Links
About
Hypothesis is a tool that enables you to make notes in the margins of digital texts anywhere on the web and share them with others. Using social annotation fosters collaborative discussion, critical thinking, and a deeper understanding of readings.
Accessibility
Inclusivity and availability have always been central to our mission. We’ve worked hard to design and develop Hypothesis to reduce geographic, financial, or logistical barriers to users who want to read and write annotations on the web. That’s why Hypothesis is built on open web standards, will always be free to use, and works on a wide range of formats and platforms.
Security
| HECVAT status: |
Completed |
| Data encryption: |
We use TLS v1.3 to encrypt data in transit. We employ AWS encryption of Elasticsearch and RDS (our database) for encryption at rest. |
| Countries of data storage |
USA |
| Data storage method |
Data is stored in Amazon, AWS owned data centers. |
| Data retention policy |
Data is retained as long as the user accounts remain active. Application log files are retained for 14 days in Papertrail, our 3rd party logging service. |
| Incident management program, policy, and testing |
Hypothesis Incident Response Plan is here: https://docs.google.com/document/d/1gWVUNF_sW1PpZg0np2ttnBQsqr9ThKRFcww94IkvGl0/edit |
| Disaster recovery and business continuity plan and testing |
We have a business continuity plan tested annually, and a formal disaster recovery policy that is under development. |
| Security Standard Certificates |
Our AWS SOC3 report is available here: https://d1.awsstatic.com/whitepapers/compliance/AWS_SOC3.pdf |
| Third party testing and security controls practices |
Our third party supplier review process includes a review of their security posture. This includes third-party attestations and audit reports. |
Privacy
| Privacy policy link |
https://web.hypothes.is/privacy/ |
| COPPA policy link |
|
| Privacy department/officer contact: |
Arti Walker-Peddakotla, artijwalker@hypothes.is |
| Types of data collected |
Hypothesis uses the first name and last name of the user, the name of the course, the role of each person within that course to determine the person's role within a Hypothesis annotation group, and to display the name of each person who has written an annotation in the application. |
| Personally identifiable or personal data collected |
See above. |
| Data Deletion Request Process |
You would email support@hypothes.is with your request. Database entries would be deleted en masse from production databases if Institution contracts are terminated. Institution information may persist in backups and logs for as long as 30 days at which point they are permanently deleted. |
| Third Party Data Sharing & Opt-out |
Hypothesis does not sell any data to third parties, and only partners with those third parties needed to run our service. |
| Cookies or Tracking Technologies used |
No cookies/tracking technology is used |
| Analytics performed on Customer Data |
We use Metabase to run analytics on user data for internal business purposes only |
| Data correlation practices |
N/A |
| Privacy Certifications or Seals |
We do not have any privacy certifications at this time |
| Targeted Advertising using user data |
Our service does not have targeted ads |
| Privacy or data protection impact assessments |
We perform a third-party security audit annually, with the last external pen test performed in October 2020 |
| Privacy Law Compliance |
We are FERPA and GDPR compliant |
Integration Instructions
https://web.hypothes.is/help/lms-app-canvas/
