Return To Venice, LLC Data Protection & Privacy Plan
Last Updated: May 6th, 2025
Description of the purpose(s) for which Return To Venice, LLC will receive/access PII
Return to Venice, LLC (RTV) has created an immersive, social studies digital program entitled “In the Footsteps of History” for K-12 standards-aligned educational purposes. RTV’s dashboard integrates with multiple other known platforms for SSO and rostering. Student first name, last name, and email address and teacher first name, last name, and email address may, subject to either LMS integration processes or manual roster uploads, be used for the purposes of logging into the RTV dashboard and licensing students so that all proprietary games, activities and pedagogy relating to our programming may be accessed by those students and teachers. Student identification is also associated with any student work assignment submissions to allow teachers to easily associate the work with the student. RTV does not have access to any user-created passwords used to access our dashboard.
Subcontractor Written Agreement Requirement
RTV does not currently utilize subcontractors. In the event that it shall in the future, a written contract shall be issued requiring the subcontractors to adhere to, at a minimum, materially similar data protection obligations imposed on RTV by state and federal laws and regulations, and the Contract.
Data Transition and Secure Destruction
Upon expiration or termination of the Contract, RTV shall securely delete and destroy all data. Upon request by the Educational Agency (EA), RTV shall securely transfer data to the EA, or a successor contractor at the EA’s option and written discretion, in a format agreed to by the parties.
Challenges to Data Accuracy
Parents, teachers, or principals who seek to challenge the accuracy of PII will do so by contacting the EA. If a correction to data is deemed necessary, the EA will notify RTV. RTV agrees to facilitate such corrections within 21 days of receiving the EA’s written request.
Secure Storage and Data Security
PII will be stored and protected using both RTV-owned and hosted solutions and cloud or infrastructure solutions owned and hosted by third parties. Third parties currently include Cloud66, Inc., DigitalOcean, LLC and Ednition (1Edtech partner).
Data security and privacy risk mitigation processes
RTV’s proprietary dashboard is owned and controlled by RTV and hosted on cloud servers (Cloud66 and DigitalOcean). All authorization for student access is conducted internally through RTV’s proprietary in-house controlled software. For the sake of clarity, the hosting provider cannot access the servers or any of the data on those servers that they provide to RTV.
Encryption
Data will be encrypted while in motion and at rest.
Data Security Implementation
RTV employs a continuous compliance program including: regular security assessments, ongoing policy updates, consistent monitoring, periodic compliance audits, and enforcement of all data protection controls throughout the contract lifecycle.
Safeguards & Practices
RTV employs a continuous compliance program including: regular security assessments, ongoing policy updates, consistent monitoring, periodic compliance audits, and enforcement of all data protection controls throughout the contract lifecycle.
Training Program
All employees and contractors are provided with privacy training documents published by the U.S. Department of Education’s Privacy Technical Assistance Center (PTAC), including Protecting Student Privacy While Using Online Educational Services and Best Practices for Data Destruction.
Written agreements include confidentiality terms, data handling requirements, security obligations, incident reporting protocols, and compliance enforcement procedures. All agreements are legally reviewed and tracked.
Incident Management
RTV’s incident response plan includes: breach detection, documented response procedures, investigation protocols, and post-incident analysis processes.
Data Transition
Data transition follows a documented protocol: inventory verification, secure transfer in agreed format, transfer confirmation, and transition completion certification.
Data Destruction
Secure destruction process includes: data identification, secure deletion using industry standards, and formal certification of destruction per US Department of Education’s PTAC Best Practices for Data Destruction.
Policy Alignment
RTV’s policies align with EA requirements through regular policy review, gap analysis, compliance mapping, and policy update processes.
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) Alignment
IDENTIFY (ID)
Asset Management (ID.AM): RTV’s system maintains a comprehensive asset inventory including: student data catalogs, system component tracking, automated device management, and risk-based classification of all assets.
Business Environment (ID.BE): RTV aligns its educational technology services with institutional goals through role-based access management and priority-based security controls.
Governance (ID.GV): RTV’s governance framework includes FERPA compliance controls, documented security policies, and regulatory monitoring systems.
Risk Assessment (ID.RA): Regular risk assessments evaluate threats to student data privacy, system vulnerabilities, and potential impacts on educational operations.
Risk Management Strategy (ID.RM): Third-party risk assessment program evaluates all service providers and technology partners.
PROTECT (PR)
Identity Management, Authentication and Access Control (PR.AC): Role-based access control implementation. Automated session management. Audit logging of all access attempts. Regular access reviews.
Awareness and Training (PR.AT): Security awareness and privacy training provided (materials from the U.S. Department of Education’s Privacy Technical Assistance Center (PTAC), including Protecting Student Privacy While Using Online Educational Services). Policy updates and notifications. Security best practices documentation. Incident response training.
Data Security (PR.DS): Encryption at rest and in transit. Data classification controls. Secure backup systems. Data integrity monitoring. Access logging and auditing.
Information Protection Processes and Procedures (PR.IP): Documented security policies. Regular policy reviews. Change management processes. Security procedure updates. Cross-department coordination.
Maintenance (PR.MA): Scheduled maintenance windows. Patch management program. System update procedures. Maintenance logging. Remote access controls.
Protective Technology (PR.PT): Security monitoring tools. Intrusion detection systems. Network security controls. Endpoint protection. Security tool maintenance.
DETECT (DE)
Security Continuous Monitoring (DE.CM): Daily automated scans check for unauthorized access attempts and system vulnerabilities. Monthly reports track system security status and identify potential issues.
Detection Processes (DE.DP): RTV uses standard monitoring software to detect problems, and regularly tests that detection tools are working properly. Staff reviews alerts during business hours.
RESPOND (RS)
Response Planning (RS.RP): RTV utilizes a basic incident response checklist to inform team members what to do when security issues are found. This includes whom to contact and what immediate and subsequent actions to take.
Communications (RS.CO): RTV maintains an updated contact list for security incidents and for informing all necessary parties, including school administrators and affected users.
Analysis (RS.AN): When an incident occurs, system logs are reviewed to understand what occurred and to document findings in a logged incident report.
Mitigation (RS.MI): Compromised accounts will be rapidly disabled and suspicious IP addresses blocked. Standard procedures are followed in containing, fixing, and preventing future security issues.
Improvements (RS.IM): Team meetings post-incident will be held to discuss what happened and update procedures if needed. Changes are documented and shared with relevant staff.
RECOVER (RC)
Recovery Planning (RC.RP): Recovery processes include detailed incident response protocols, regular testing of disaster recovery plans, and defined recovery time objectives (RTOs).
Improvements (RC.IM): Post-incident reviews are conducted to identify gaps and update recovery plans and staff training programs.
Communications (RC.CO): Restoration activities involve clear communication protocols with internal stakeholders, external service providers, and regulatory agencies, supported by pre-defined escalation procedures.