
• Access your personal data
• Correct errors in your personal data
• Erase your personal data
• Object to the processing of your personal data.

• This right is also available to individuals whose personal data is processed by us for direct marketing purposes. If you object to the processing of your personal data for direct marketing purposes, we shall stop processing within 30 days of receipt of your request. 

• Export your personal data
• Restrict our processing of your personal data for specific reasons, including any of the purposes supported by the legitimate interest legal bases. (see the section above). 

Bongo Learn Inc. and our service providers comply with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework principles as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information from the European Union and Switzerland to the United States.

If there is any conflict between the terms in this privacy statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

The Federal Trade Commission has jurisdiction over our compliance with the Privacy Shield. We may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We are responsible for any of your Personal Information that is shared under the onward transfer principle with third parties for external processing on our behalf, as described in the “use of Personal Information” section.

In compliance with the Privacy Shield Principles Bongo commits to resolve complaints about our collection or use of your Personal Information. European Union individuals with inquiries or complaints regarding our Privacy Shield policy should first contact us at [email protected] or by using the contact information posted in the sections below.

Bongo has further committed to refer unresolved Privacy Shield complaints to PrivacyTrust, an alternative dispute resolution provider located in the United Kingdom. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.privacytrust.com/drs/edupresent for more information or to file a complaint.  The services of PrivacyTrust are provided at no cost to you. To access our PrivacyTrust certificate, please visit https://www.privacytrust.com/cert/481619.html. This is the process for an individual to invoke binding arbitration if they are not satisfied with the response from [email protected].

For more information about the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield, or to access our Privacy Shield certification statement, please visit www.privacyshield.gov

CCPA

This section provides additional specific information for consumers based in California as required by the California Consumer Privacy Act of 2018 (“CCPA”).

Collection and Use of Personal Information

In the last 12 months, we have collected the following categories of personal information:

• Identifiers, such as your name, email address, or other similar identifiers.
• California Customer Records (Cal. Civ. Code § 1798.80(e)), such as username and password, company name, business email address, and department.
• Internet/Network Information, such as your browsing history, log and analytics data, information about the device(s) used to access the Services and information regarding your interaction with our websites or Services and other usage data.
• Geolocation Data, such as information about your location (at country and city level) collected from your IP address.
• Sensory Information, the content, audio and video recordings created using the Bongo application.
• Profession/Employment Information that you include in your CV, cover letter and send to us when applying for a position.
• Other Personal Information, such as personal information you provide to us in relation to a survey, comment, question, request, article download or inquiry and any other information you upload to our Application.

We collect personal information directly from you, from your browser or device when you visit our websites, from third parties that you permit to share your information or from third parties that share public information about you and as stated above.

See the section above, “How we use personal information,” to understand how we use the personal information collected from California consumers.

Recipients of Personal Information

We share personal information with third parties for business purposes. The categories of third parties to whom we disclose your personal information may include: (i) our service providers and advisors, (ii) marketing and strategic partners; and (iii) analytics providers. 

Please see the “How We Share Information” section of the Privacy Policy above for more information.

California Privacy Rights

As a California resident, you may be able to exercise the following rights in relation to the personal information about you that we have collected (subject to certain limitations at law):

• The Right to Know any or all of the following information relating to your personal information we have collected and disclosed in the last 12 months, upon verification of your identity;
• The specific pieces of personal information we have collected about you;
• The categories of personal information we have collected about you;
• The categories of sources of the personal information;
• The categories of personal information that we have disclosed to third parties for a business purpose, and the categories of recipients to whom this information was disclosed;
• The categories of personal information we have sold and the categories of third parties to whom the information was sold; and
• The business or commercial purposes for collecting or selling the personal information.
• The Right to Request Deletion of personal information we have collected from you, subject to certain exceptions.
• The Right to Opt-Out of Personal Information sales to third parties now or in the future. However, we do not sell your personal information.

You also have the right to be free of discrimination for exercising these rights. 

Please note that if the exercise of these rights limits our ability to process personal information (such as a deletion request), we may no longer be able to provide you with our products and services or engage with you in the same manner.

How to Exercise Your California Consumer Rights

To exercise your right to know and/or your right to deletion, please submit a request by contacting us at [email protected].

We will need to verify your identity before processing your request. 

In order to verify your identity, we will generally require sufficient information from you so that we can match it to the information we maintain about you in our systems. Sometimes we may need additional personal information from you to be able to identify you. We will notify you. 

We may decline a request to exercise the right to know and/or right to deletion, particularly where we are unable to verify your identity or locate your information in our systems or as permitted by law.

You may choose to designate an authorized agent to make a request under the CCPA on your behalf. No information will be disclosed until the authorized agent’s authority has been reviewed and verified. Once a request has been submitted by an authorized agent, we may require additional information (i.e. written authorization from you) to confirm the authorized agent’s authority. 

If you are an employee/former employee of a Bongo Client that uses our application and services, please direct your requests and/or questions directly to your employer/former employer.

If you are a third party (auditor, business associate etc.), who was given access to the Bongo application by a Bongo Client, please direct your requests and/or questions directly to the Bongo Client that gave you access.

HIPAA

The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. 

Specific definitions: 

(a) Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall refer to Bongo. 

(b) Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean {Company or Institution}. 

(c) HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164. 

Obligations and Activities of Bongo 

Bongo agrees to: 

(a) Not use or disclose protected health information other than as permitted or required by the Agreement or as required by law; 

(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronically protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement; 

(c) Report to the covered entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware; 

(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of Bongo agree to the same restrictions, conditions, and requirements that apply to Bongo with respect to such information; 

(e) Make available protected health information in a designated record set to the Company or Institution as necessary to satisfy the covered entity’s obligations under 45 CFR 164.524; 

(f) Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy the covered entity’s obligations under 45 CFR 164.526; 

(g) Maintain and make available the information required to provide an accounting of disclosures to the Company or Institution as necessary to satisfy the covered entity’s obligations under 45 CFR 164.528; 

(h) To the extent Bongo is to carry out one or more of covered entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s); and 

Permitted Uses and Disclosures by Business Associate 

(a) Bongo may only use or disclose protected health information in reference to an underlying service agreement, such as is “necessary to perform the services set forth in Service Agreement.” and as agreed upon with the Company or Institution. 

(b) Bongo may use or disclose protected health information as required by law. 

(c) Bongo agrees to make uses and disclosures and requests for protected health information when consistent with covered entity’s minimum necessary policies and procedures. 

(d) Bongo may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by Company or Institution except for the specific uses and disclosures set forth below. 

(e) Bongo may use protected health information for the proper management and administration of Bongo or to carry out the legal responsibilities of Bongo. 

(f) Bongo may provide data aggregation services relating to the health care operation education of the Company or Institution.

FERPA

FERPA, the Family Educational Rights and Privacy Act of 1974 or the Buckley Amendment, is a federal law that affords students certain rights with respect to their education records. An education record contains information directly related to a student and are maintained by an educational agency or institution or by a party acting for the agency or institution.

Combinations of student names, courses, and video recordings would be considered an academic record.

Bongo acts as a third party and maintains compliance with FERPA on behalf of the institution.

Bongo never holds unencrypted academic records. All data that enters our system has been encrypted by the learning management system (LMS) and can only be unlocked by authorized users within the LMS. Bongo utilizes the LMS to gain information about the user’s role. This restricts information from being shared with users who do not fall under the “School Official or administator” role. The entire process is transparent to the end-user, but prevents Bongo and unauthorized individuals from accessing student data. Bongo will never expose any personally identifiable information (PII) and institutions can feel confident in extending their FERPA liability to Bongo.