Privacy Policy
Last updated: February 1, 2026
1. Overview
MOSAIC ("Multilingual Outcomes & Student Assessment for Instructional Clarity") is operated by Lerno Co. This Privacy Policy describes how we collect, use, store, and protect personally identifiable information (PII) of students, parents, teachers, and school administrators who use the MOSAIC platform. MOSAIC is designed exclusively for educational purposes and complies with applicable federal and state privacy laws.
2. Legal Compliance
MOSAIC is designed and operated in compliance with:
- FERPA — Family Educational Rights and Privacy Act (20 U.S.C. § 1232g)
- COPPA — Children's Online Privacy Protection Act (15 U.S.C. §§ 6501-6506)
- NYS Education Law § 2-d — Student Data Privacy and Security
- NYCPS Parents' Bill of Rights for Data Privacy and Security
- NIST Cybersecurity Framework v2.0 — Security safeguard alignment
3. Data We Collect
We collect only data necessary for educational assessment purposes:
| Data Element | Purpose | Shared Externally? |
|---|---|---|
| Student Name & Email | Identity, authentication | No |
| Grade Level | Grade-appropriate assessment | No |
| School / District | Multi-tenant data isolation | No |
| Assessment Responses | Scoring, growth tracking | No |
| Audio Recordings (Speaking) | Speech evaluation | Yes — OpenAI (processing only) |
| Teacher Name & Email | Class management | No |
| Parent Name & Email | Portal access | No |
| IP Address | Audit logging, security | No |
4. How We Protect Data
- Encryption in Transit: All data is transmitted via TLS 1.2+ (HTTPS)
- Encryption at Rest: AES-256 encryption on MongoDB Atlas storage
- Access Control: 5-tier Role-Based Access Control (Student, Teacher, School Admin, District Admin, Super Admin)
- Audit Logging: All security-relevant actions (login, grading, data access, impersonation) are logged with timestamps and IP addresses
- Session Security: HTTP-only, secure cookies with automatic expiration (24-hour TTL)
- Password Security: bcrypt hashing with salting
- Anti-Cheating: Tab-switch detection and exam lockdown during active assessments
- Security Headers: HSTS, CSP, X-Frame-Options (DENY), X-Content-Type-Options
5. COPPA & Parental Consent
For students under 13 (typically grades K-5), MOSAIC requires documented parental consent before assessment data is collected. Schools are responsible for obtaining and recording consent, which is tracked within the platform's COPPA consent management system. No data from students under 13 is shared with third parties for non-educational purposes.
6. Data Retention & Deletion
Student assessment records are retained for 7 years per NYS record retention guidelines, or as configured by the district. Upon request, individual student data can be permanently deleted from all MOSAIC systems. Disabled user accounts are automatically purged after a configurable grace period (default: 90 days). Districts may request bulk data deletion upon contract termination.
7. Parental Rights
In accordance with FERPA and NYS Education Law § 2-d, parents/guardians have the right to:
- Inspect all data held about their child via the Parent Portal data export
- Request correction of inaccurate records
- Request deletion of their child's data
- File a complaint with the school, NYSED, or the U.S. Department of Education
8. No Secondary Use
MOSAIC does not use student data for advertising, profiling, behavioral targeting, or any purpose beyond educational assessment. Data is never sold, rented, or shared for commercial purposes.
9. Breach Notification
In the event of a data breach affecting PII, Lerno Co. will notify affected schools and NYCPS within 24 hours of discovery, in compliance with FERPA and NYS Education Law § 2-d requirements. Breach reports are maintained in the platform's compliance audit trail.
10. Third-Party Subprocessors
MOSAIC uses a limited number of third-party services to operate. All subprocessors have signed Data Processing Agreements (DPAs) with equivalent privacy protections. See our Subprocessor List for details.
11. Contact
For privacy inquiries, data access requests, or to report a concern:
Lerno Co. — Privacy Office
Email: privacy@mosaicassessmentco.com
Web: mosaicassessmentco.com