This Educational Institution Privacy Addendum ("Addendum") supplements the MedAssent DDS Privacy Policy and applies specifically to educational institutions and their students, faculty, and administrators using the MedAssent DDS platform primarily in a de-identified, non-Protected Health Information (PHI) configuration, unless otherwise agreed in writing. In the event of any conflict between this Addendum and the general Privacy Policy, the terms of this Addendum shall control for educational institution deployments. 

​

I.  Scope of Educational Deployment

For educational institution customers, MedAssent DDS operates in a de-identified configuration that: 

•  Is configured to prohibit entry or storage of patient data or PHI, unless explicitly enabled under a separate agreement.

•  Does not include patient-facing mobile applications 

•  Does not process health information about real patients 

•  Focuses exclusively on educational and training purposes 

​

The following sections of the general Privacy Policy regarding patient information, PHI processing, HIPAA business associate relationships with dental providers, and patient-facing mobile app features do not apply to de-identified educational deployments as described in this Addendum. Educational institutions that elect to enable PHI processing will receive separate documentation addressing HIPAA compliance, business associate agreements, and additional data protection requirements. 

​

II.   Data Collection and Usage for Educational Institutions 

Information Collected: MedAssent DDS collects only the minimum personally identifiable information (PII) necessary for account administration: 

•  Student or faculty names 

•  Student or faculty email addresses 

•  User roles (student, faculty, administrator) 

•  Login credentials and authentication metadata 

•  Platform usage data (login timestamps, medication database lookups, educational activity metrics) 

​

Information NOT Collected: 

•  Patient names, contact information, or identifiers 

•  Protected Health Information (PHI) 

•  Student academic performance data or grades (except where custom learning assessments are specifically contracted) 

•  Social security numbers 

•  Financial information (for student accounts) 

​

III.   Data Retention

During Active Enrollment: Student roster information (names and email addresses) is retained throughout the period of active enrollment to support account administration, user authentication, and institutional management functions. 

​

After Account Deactivation: Student roster information and associated account data are deleted within one (1) year following account deactivation by the institution or earlier upon written request from the institution. 

​

Upon Contract Termination: All student account data is deleted within one (1) year of contract termination unless the institution requests earlier deletion or extended retention for legitimate educational purposes. 

​

This retention period supersedes the general data retention provisions stated in the MedAssent DDS Privacy Policy for educational institution deployments.

​

IV.   Data Access and Sharing​

Institutional Access: The institution's authorized faculty and administrative personnel may access student usage data upon request to MedAssent DDS. MedAssent DDS may provide this data in raw or aggregate form to support educational program evaluation and institutional oversight. Data provided includes platform engagement metrics, medication database usage patterns, and login activity, but does not include individual student assessment scores or grades unless custom learning assessments are part of the contracted services. 

​

Third-Party Subprocessors: MedAssent DDS relies on the following trusted third-party service providers for educational deployments: 

• Microsoft Azure: Cloud hosting, database services, website hosting, and secure file storage 

• SendGrid: Automated email communications (account notifications, password resets) 

• Wix: Automated email communications 

• Stripe: Payment processing (institutional invoicing only; not applicable to student accounts) 

• Apple App Store and Google Play Store: Mobile app distribution (only if mobile access is included in institutional contract) 

​

These subprocessors do not have access to student account data or usage information except as necessary to perform their specific technical functions. None of these providers receive student information for their own business purposes.

​

No External Sharing: Student information is not disclosed to any third parties outside the institution, MedAssent DDS, or the subprocessors listed above. Student data is not used for marketing purposes, sold to third parties, or shared with other educational institutions. 

​

V.   FERPA Compliance​

While MedAssent DDS does not store or process student academic performance data in standard educational deployments and therefore does not directly fall under the definition of a Family Educational Rights and Privacy Act (FERPA) "school official" with access to education records, MedAssent DDS implements protections consistent with the FERPA security principles:

• Secure Transfer: All data transmission occurs over encrypted channels (TLS 1.2 or higher) 

• Limited Access: Only authorized MedAssent DDS personnel (two administrators and one developer) have access to production systems containing student data 

• Minimum Necessary Standard: Only names and email addresses are collected for account provisioning 

• Prohibition on Unauthorized Disclosure: Student information is never shared with unauthorized parties 

• Institutional Control: The educational institution retains the right to request deletion of student data at any time 

​

If Custom Learning Assessments Are Contracted: Should the institution elect to use MedAssent DDS's custom learning assessment services (where MedAssent DDS creates and grades quizzes on behalf of faculty), student quiz responses and grades may be considered education records under FERPA. In such cases, MedAssent DDS acts as a "school official" with legitimate educational interests, and additional FERPA compliance measures are documented in a separate addendum. 

​

VI.   Student Rights​

Students or their legal guardians have the right to: 

• Access: Request a copy of their account information and usage data 

• Correction: Request correction of inaccurate account information 

• Deletion: Request deletion of their account and associated data at any time 

• Portability: Request their data in a machine-readable format for transfer to another service 

• Objection: Object to processing of their information for purposes beyond core educational services 

​

Requests should be submitted to dds@medassent.com or through the institution's designated administrator. 

​

VII.   Security Measures

MedAssent DDS implements technical, organizational, and administrative safeguards aligned with HIPAA Security Rule standards:

• Encryption: All data in transit (TLS 1.2+) and at rest (Azure Transparent Data Encryption) 

• Access Controls: Multi-factor authentication for all administrative access; role-based authorization throughout the platform 

• Monitoring: Comprehensive logging of access attempts, administrative activities, and system events 

• Incident Response: Formal incident response plan with procedures for breach notification 

• Personnel Security: Background checks and privacy training for all personnel with system access 

​

VIII.   Data Breach Notification

In the event of a security breach involving student information, MedAssent DDS will: 

•  Notify the institution's designated contact within 72 hours of discovering the breach 

•  Provide details about the nature of the breach, affected data, and remediation steps 

•  Cooperate fully with the institution's breach response procedures 

•  Notify affected students directly if required by applicable law or requested by the institution 

​

IX.   Service Providers and Updates

Current Subprocessors: The list of subprocessors in Section 4 is current as of the effective date of this Addendum. 

​

Changes to Subprocessors: MedAssent DDS will notify the institution at least 30 days in advance of adding new subprocessors or materially changing data handling practices. The institution may object to such changes within this notice period. 

​

Updates to This Addendum: MedAssent DDS may update this Addendum to reflect changes in legal requirements, security practices, or service features. Material changes will be communicated to institutional customers with at least 30 days notice. 

​

X.   Contact Information

For questions, requests, or concerns regarding student data privacy: 

Email: dds@medassent.com

Privacy Contact: Lauren Fang, President

Direct Email: lauren.fang@medassent.com

Mailing Address:

MedAssent DDS Inc.

10635 Santa Monica Blvd. Ste 100

Los Angeles, CA 90025  

​

XI.   Governing Documents

This Addendum is incorporated into and governed by the terms of the institutional service agreement between MedAssent DDS Inc. and the educational institution. In the event of any conflict between this Addendum and the general MedAssent DDS Privacy Policy, the terms of this Addendum shall control for educational institution deployments.