This document provides an overview of the controls that we have in place to ensure that personal information is processed appropriately.
As the world around us continues to evolve and shift, Edge Factor’s commitment to the users of our platform remains steadfast. We are committed to providing an excellent and safe user experience for the millions of people who access our platform.
This document provides an overview of the controls that we have in place to ensure that personal information is processed appropriately. It also allows us to demonstrate to ourselves, our clients, and to privacy commissioners that we have the capacity to comply and that we comply with our legal obligations. This document focuses on personal data as defined in the EU General Data Protection Regulation:
Personal data means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
We use this definition over the PIPEDA’s definition as increasingly sophisticated methods can be used to piece together seemingly innocuous data points to reveal a person’s identity.
Please take into consideration that while we have worked on this with experts in the privacy field, we are not lawyers. This is why the information in this document should not be construed as legal advice. However, we do want you to know that we fully understand the regulations and are committed to helping you achieve compliance.
Last modified on August 26, 2024.
The Edge Factor site delivers story-driven media and modular learning objects to guide students and job-seekers on their career journey. Our platform allows educators to guide and speak into their students' career journey from start to finish. It also allows companies and community leaders to showcase career and training opportunities to local users in their community.
As a company we are subject to Canadian privacy law and PIPEDA. Since we manage the personally identifiable information (“PII” or “Personal Data”) of millions of users across Canada and the United States we are required to abide by several other privacy laws and acts. We are committed to satisfying all applicable legal requirements, including PIPEDA, COPPA, and FERPA. We also recognize that while we don’t have any European users they may visit our platform and we may collect information on them in the form of a cookie or through an email. Consequently, we are committed to achieving compliance with the GDPR.
Our Privacy Policy governs the use of the Edge Factor site and services. For the usage of the site and services, Edge Factor collects personal data as a Processor.
The personal data processed by Edge Factor typically belongs to one of three categories of data subjects:
For Students, the personal data can consist of: general identification, authentication and authorization data (i.e. login method you are using), configuration of your user profile (i.e. what grade and classes you are in), personal interests, and any other answers to learning objects that you have interacted with on the service. This is highly configurable.
For Educators, the personal data typically consists of: general identification, contact information, authentication and authorization data, configuration of the user profile, professional interests, and comments or assessments on a student's classwork for a certain class.
For Community Members, the personal data typically consists of: general identification, contact information, authentication and authorization data, configuration of the user profile, and professional interests.
It is an organization's responsibility to correctly configure the platform through the Privacy Settings page to choose what information they allow Edge Factor to collect. It is also their exclusive responsibility to ensure that this customisation is lawful with regards to the relevant legislation.
Personal data is processed solely for the purpose of providing, managing and further developing the software on your behalf, and for supporting you in the use of the software. This is a detailed list of data processing activities for providing the services as agreed under the Terms of Use.
Through our platform, you have access to the personal data collected on your behalf.
Authorized staff of Edge Factor also have access to your data for support, development and debugging purposes, on a strict need-to-know basis. All Edge Factor staff are bound to confidentiality using a nondisclosure agreement that is part of their employment contract.
We also have an internal code of conduct for dealing with customer data that is widely communicated throughout the company, and data privacy and confidentiality are key topics in our security and privacy awareness program.
In the sense of the EU General Data Protection Regulation, Edge Factor will act as a Processor of personal data on behalf of an organization, the data Controller. Together we ensure that your users’ personal data is protected. To define our mutual rights and obligations, you must enter into a Data Processing Agreement (DPA) with us. Edge Factor has developed a standard DPA. It accurately describes the privacy and data protection characteristics of the Edge Factor platform, including the confidentiality requirements, the use of sub-processors, data breach notification details, the right to audit, transfer of personal data, data subject requests, law enforcement requests, indemnity, and data retention, return and destruction. It also includes a description of the roles and responsibilities, contact details for security and privacy communication, the categories of personal data processed, categories of data subjects, the purposes of personal data processing and the technical and organizational security measures taken by Edge Factor.
Since our service offering is standardized for all customers, we require our customers who provide personal data on behalf of people who want to use the platform to use our standard agreement, to ensure that all relevant matters have been accurately described.
Considering the very competitive pricing of our product as well as the large number of organizations we are supporting, we unfortunately do not have the means to evaluate alternative Data Processing Agreements proposed by our customers. Our own DPA has been carefully drafted by an expert and fully complies with the GDPR.
As a data Controller you are responsible for deciding how long you want us to keep personal data. You can enforce this by emailing privacy@edgefactor.com and requesting we remove personal data.
As the Processor we only keep personal data for as long as someone has an active Edge Factor user account. If a user is inactive on the platform for a period of 24 months we will notify the user that their personal data will soon be deleted. If the user does not login within 30 days of receiving this email we will erase, destroy, and render unreadable, all user personally identifiable information in its entirety in a manner that prevents its physical reconstruction through the use of commonly available file restoration utilities.
We may maintain anonymized or aggregated data, including usage data, for analytics purposes.
Our Services are delivered as a standardized platform in the form of Software as a Service (SaaS). The following table provides an overview of the responsibilities of both parties involved:
As a Processor we make use of two sub-processors in order to provide the service: Microsoft Azure (Azure) and HubSpot. All Edge Factor systems are hosted by Microsoft Azure, a company located at 1 Microsoft Way, Redmond, WA, USA. Edge Factor has entered into a Data Processing Agreement with Azure. Microsoft Azure complies with the PIPEDA and with the GDPR. Data from Canadian users will be stored in an Azure datacenter in Canada and data from American users will be stored in an Azure datacenter in the United States of America, so no specific legal mechanism is required for this transfer.
Emails to users are sent through HubSpot, Inc., a company located at 25 First Street, 2nd Floor, Cambridge, MA 02141, USA. Edge Factor has entered into a Data Processing Agreement with HubSpot, which complies with the EU-U.S. Privacy Shield and therefore provides an adequate level of protection for personal data.
Although unlikely, Edge Factor may choose to employ other sub-processors to process personal data. We will ensure that all sub-processors provide an adequate level of protection and that all legal requirements for such a relationship are met, by entering into a Data Processing Agreement and, where applicable, verifying registration with the EU-U.S. Privacy Shield or any other approved transfer mechanism. If we choose to employ another sub-processor, we will inform you, after which you will have 30 days to object to the use of this new sub-processor.
Edge Factor endeavors to develop its services using the Privacy by Design and Privacy by Default philosophies. This means we consider privacy and personal data protection throughout all parts of our product development lifecycle. Our services are designed to limit personal data collection by default, requiring you as a customer to explicitly enable features that collect more information. Our default settings reflect this philosophy, and our development team is committed to continuously implement the principles of the General Data Protection Regulation (GDPR) in their efforts to advance our software even further.
Edge Factor takes adequate technical and organizational measures to protect personal data against loss or unlawful processing. For more information about Edge Factor’s security, see our Information Security Policy.
Personal Data is stored by default in the country of origin. This means that if your organization is located in Canada your user Personal Data will be stored on servers in Canada.
Data from Canadian users will be stored and processed in Canada. Data from users in the United States will be stored and processed in the United States. In the future, we may choose to add additional locations within the European Union.
Upon termination of the contract, Edge Factor will, on your written request, return all collected (personal) data that you provided in CSV format.
In the event that we become aware of a personal data breach, we will inform affected Edge Factor customers without undue delay, so that you can fulfill your data breach notification requirements. For this purpose, please ensure to provide accurate contact information. Edge Factor has internal policies and procedures to ensure that employees recognise and report possible data leaks to management. These policies and procedures are highlighted during security and privacy awareness training.
Edge Factor will cooperate with all legal requests from competent authorities, provided that cooperation is mandatory. Where legally allowed, we will inform you without undue delay of such requests if you are the Controller of the requested data.
Edge Factor will cooperate with all legal requests from competent Data Protection Authorities, provided that cooperation is mandatory.
Should you have any further questions about the privacy aspects of our services, please contact our Privacy Officer at privacy@edgefactor.com.
.svg)
.svg)
.svg)
