GDPR

GDPR Compliance

OVERVIEW

Blindside Networks Inc. (“We”) provide hosting for BigBlueButton to education and commercial organizations for using BigBlueButton.  Our goal is to enable remote students to have a high quality online learning experience.

We take the privacy of your personal information very seriously.  

Together with our Privacy Policy (available at https://blindsidenetworks.com/privacy), this document will help you better understand the personal information we collect, why we collect it, how we use it, and how we protect it.  In full compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), which comes into effect May 25, 2018, this document also explains the various rights of the data subject, including the right of access and the right to erasure (aka “the right to be forgotten”).  In full compliance with the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99 (“FERPA”), this document also confirms our compliance with, and support of, FERPA.

Hosting for BigBlueButton

BigBlueButton is a web conferencing system designed for online learning.  It enables students and instructors to collaborate in real-time. This collaboration includes sharing one or more of audio, video, slides, chat, screen, emojis, and responding to polls.  

The collaboration may also be recorded.

Grant of Consent

The majority of users access BigBlueButton through a learning management system (LMS) such as Schoology, Canvas, Sakai, Moodle, Atutor, etc.  We collectively refer to these systems as a “Front End”.

The LMS is hosted by an organization (such as a educational institution or commercial company) you may be enrolled in the organization as student or work there as a employee. Consistent with GDPR, we refer to these organizations (aka our customers) as the “Data Controller”.  You may access BigBlueButton via a tool or plugin embedded in the Front End; in this regard, we are a “Data Processor”.

Each Front End has its own Terms of Use which you either accepted directly (when you initially logged into the LMS) or were asked to accept by us, on behalf of the LMS.  In accordance with these terms of use and consistent with our Privacy Policy, you gave the LMS and us permission to collect, use and share your personal information.

Our Collection and Use of Your Personal Information

We capture personal information when you login to BigBlueButton and when you share information during a live session (such as an online class).  Furthermore, if the session is recorded, then personal information may also appear in the subsequent recording (such as your chat messages).

What happens when you login?

When you login to BigBlueButton through a Front End, we receive (at minimum) two pieces of information: your full name and an ID (this is a unique identifier internal to the Front End).

We also receive additional information during the join process, which may include:

  • a URL back to the Front End (this enables BigBlueButton to return you back to the Front End after you log out);
  • the associated course ID/name (this is usually embedded in the Logout URL); and
  • your IP address, browser, and OS in our web server logs.  

We use this additional data to provide you support (such as troubleshooting a support ticket to see if your browser is out-of-date) and for creating usage reports that we make available to the Data Controller.

What data do we receive when you participate in a meeting?

During a live meeting, you may exchange audio, video, slides, desktop, chat, and emoji icons, responses to polls, closed captioning, and whiteboard annotations, and other content during a session.  We collectively refer to this content as “Meeting Data”.

The BigBlueButton client sends/receives Meeting Data to the server via encrypted channels (RTMPS, HTTPS, and DTLS).

Where do we store Meeting Data?

Not all Meeting Data is stored.  Storage of the Meeting Data depends on whether (a) the meeting was recorded, and whether (b) the moderator (usually the instructor) marked any segments of the meeting for later processing into a recording for playback.

Generally speaking, there are three cases for the storage of Meeting Data:

Case 1:  For an unrecorded meeting, we do not store any Meeting Data on the BigBlueButton server after the meeting finishes.

Case 2:  For a recorded meeting without Start/Stop record marks, we store the Meeting Data on the BigBlueButton server for 14 days, after which it is automatically deleted.  

Case 3:  For a recorded meeting with Start/Stop record marks, we still store the Meeting Data on the BigBlueButton server for 14 days (after which it is automatically deleted); however, the BigBlueButton server also compresses the Meeting Data (“Compressed Meeting Data”) and uploads it to our hosting infrastructure where it is processed into a recording that you can later view by clicking a URL (a “Recording Link”) in the Front End.

The actual recording may include more than one format, such as a video file or an HTML5 page that summarizes user statistics for the session (“Meeting Statistics”).

To help you better understand these storage options, here is a sample recording and sample Meeting Statistics.  The Meeting Statistics gives the instructor the ability to gauge and measure of participation in the class.  This data includes:

  • User Name
  • isModerator (true/false)
  • Number of times chatted
  • Number of times talked
  • Number of times shared emoji
  • Number of times raised hand
  • Response to polls
  • Total time talking
  • Total time in session
  • Join date/time
  • Leave date/time

 

In Cases 2 and 3, depending on the location of the customer, we store the Meeting Data in Amazon S3 in one of four regions: Canada, US, Europe (Ireland), and Australia.  For example, the storage of Meeting Data for a customer based in the European Union is the Amazon S3 data center in Ireland. For greater clarity, customers in the EU always have their Meeting Data hosted on servers located in the EU.  

For how long do we store Meeting Data?

For some customers, we automatically delete their Meeting Data (and any associated recordings) within 7 or 14 days.  For others, we delete their Meeting Data only upon request by the instructor (using a “delete recording” button in the Front End).

If a Data Controller ceases to be a customer, we delete all recordings and data associated with the customer within 90 days of the end of their contract with us.

How do we restrict access to Meeting Data?

For access to live meeting sessions, users can only login via the Front End or by invitation from a moderator (a guest link).

For access to a Recording Link, users can login via the Front End to access the link.

Generally speaking, Recording Links are static and can be shared with others; however, on request by some of our customers, we further restrict access to Recording Links by generating a new and temporal Recording Link each time the user views the list of recordings (“Restricted Recording Links”).  

For example, if you click the following Restricted Recording Link, you’ll get a 404 error.

While we can’t prevent a user from recording their screen while watching a recording, with Restricted Recording Links, we’ve made it more difficult for users to casually share a recording that might include your personal information.

What information do we retain for support purposes and for how long?

As described above, we capture user metrics and logs during a session to better enable us to provide customer support.  BigBlueButton servers record metrics for each meeting and for each user in a meeting (“Support Data”).

We use this Support Data to resolve support issues such as:

  • Diagnosing login issues in a meeting
  • Diagnosing audio quality issues for users in a meeting
  • Locating and recovering an accidentally deleted recording (if it was accidentally deleted within 14 days of the origin of the meeting).

 

This Support Data includes:

  • Full Name
  • Browser
  • Operating system
  • Start time
  • Length of time in session
  • Three octets of the user’s IP address (e.g. 192.168.0.)
  • % of audio packets dropped
  • # of times reconnected
  • Connectivity logs generated by the BigBlueButton client (these logs specify when network connections are created/dropped to by the BigBlueButton client to the BigBlueButton server).
  • Any feedback provided by the user on their experience using BigBlueButton when the session ends

 

We store all Support Data on servers in Canada.

If a Data Controller ceases to be a customer, we delete all Support Data associated with the customer within 90 days of the end of their contract with us.

How Do We Secure Our Infrastructure?

We adhere to a number of industry best practices for securing our infrastructure, which include:

  • We restrict access to all servers containing personal information to only a few employees in the company.  
  • We disable password access to all servers (access is only through revocable keys).
  • All servers are regularly updated with the latest security patches.
  • All employees are trained on our privacy policy.
  • We annually contract for penetration testing performed by a 3rd party on our infrastructure.

 

Who Is the Data Protection Officer (DPO) for Blindside Networks?

The DPO is Gail Chalmin.  You can contact her at privacy@blindsidenetworks.com.

How Can You Request Access to Your Personal Information?

We recommend you first contact the Data Controller (the organization providing the Front End for accessing BigBlueButton).  

You may request a full report on the personal information we hold for you by sending an e-mail to privacy@blindsidenetworks.com.

In the subject line, please indicate “Request for Personal Information”.  In your email, please specify:

  1. Your full Name
  2. Whether you are an individual or a representative of a Data Controller
  3. If you are an individual, the name of your Data Controller (the organization providing you access to BigBlueButton)

 

Please note that will will need to share your request with the Data Controller to verify and action it.  We will endeavor to fulfill all access requests within 30 days of receipt.

How Can You Request Deletion of Your Personal Information?

We recommend you first contact the Data Controller (the organization providing the Front End for accessing BigBlueButton).  

You may request deletion of personal information by sending an e-mail to privacy@blindsidenetworks.com.

Use the subject “Request for Deletion”

In the subject line, please indicate “Request for Deletion”.  In your email, please specify:

  1. Your full Name
  2. Whether you are an individual or a representative of a Data Controller
  3. If you are an individual, the name of your Data Controller (the organization providing you access to BigBlueButton)

 

Please note that will will need to share your request with the Data Controller to verify and action it.  We will endeavor to fulfill all access requests within 30 days of receipt.

How Can You Contact Us?

If you have any questions about this document or our support for GDPR or about our Privacy Policy, please contact us directly at privacy@blindsidenetworks.com.

Subprocessors for GDPR

Digital Ocean, OVH, and Amazon Web Services (Hosting), ZenSell (CRM), Google Apps (e-mails).

Last Updated: June 13, 2022