1. Speech Blubs Pro User Data Storage
The Speech Blubs Pro App User Data is protected using the methods described below in Safeguards and is stored in secure facilities with firewall protection. Blub Blub Inc. engages its subprocessors to store and process Speech Blubs Pro User Data. Blub Blub Inc. carries out adequate due diligence to ensure that any subprocessor or subcontractor can meet its obligations to Speech Blubs Pro under the law. Blub Blub Inc. will remain responsible for its compliance with its data protection obligations and for any acts or omissions of a subprocessor or subcontractor that cause Blub Blub Inc. to breach any of its data privacy and security obligations to you.
Concerning each subprocessor receiving User Data from Blub Blub Inc., Blub Blub Inc. will enter into a written agreement under which the subprocessor agrees it has no independent right of access to, use of, or disclosure of the Speech Blubs Pro User Data. Blub Blub Inc. will ensure the subprocessor agrees to apply security measures consistent with, or stronger than, those imposed on Blub Blub Inc. by law or contract.
On occasion, Blub Blub Inc. may engage subcontractors to perform duties on our behalf regarding Speech Blubs Pro User Data. With respect to each subcontractor who has access to Speech Blubs Pro User Data from Blub Blub Inc., Blub Blub Inc. will enter into a written agreement under which the subcontractor must participate in annual privacy and security training, be subject to background checks if the subcontractor has access to Student Data, and use security measures consistent with those imposed on Blub Blub Inc.
2. Safeguards
2.1 Privacy and Security by Design
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity of a data breach, Blub Blub Inc. implements appropriate technical and organizational measures to ensure a level of security appropriate to the nature of the data at risk and the risk of harm posed by exposure of the User Data to unauthorized persons.
2.2 NIST Cybersecurity Framework
Blub Blub Inc. has adopted the NIST Cybersecurity Framework, as updated from time to time, as its primary guidepost for selecting and implementing technologies, safeguards, and privacy practices. Blub Blub Inc. reserves the right to refer to and implement additional protection models where appropriate. Security practices implemented include but are not limited to (a) securing all communication via encrypted TLS protocols, (b) storing all passwords only as hashed strings, (c) not persisting User Data on devices, (d) continuous monitoring for activities posing a risk of breach and for actions that require accountability, (e) enforcing minimum password complexity, and (f) risk assessments of our practices and those of our subcontractors and subprocessors, conducted on an ongoing basis and at least annually.
2.3 Data Minimization
Blub Blub Inc. practices data minimization. When working with an OAuth or LMS provider, if the service sends us data elements we did not explicitly request, our policy is to ignore and delete the additional data elements.
2.4 Need-to-know Access, Confidentiality Promises, and Background Checks
Blub Blub Inc. employees, agents, and subcontractors are provided access to User Data on a need-to-know basis. Those with access to Student or Therapist data are subject to confidentiality obligations consistent with the promises and commitments in our Privacy Notice.
2.5 Encryption
Data is encrypted in transit and at rest using technologies and methodologies specified and permitted by the Secretary of the United States Department of Health and Human Services in guidance under Section 13402(H)(2) of Public Law 111-5. Secure transport layers are used to prevent unauthorized access. User Data and application access use TLS 1.2 for encryption in transit and AES256-CBC for encryption at rest.
2.6 Authenticated Access
User Data is only accessible through authenticated accounts. Where passwords are used, they are hashed and salted. We provide tools for you to reset passwords.
2.7 Portable Devices
Blub Blub Inc. uses portable computers and devices to access its servers. Portable computers and devices are secured with passcodes and passwords and are subject to remote erasure in the case of loss. No Student Data is stored on portable devices owned by Blub Blub Inc.
2.8 Backups
Blub Blub Inc. performs continuous data backups of User Data for system failure and disaster recovery purposes. Backups are encrypted. Backups are not used or accessed to recover deleted data. Backups are stored only for as long as necessary to serve their recovery purpose.
3. Security Incidents and Data Breaches
3.1 Security Investigations and Data Breaches
We investigate all security incidents. A security incident consists of unauthorized access to personally identifiable user data. We maintain a security response plan and a security incident tracking system. Not all security incidents are data breaches.
A "Data Breach" involves a release of personally identifiable user data that:
(a) compromises the confidentiality or integrity of the personally identifiable user data and, in doing so,
(b) is reasonably likely to cause harm to the data subjects impacted, and
(c) the harm is likely substantial (for example, exposure of financial information, account credentials, or medical information).
A security incident with unauthorized access to encrypted user data is not a breach if the encryption key is not accessed or acquired. A security incident in which another person at the same entity with a similar confidentiality obligation to the data subject as the account holder accesses user data is also not a breach.
3.2 Notices for Data Breaches
In the event of a Data Breach involving personally identifiable Speech Blubs Pro User Data, we will notify the account holders of record. Speech Blubs Pro does not collect or store the contact information of parents or legal guardians. If we have a signed privacy agreement with you, the security incident terms of that agreement supersede any conflicting terms in Section 3.
If personal information is involved, we will provide notice as soon as reasonably possible (within 7 days but usually sooner). Notices will include in plain language: (a) what happened, (b) what personally identifiable Speech Blubs Pro User Data was involved, (c) any information we have about when the incident occurred, (d) what measures we are taking, (e) what you can do, and, if applicable, (f) how to obtain more information about the investigation and/or resolution.
3.3 Notices for Security Incidents
At our discretion, we inform affected parties of security incidents that do not amount to a data breach, for informational and security purposes. These notices will contain the relevant information available to us and are directed to the affected parties as appropriate to their rights to be informed of the incident. For example, we may notify targets of a phishing attack launched against them. Such notices will include available information and how to contact our security team for further details.
3.4 Notice to Law Enforcement and Regulators
We will provide notices of data breaches to the appropriate regulators where required by law, and we may elect to provide such notice, at our option and in our sole discretion, where not required by law, unless we are under a lawful contract to the contrary. We will comply with law enforcement instructions to delay issuing notice where necessary to further an investigation.
3.5 Contact Information
Vulnerabilities, incidents, and data breaches can be reported to security@blubblub.org.
BLUB BLUB, INC., LAST UPDATE JANUARY 2025