Privacy and Data Security

We understand the importance of data security and respect your privacy. Safeguarding the confidentiality of your information is a top priority, and we encourage you to review this policy to see how we protect your personal and school data. We will never sell or share your personally identifiable information (PII) with third parties for marketing or any other purposes outside the provision of a school’s START program, or for limited, legitimate reasons as outlined in the policy below.

Our services include:

  • START: Sustainability Tracking, Analytics & Roadmap Tool: START is a subscription-based dashboard that schools use to benchmark, plan, document, and collaborate on their sustainability programs. Each school has its own private START account, accessible only to the START Administrators, and those authorized users added by the school. START is hosted on the Maalka platform and managed by the GSA-START and Maalka teams.

  • The Community: The Community is an online network for adult (18+) school sustainability champions (teachers, sustainability coordinators, facilities managers, principals, etc.). It includes discussion forums, collaboration groups, private messaging, and an extensive resource library. The Community is hosted on the Mighty Networks platform and managed by the GSA-START Team.

    Below, you'll find detailed information on data privacy and security for each service.

If you have specific preferences or concerns regarding your school’s information, please don't hesitate to contact us at start@greenschoolsalliance.org.

Overview: START Data Privacy and Security

START: Sustainability Tracking, Analytics & Roadmap Tool

Safeguarding the confidentiality of your information is a priority for us. We encourage you to review this policy to better understand how your data is protected, as well as your participation options for sharing your school’s START performance and progress.

1. Summary

We will never sell or share your personally identifiable information (PII) with third parties for marketing or any other purposes outside the provision of a school’s START program, or for limited, legitimate reasons as outlined in the policy below.

You have the right to request that the GSA and Maalka delete any of your personal information that they have collected from you and retained.

The Personally Identifiable Information (PII) collected and stored is an individual user’s first name, last name, email address, and affiliated school.

  • Student PII collected and stored on the dashboard is used solely for user management purposes. This information will never be shared, sold, or used beyond the agreed-upon services, which include providing access to the START dashboard, the Student Resource Library, and the START Newsletter.

  • The PII of any user added to a school's START account is collected and stored solely for user management purposes. This information will never be shared, sold, or used beyond the agreed-upon services, including providing access to the START dashboard, inviting users to the Community, and sharing the START Newsletter.

2. What information is collected?

To provide access to the START platform and ensure accurate school association, we collect and securely store the following information:

>> For User Logins:

  • Secure logins and user-authentication are ensured through Okta.

  • The Personally Identifiable Information (PII) collected and stored is an individual user’s first name, last name, email address, and affiliated school.

>> For School Accounts:

  • School name, address, and type.

  • Additional information may be collected and stored if users manually add or upload data to the school's START dashboard.

3. When and how is this information used?

We collect and use your Personal Data only where:

  • We need it to operate and provide you with our products and services, provide customer support and personalized features, and to protect the safety and security of our products and services;

  • It satisfies a legitimate interest of the Green Schools Alliance or Maalka (which is not overridden by your data protection interests), such as for research and development, to provide information to you about our products and services that we believe you and your organization may find useful, and to protect our legal rights and interests;

  • You give us consent to do so for a specific purpose; or

  • We need to comply with a legal obligation.

4. How is this information securely stored?

  • School and START User data is securely hosted on a dedicated server owned by Maalka, the software developer of START.

  • For detailed information, please refer to the Maalka Privacy Policy.

5. Sharing of School Identity as a START Participant:

  • Your school’s name and address are used to identify your school as a START participant.

  • When your school’s START account is created, your school will automatically be added to the START Schools map/list, visible on the GSA website (About START > Bottom of the page). It may also be included in outreach and fundraising materials.

  • If you do not want your school to be included in the publicly visible map/list, contact start@greenschoolsalliance.org.

6. Access to School Data:

  • GSA START administrators require access to school START dashboards in order to administer the platform and troubleshoot technical issues.

  • The GSA START administrators have access to all school data added or uploaded to your START dashboard. However, your school data is treated with the utmost confidentiality and is accessed solely for the purpose of ensuring the smooth functioning and improvement of the START program.

  • There is strict limitation of access to personally identifiable information (PII) by GSA personnel (2 staff members).

  • We adhere to stringent security protocols and ethical standards to safeguard your information, prioritizing the privacy and trust of our participating schools.

  • We strongly advise against uploading or adding student academic records or sensitive personal information to START.

7. Inclusion in Group/Regional Analytics:

Through group-level analysis of benchmarking and building analytics data, START aims to gain valuable insights into the regional, national, and global school sustainability landscapes. For example, we’d like to know, “In Oklahoma, 23% of participating schools have attained Tier 1 for Metric 4: Student Orientation”, or “On average, private schools in California emit 500 million metric tons of CO2 annually” (Note: these exemplars are not based on actual data).  

The benefits of group analytics are vast, from identifying successful models and specific regional challenges to providing valuable data for researchers, local sustainability initiatives, policymakers, education departments and others.

  • Schools can choose whether they want to be included or excluded from regional or global analytics within START.

  • A school is automatically opted in to group analytics; however, your main START users can opt your school out by contacting start@greenschoolsalliance.org, or via the START Dashboard (School Info button > School Settings > School Excluded from Analysis > Yes).

8. Express Permission for Identification in Case Studies:

  • In the event of considering a particular school for a case study, the GSA will obtain express permission from the school, represented by their Main START User, prior to any publication of a case study that includes the school’s identity.

9. Inclusion in the START Schools Directory:

The START School Directory, hosted in the Community, enables participants to explore other schools' START Performance. This has the benefit of supporting collaboration and sharing of best practices, as well as creating a spirit of friendly competition between schools.

  • For each school participating in START, the following information is shared in the START Directory: school location, school type, the START Scorecard, and a list-view of the school’s achievement (Tier 1, Tier 2, Tier 3) for each metric.

  • If the school selects full participation in the Directory, the school’s name and Main START Contact will be included.

  • If the school selects anonymous participation, the school will be referred to generically in the Directory (e.g., "School A, Private Co-ed in California"), and the Main START Contact’s details will be excluded.

START: CCPA Compliance (California)

The California Consumer Privacy Act of 2018 (CCPA) requires us to disclose information regarding the categories of personal information that we have collected about California consumers, the categories of sources from which the information was collected, the business or commercial purposes for which the information was collected, and the categories of parties with whom we share it.

START Users have the following rights:

  • Right to Know About Personal Data Collected, Disclosed, or Sold. You have the right to request that we disclose what Personal Data we collect, use, disclose, and sell.

  • Right to Request Deletion of Personal Data. You have the right to request the deletion of your Personal Data collected or maintained by us as a business.

  • Right to Opt-Out of the Sale of Personal Data. You have the right to opt-out of the sale of your Personal Data by us as a business, in the event we sell Personal Data.

  • Right to Non-Discrimination for the Exercise of Your Privacy Rights. You have the right not to receive discriminatory treatment by us for the exercise of your privacy rights conferred by the CCPA.

  • Authorized Agent. You may designate an authorized agent to make a request under the CCPA on your behalf by providing us with a copy of your power-of-attorney document granting that right.

  • Financial Incentives. We do not provide any financial incentives tied to the collection, sale, or deletion of your Personal Data.

California Notice of Collection and Use:

We or our service providers may use or disclose the Personal Information we collect for one or more of the following business purposes:

  • To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to ask a question about our Services, we will use that Personal Information to respond to your inquiry.

  • To provide, support, personalize, and develop our Services.

  • To create, maintain, customize, and secure your member or school account with us.

  • To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.

  • To personalize your Services experience and to deliver content and product and service offerings relevant to your interests.

  • For testing, research, analysis, and product development, including to develop and improve our Services.

  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.

  • As described to you when collecting your Personal Information or as otherwise set forth in the CCPA.

  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of START’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information held by us about our Members and Hosts is among the assets transferred.

We will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions.

If you have specific preferences or concerns regarding your school’s information, please don't hesitate to contact us at start@greenschoolsalliance.org.

Categories of Personal Information, Sources, and Third Parties We Share It With:

START: New York State Ed Law 2 Compliance

We are committed to protecting the privacy and security of all personally identifiable information (PII) entrusted to us by schools, students, teachers, and principals. Our platform complies with New York State Education Law 2-d, ensuring the highest standards of data protection and security.

The Personally Identifiable Information (PII) collected and stored is an individual user’s first name, last name, email address, and affiliated school.

  • Student PII collected and stored on the dashboard is used solely for user management purposes. This information will never be shared, sold, or used beyond the agreed-upon services, which include providing access to the START dashboard, the Student Resource Library, and the START Newsletter.

  • The PII of any user added to a school's START account is collected and stored solely for user management purposes. This information will never be shared, sold, or used beyond the agreed-upon services, including providing access to the START dashboard, inviting users to the Community, and sharing the START Newsletter.

    Ed Law 2-d Compliance

  1. Data Security and Privacy Plan

    • Our platform operates under a comprehensive data security and privacy plan that safeguards all PII from unauthorized access or misuse.

  2. Cyber Incident Plan

    • We have implemented a robust cyber incident and breach response plan to quickly identify, address, and mitigate any potential security threats. Schools are promptly notified in the event of a data breach involving PII.

  3. NIST Cybersecurity Framework Compliance

    • We adhere to the NIST Cybersecurity Framework, ensuring a proactive and standardized approach to managing data security risks. This includes but is not limited to:

    • Periodic risk assessments to evaluate potential vulnerabilities.

    • Defined roles and responsibilities within the Incident Response Team (START and Maalka teams)

    • Implementation of safeguards to ensure the delivery of services, including:

    • Access Control:

      • Strong password policies and multi-factor authentication (MFA) for all START platform users are ensured through Okta.

      • Access to sensitive data is limited to authorized personnel only.

    • Data Security: All START data is secured on a dedicated server managed by Maalka with encryption at rest and in transit. Backup data is encrypted and stored in secure, password-protected systems.

    • Awareness and Training: Authorized START administrators receive cybersecurity training and sign the START Data Privacy Policy.

    • Maintenance: Maalka performs scheduled security audits and penetration tests, and software and systems are regularly updated by Maalka to address known vulnerabilities. 

    • Cyber Incident Response Plan: START’s CIRP, agreed to by the START and Maalka teams, outlines containment, eradication, and recovery processes.

    • Recovery Planning: Secure backups are stored on a secure Maalka server.

  4. Limited Access to PII

    • Access to PII is restricted to authorized personnel on the START and Maalka teams who require it to add and manage users in START. All personnel are trained in data privacy protocols to maintain compliance.

  5. No Commercial Disclosure

    • PII will never be disclosed to third parties for non-educational or commercial purposes.

Vendor Bill of Rights

As a vendor supporting New York schools, we uphold the rights of schools and their communities by adhering to the Ed Law 2-d Bill of Rights. This includes:

  • Exclusive Purpose for Data Use: All data collected is used solely for the purpose of administering the START program, as agreed upon by a participating school.

  • Subcontractor Oversight Plan: Maalka, our partner and the software developer for START, is trained in data privacy and security and adheres to all applicable data privacy standards.

  • Data Disposal Plan: PII is securely deleted or destroyed upon contract termination, ensuring no unauthorized retention of sensitive information.

  • Data Accuracy and Correction: Schools may request corrections to data to maintain accuracy and ensure fair representation.

  • Security Protections: Industry-standard encryption, access controls, and secure storage protocols are employed to safeguard all data.

  • Data Location Transparency: Information about where data is stored and processed is available to schools upon request. Contact start@greenschoolsalliance.org.

  • Encryption Practices: All PII is encrypted both at rest and in transit to ensure data remains protected.

START: GDPR Compliance (EU)

The General Data Protection Regulation (GDPR) is a data privacy and security law enacted by the European Union (EU). It applies to all organizations operating within the EU, as well as those outside the EU that offer goods or services to individuals within the EU. The GDPR is designed to protect the personal data and privacy of EU residents.

You have the right to request that the GSA and Maalka delete any of your personal information that they collected from you and retained.

We collect and use your Personal Data only where:

  • We need it to operate and provide you with our products and services, provide customer support and personalized features, and to protect the safety and security of our products and services;

  • It satisfies a legitimate interest of Maalka’s (which is not overridden by your data protection interests), such as for research and development, to provide information to you about our products and services that we believe you and your organization may find useful, and to protect our legal rights and interests;

  • You give us consent to do so for a specific purpose; or

  • We need to comply with a legal obligation.

Community: Data Privacy & Security Overview

The GSA Community is a peer-to-peer network and online community for adult (18+) school sustainability champions. It includes discussion forums, private messaging within the community, and a library of recommended resources. The GSA Community is hosted on the Mighty Networks (MN) platform, and administered by the core START Team.

You have the right to request that Mighty Networks delete any of your personal information that they have collected from you and retained.

IMPORTANT: To safeguard the privacy and security of minors, no student under 18 years is permitted in the Community or in its Collaboration Groups. Students can access resources via the START Student Hub.

1. What information is collected?

By START:

  • First name, last name, and email address.

  • Additional information, added manually by individual user: Over 18 years old (yes/no), affiliated organization name, city, state and country; school role.

By Mighty Networks:

  • According to Mighty Networks, the only information that MN collects from Members for their own purposes is IP Address and mobile device ID. Additional information can be found in Mighty Networks' Privacy and Security Policy.

2. When and how is this information used?

  • The START Team and Mighty Networks collect information for legitimate interests, which include the following:

    • Provide Services. To provide you and your Hosts (START) the Service they offer, communicate with you about your use of the Mighty Network, respond to your inquiries, provide troubleshooting, and for other customer service purposes.

    • Performance of a Contract. To fulfill an agreement between you and Mighty Networks, you and your Host (START), or you and a third-party offering services on the Mighty Network.

    • Personalization. To personalize your experiences while using the Mighty Networks Platform.

    • Analytics. To gather metrics to better understand how users access and use the Mighty Networks Platform; to evaluate and improve the Mighty Networks Platform, and to develop new products and services.

    • Comply with Law. To comply with legal obligations, as part of their general business operations, and for other business administration purposes.

    • Prevent Misuse. Where they believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person or violations of the Mighty Networks Terms of Use or this Privacy Policy.

3. Sharing of School Identity as a START Participant (START schools only):

  • If a school has joined START, that school’s name and address are used to identify your school as a START participant in the START Schools Directory (housed in the Community).

  • A School’s Main START User and Supporting User are added to a collaborative group within the Community for START Schools in their region. In this group, users are identified by their first and last name, and any information they choose to share with the group.

  • Schools and individuals can opt out any time by contacting start@greenschoolsalliance.org.

4. Express Permission for Identification in Case Studies:

  • In the event of considering a particular school for a case study, START will obtain express permission from the school, represented by their Main START User, prior to any publication of a case study that includes the school’s identity.

5. Inclusion in the START Schools Directory:

The START Schools Directory within the Community enables participants to explore other schools' START Performance. This has the benefit of supporting collaboration and sharing of best practices, as well as creating a spirit of friendly competition between schools.

  • For each school participating in START, the following information is shared in the START Directory: school location, school type, the START Scorecard, and a list-view of the school’s achievement (Tier 1, Tier 2, Tier 3) for each metric.

  • If the school selects full participation in the Directory, the school’s name and Main START Contact will be included.

  • If the school selects anonymous participation, the school will be referred to generically in the Directory (e.g., "School A, Private Co-ed in California"), and the Main START Contact’s details will be excluded.

  • Authorized members of a school’s START program can adjust preferences any time by contacting start@greenschoolsalliance.org.

Community: New York State Ed Law 2 Compliance

The Community is hosted on the Mighty Networks platform and administered by the core START team (“Hosts”).

  • START will never sell or share your personally identifiable information (PII) with third parties for marketing or any purposes beyond providing invited or added users with access to the Community and its collaboration spaces, as well as sharing program updates and recommended resources.

  • Mighty Networks does not sell your data and adheres to standards outlined in the CCPA and GDPR.

NOTE: Only adult school members (18+) are invited to join the Community. Students can access resources via the START Student Hub.

All members are strongly advised not to post any sensitive personal information in the Community.

Ed Law 2-d Compliance

  1. Data Security and Privacy Plan

  2. Cyber Incident Plan

    • Mighty’s software engineers complete regular API reviews and code reviews to address security issues upfront. In addition, a full suite of tests runs in our Continuous Integration (CI) systems to verify the security measures that have been put in place continue to function on an ongoing basis. Read more here.

  3. NIST Cybersecurity Framework Compliance

    • According to the detailed measures outlined in their data processing addendum, Mighty Networks’ practices adhere to those outlined in the NIST Cybersecurity Framework.

    • Governance: Mighty Networks employs measures for internal IT and IT security governance and management, including an Information Security Roles and Responsibilities Policy, Information Security Policy, and Operations Security Policy. (Learn more in the MN Data Processing Addendum)

    • Protections: Read about Mighty Networks’ safeguards in 6.1: Security Measures.

    • Cybersecurity risk detection: According to their Security FAQs, Mighty Networks conducts penetration testing for proper security enforcement through an automated testing suite. They also regularly upgrade all software packages/dependencies in order to prevent security vulnerabilities due to third-party code.

    • Restricted access: Access to PII is restricted to authorized START personnel who require it to add and manage users in the Community. Additionally, Mighty Networks outlines third-party access in Section 3 of their CCPA Compliance notice.

  4. No Commercial Disclosure

    • Mighty Networks affirms that it does not sell your Personal Information. (Section 4: CCPA)

Vendor Bill of Rights

As a vendor supporting New York schools, we uphold the rights of schools and their communities by adhering to the Ed Law 2-d Bill of Rights. This includes:

  • Exclusive Purpose for Data Use: Mighty Networks does not sell your data. Information is collected for legitimate interests outlined here.

  • Subcontractor Oversight Plan: Refer to section 3 of the Mighty Networks Data Processing Addendum.

  • Data Disposal Plan: PII is securely deleted or destroyed upon contract termination, ensuring no unauthorized retention of sensitive information. According to Mighty Networks’ privacy policy, data is soft-purged initially in order to allow recovery from any mistakes. In addition, old soft-purged data will be permanently deleted on a periodic basis.

  • Data Accuracy and Correction: To keep your Personal Data accurate, current, and complete, please update your account settings or contact Mighty Networks (help@mightynetworks.com). You can also contact the Mighty Networks Help Desk within your account.

  • Security Protections: According to 11. Security of your Personal Data, Mighty Networks “use[s] appropriate technical and organizational measures including encryption, aggregation, and pseudonymization to protect your Personal Data provided via the Service from loss, misuse, and unauthorized access or use, disclosure, alteration, or destruction.” Read more about Mighty Networks’ safeguards in 6.1: Security Measures.

  • Data Location Transparency: According to Mighty Networks, all data is stored in Amazon Web Services (AWS). For more information, please see here.

  • Encryption Practices: According to Mighty Networks, all PII is encrypted both at rest and in transit to ensure data remains protected:

    • All communications with the service are encrypted through HTTPS using TLS 1.2 or higher.

    • Member and Host content is encrypted at rest on AWS.

    • All user passwords have an extra layer of encryption when at rest with a one-way hash, which cannot be reversed.

    • Mighty Networks does not back up or store physical media. Backups are handled in AWS.

Community: CCPA Compliance

The California Consumer Privacy Act of 2018 (CCPA) requires platform providers to disclose information regarding the categories of Personal Information that they have collected about California consumers, the categories of sources from which the information was collected, the business or commercial purposes (as those terms are defined by applicable law) for which the information was collected, and the categories of parties with whom they share it.

The Community is hosted on the Mighty Networks platform. You can read about Mighty Networks’ CCPA compliance here.

Community: EU Compliance

The Community is hosted on the Mighty Networks platform and administered by the Core START Team.

  • START will not sell your personal data – such as your name and contact information – to third parties to use for their own marketing purposes. All data collected is used solely for the purpose of administering the Community.

  • According to their GDPR Compliance Summary, Mighty Networks does not sell your personal data – such as your name and contact information – to third parties to use for their own marketing purposes.

According to Mighty Networks, information is collected for legitimate interests, which include the following:

  • Provide Services. To provide you and your Hosts (START) the Service they offer, communicate with you about your use of the Mighty Network, respond to your inquiries, provide troubleshooting, and for other customer service purposes.

  • Performance of a Contract. To fulfill an agreement between you and Mighty Networks, you and your Host (START), or you and a third-party offering services on the Mighty Network.

  • Personalization. To personalize your experiences while using the Mighty Networks Platform.

  • Analytics. To gather metrics to better understand how users access and use the Mighty Networks Platform; to evaluate and improve the Mighty Networks Platform, and to develop new products and services.

  • Comply with Law. To comply with legal obligations, as part of their general business operations, and for other business administration purposes.

  • Prevent Misuse. Where they believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person or violations of the Mighty Networks Terms of Use or this Privacy Policy.

Read more about Mighty Networks’ EU-Compliance here.

Questions? Contact start@greenschoolsalliance.org