Privacy Policy

Last Updated: May 24, 2023

Introduction

We are Caribou Contests Inc. We operate the Caribou Contests website (cariboutests.com), and we are committed to making math fun for everyone through contests, games, and other activities on our online education platform. This page is used to inform website visitors regarding our policies with the collection, use, and disclosure of Personal Information when using our products and services on the Caribou Contests website.
Please read this Privacy Policy as well as our Terms & Conditions carefully before using the Caribou Contests website. For the purposes of this policy, “Caribou”, “Us”, “Our” and “We” refers to Caribou Contests Inc. and “You” and “Your” refers to you, the client, visitor, website user or person using our website.

1 General Principles

As detailed in the remainder of these policies our cyber security rests on the following philosophies:

  • We only collect the information required to support our users well, and no information that is irrelevant to our service. For example, we do not require a student’s email address, postal address, telephone number or any other personal information. We ask students to register with their name but do not require verification. Students can use alias names or initials if that is their school’s policy.
  • We restrict access to student data to the student themselves and to their teacher; we do not even give access to other teachers of the same school.
  • We do not provide an app. Nothing ever needs to be installed on phones or computers. Everything is a self-contained website.
  • We make any critical notice available on the website, where it would be easily seen by all students/teachers if there was a reason to announce it. In addition, critical notices would be sent to coordinators by email.
  • Based on these principles we adhere to standard international legislation on freedom of information and protection of privacy. For participants in Canada, Caribou Contests complies with the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal privacy law for private-sector organizations. For Ontario students, Caribou Contests complies with the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). For US schools, the Children’s Online Privacy Protection Act (COPPA) and the Family Educational Rights and Privacy Act (FERPA) are adhered to as well.

2 External Evaluations

In the latest evaluation by RiskRecon (riskrecon.com) we reached a perfect score of 10/10 in all 9 categories: Software Patching, Application Security, Web Encryption, Network Filtering, Breach Events, System Reputation, Email Security, DNS Security and System Hosting.
The Educational Computing Network of Ontario (ECNO) Cybersecurity group evaluated this site as very safe. Details are available on the ECNO site (https://ecno.org/) to the 71 of 72 Ontario school boards which subscribe to ECNO.

3 Data Stored

To summarize upfront, Caribou does not hold any data that could be used against students or coordinators (teachers).
The following are all the data stored about schools, coordinators (teachers) and students. These data are NOT available on our website; only student results are available, and only to the individual student and the direct coordinator (teacher) of that student, not to other coordinators of the same school.

  • For each contact person (teacher, librarian) we keep the contact details below; apart from their email address and, of course, their password, everything else is publicly available information about their institution (school/library):
     - name
     - email address (verified at time of entry)
     - the 128-bit MD5 hash of their password, not the password itself
     - phone number (optional)
     - any date of their choice to enable them to reset their password
     - Institution Name
     - Institution Address
     - City
     - Postal/Zip Code
     - Timezone
     - School board
  • For each student we store:
     - first name or initial of first name or alias first name
     - last name or initial of last name or alias last name
     - access code
     - selected options of contest questions
     - rank in the contests they participated in
     - submitted code in the coding contest
     - rights to access resources or to participate in contests, based on payments made
     - the list of completed worksheets of the optional GeomeTree online course to simplify continuing work in that mini course.
  • After the contest students can make comments and ask questions. Leaving their email address is optional and only needed if they want a response.
  • We offer the service of reminding students of upcoming contests. The subscriber list is stored separately and is not linked to their account at all; they can remove their entry at any time.
  • Any email help request from anyone, for example from administrators, teachers, parents and students, is deleted after being answered.
  • Information about our employees required by the Canada Revenue Agency is stored completely separately. It is not stored on the computers which host the website or the database.

We do NOT have a confirmed name of the student, their telephone number, or their address. We only have their email address if they voluntarily signed up on a subscription list for contest reminders or if they send comments and want a reply.
All student data are accessible only by the student themselves and their single coordinator (teacher) who downloaded the student’s access code. Following the law in some Canadian provinces, the student data are stored only at a Canadian Internet provider (vaxxine.com).
The student access codes are not encrypted because they are needed by the single teacher who downloaded them, to hand them out to their students and to remind students of their access code, which they frequently forget.

4 Data never obtained and thus not stored

  • Online payments are handled by PayPal; no credit card details and no PayPal account details are ever received.
  • We do not request, and therefore do not have, any student details such as real name, email address, home address, or telephone number. We only have the email address of those students who sent us questions to be answered by email.
  • We have no demographic information about students (sex, race) aside from school grade, beginning in the 2023-2024 school year. We use school grade data to provide an additional statistic and so that students can better see how they compare against others in the same school grade.

5 Access to Stored Data

Only ‘super admins’ have access to all data. Apart from Thomas Wolf, founder and CEO, the only other persons with super admin privileges are co-op student programmers for the duration of their four-month employment. They have to sign a non-disclosure agreement before starting their employment.
The only other access consists of students seeing their own results after signing in. Students cannot see other students’ results. A teacher can only access their own students’ results, not even the results of other students of their school, i.e. teachers of one school cannot see each other’s students’ results.
Student accounts change every year, i.e. each year students get a new access code. Coordinators (teachers) can choose the students’ names and often use alias names, initials or a generic name with a number index. Coordinators can edit these names at any time, for example for the purpose of printing certificates, and then change the names back to initials or alias names. Access to results for one student over multiple years would require knowing multiple usernames and passwords, which only the student and the teacher can know.

6 Deletion of Data

Student data are not deleted because students regularly ask for their previous years’ results when applying to high school or university.
In Summer 2023, before the start of the 2023/24 Cup, an archival system will be established for student data that is maintained in perpetuity. The purpose is twofold: 1) storing less data on the server, so that in the case of a hypothetical breach less data are at risk; 2) a smaller database will operate faster and require less memory.
Following the rules of HR Canada and the CRA we also keep required data about our employees and contractors.

7 Data Safety

The database storing the above data is backed up every day at midnight. The whole website is backed up once per week.

8 Encryption of Page Communication

We protect against HTML and SQL injection for all forms on our website. We ensure that no user input can directly affect the code written for the website in a way that could lead to any undesired behavior. This is done by sanitizing and validating user inputs, which ensures that passed user data cannot manipulate database queries or pages.
Sensitive user information such as passwords is encrypted, so it is secured at rest when stored in our database.
Connections between visitors and the site are managed through Cloudflare. The default method of HTTPS transfer uses SSL/TLS encryption so that requests and responses are unreadable to everyone except the parties involved in the transfer.
Cloudflare also protects against DDoS attacks, such as request floods and botnet requests.

9 Breach Response Protocol

A breach of security, for example through an unauthorized publication of student data, has not happened since Caribou started in 2009. Nevertheless, in the hypothetical case of such a breach the following protocol is activated.

9.1 Containment

  • We will instantly contact our Internet provider Vaxxine to ask whether any breach is known at the server level.
  • All passwords on all accounts of employees and contractors on our server will be changed. This is possible because Caribou Contests is a small company with very few employees and contractors, who are in constant contact with each other.
  • After inspection of the state of our database it is decided whether a daily prepared backup copy needs to be restored.

9.2 Notification

  • We have a number of email sending tools that allow us to contact all coordinators or subgroups of them. In the case of a breach of security we would contact all coordinators of the schools that are affected or, if necessary, all coordinators. We would inform them about what is known about the breach and about the remediation plan.
  • Depending on the nature of the breach we would inform coordinators and students by a popup window when they sign in.
  • Our third communication channel is the Caribou News section on our home page. We use it regularly for any kind of news and would use it in this case too.

9.3 Remediation Plans

We would study how the breach could have happened and how it can be prevented in future.
The following steps allow us to restore security and access for coordinators and students. Our only data that could identify students are their names (or alias names) in combination with their access code. Schools with a school-wide pass can download an unlimited number of new access codes, attach new student names of their choice to the new codes and merge student contest results from the old codes to the new codes and new names using the tool ‘Merge Two Student Accounts’ on the coordinator page. This automatically removes the old (compromised) access codes with the old attached names. Schools without a school-wide pass would receive one free of charge from Caribou to perform that change of access codes.
All that teachers would have to do afterwards is to communicate the new names and access codes to their students.

10 Transparency

When a coordinator (teacher) signs in for the first time in a cup (after September 1), they have to confirm and, if necessary, edit their personal account details (email address, school, telephone number). They also have to acknowledge the Terms and Conditions, including our Privacy and Cyber Security measures.
If, against expectations, it should be necessary during the year to change the manner in which personal information is handled, then users will be notified: coordinators through email and students when signing in.
In previous years we issued a questionnaire at the end of a cup to get feedback on important future developments. We plan to keep that practice.

11 Third Parties

The only third-party services that have contact with secured data are:

  • Vaxxine (www.vaxxine.com) is our Internet provider (active as an Internet provider for over 40 years) and in theory has access to all our data.
  • Cloudflare (cloudflare.com) operates a Content Delivery Network to reach users fast irrespective of where they are located (see section 8).
  • PayPal handles online payments but has no access to any non-financial data.

These three services have equivalent or better security safeguards than what we offer to users.

12 Contact

Please contact us at [email protected] if you have any questions or concerns about the Cyber Security of Caribou Contests.