Data Privacy and Security
The privacy of our customers and users is important to us.
We've broken down the basics of our data privacy and security practices here, so you can be better informed about them.
Our commitment
At Rosetta Stone, we are committed to safeguarding our customers' privacy while providing a personalized and valuable service. As reflected in our privacy policies, we use personal data of our customers and users to provide support and continually improve our language and literacy products and services, and to inform our customers and users about those products and services. We are committed to protecting the privacy and security of the personal data of our customers and users, and to working with service provider partners that are similarly committed to the protection and privacy of personal data they process on our behalf.
Information technology and security practices and protection
A robust information security program is integral to any company-wide commitment to data privacy. Our information security program is designed to reflect our commitment to safeguarding the personal information we receive in an appropriate manner while providing tailored and valuable services. We review our information security program at least annually, with the goal of continually updating or modifying our policies, procedures, and/or the security measures within our information security program to enable us to continue to improve the overall security of our products, services, information systems and operations.
Our information security program is designed to incorporate and address physical, administrative, and technical and organizational security measures in a manner appropriate to the size and complexity of our company, the nature and scope of our services and activities, and the sensitivity of the personal data we process. Under our program, technical and organizational measures for protecting data within our systems include: (i) firewalls and threat detection systems to identify malicious connection attempts to block spam, viruses and unauthorized intrusion; (ii) physical networking technology designed to resist attacks by malicious users or malicious code; and (iii) encryption of data while in transit over public networks and at rest using industry-standard protocols.
As part of our information security program, we undergo various annual corporate audits and reviews (e.g., PCI-DSS certifications, etc.), and our overall information security program and our technical and organizational security measures are SOC 2 audited annually to assess and confirm the design and implementation of our information security program. In addition, we continually monitor for compliance and conduct additional internal reviews to identify potential gaps or areas of improvement to protect against reasonably foreseeable internal and external threats to the security, confidentiality, and integrity of the personal data that could result in the loss, misuse, unauthorized access, disclosure, alteration, or destruction of the personal data and/or Rosetta Stone's hardware or software on which such personal data resides.
Training
To ensure that data privacy and security remain a top priority, all employees receive mandatory data privacy and security awareness training quarterly, with additional targeted data privacy and security training provided to specific practice groups and individuals throughout the year.
Oversight
To help enhance and ensure oversight and accountability within our organization, we've appointed a Data Protection Officer responsible for the oversight of data privacy and security awareness and leading our compliance efforts. Our Data Protection Officer reports directly to the Rosetta Stone executive management team, where information security is regularly discussed.
Privacy policy
Further detailed information on data processing, cookies, and our practices for data privacy and security is available from the privacy policy found on each Rosetta Stone website and within the applicable Rosetta Stone product or application. We review our privacy policies and commitments at least annually, and, if we should make any material changes to those privacy commitments, we will notify our customers and users by email, prominent notice on the website, or as otherwise provided in the policy.
As provided under applicable laws (notably, as examples, under the E.U. General Data Protection Regulation (GDPR) and/or the California Consumer Privacy Act (CCPA)), individuals (“data subjects”) subject to such laws have specific rights with respect to controlling their own personal data, which rights may include, but not be limited to, the right to request access to, correction, deletion or export of, or restriction on certain uses of, their personal information.
We have implemented procedures to efficiently intake, track, and address these Subject Access Requests, in accordance with legal requirements. Information, instructions, and links to submit a Subject Access Request are available on our websites and in our privacy policies.
In addition to licensing product subscriptions directly to individual consumer users, Rosetta Stone has designed and licenses certain of its language-learning solutions for use under an Enterprise licensing model.
Data controller / data processor
If you are a corporate, educational, government or other institution that licenses access to our products for your users under an enterprise model, your organization is and remains the controller of the personal data of all of your organization's users. Rosetta Stone acts and complies with its obligations as a data processor, under the direction and instructions of our enterprise clients as reflected in our Enterprise license and service agreement, and our Data Processing Addendum, which is incorporated into our Enterprise license terms.
Rosetta Stone enterprise and education solutions: subprocessors
Rosetta Stone utilizes certain service provider subprocessors and/or affiliates to enable us to provision and support our enterprise and education products and services to all of our enterprise and education licensees and their learners. Our service providers are carefully selected and engaged under contractual commitments of data privacy, security and data processing, and compliance obligations that support our obligations to our enterprise and education clients. Consistent with our own obligations, we remain responsible to our enterprise and education clients for our service provider subprocessors with respect to their role in supporting our products and services to our clients. If you are an enterprise or education client and would like to see the current list of subprocessors for our Rosetta Stone Language Enterprise and education products and services, please Click Here. If you would like to subscribe to receive notifications of any update to this list, please Click Here.
We are committed to maintaining the privacy of our customers while also honoring proper legal requests for data and cooperating with the appropriate law enforcement. Rosetta Stone will only respond to formal, legitimate, and mandatory legal orders for production of data by the appropriate official law enforcement entity or agency. Rosetta Stone reviews all requests to ensure that procedures have been followed and the request includes all requisite identifying information to accurately and narrowly identify the information to be produced.
If proper procedure and support are presented, Rosetta Stone will strictly limit the disclosure of information to the scope of the order, and may choose to redact portions where appropriate or request a protective order if necessary to keep the information confidential.
To the extent legally permitted, Rosetta Stone shall promptly notify an individual if it receives a legally binding request or demand from any law enforcement agency, governmental agency, court, or other authority for any Personal Data provided to us.
We encourage all of our customers to take precautions to protect their accounts and personal information.
Phishing
- Do not click on links or attachments in an email that seem questionable to you
- Keep your antivirus software up to date as it will help to detect and block malware
Passwords
- Keep your passwords private and do not share them with anyone
- When creating a password, do not use anything that could be easily determined from information on your social media or other public information
- Do not repeat the same password for multiple accounts
Visit the Federal Trade Commission website for even more in-depth tips and resources on keeping your information and technology secure.
StaySafeOnline provides practical tips and resources from the federal government and the technology industry.
For practical tips for businesses on creating and implementing a plan for safeguarding personal information, the Federal Trade Commission has provided helpful guidance, available at https://www.ftc.gov/tips-advice/business-center/guidance/protecting-personal-information-guide-business.
If you have questions or would like additional information regarding Rosetta Stone's privacy and security practices, you may email us at [email protected].