Please see my answers below. Carl Sorensen
------------------------------
> *From:* RAJATPREET SINGH
> *Sent:* Thursday, March 27, 2025 2:30 PM
> *To:* lilypond-user@gnu.org <lilypond-user@gnu.org>
> *Subject:* Lilypond DDSB Oboarding.
>
> Hi,
>
> I am the Cybersecurity Analyst for the Durham District School Board in
> Ontario. Our board is planning to onboard *Lilypond* for use by our staff
> and students. As part of the process, we are conducting a security
> assessment of the application, specifically reviewing its Privacy Policy
> and Terms of Agreement concerning the collection of personally identifiable
> information (PII). Could you please assist in clarifying the following
> points?
>
>
> Data Collection:
> What PII and PHI is collected from staff?

No PII nor PHI are collected from staff

> What PII and PHI is collected from students?

No PII nor PHI are collected from students

> What PII and PHI is collected from parents?

No PII nor PHI are collected from parents

> Can student accounts be made using only first and last name initials or
> pseudonyms?

No accounts are used for Lilypond.

>
>
> Account Creation and Management:

No accounts are used by LilyPond, so this section is not applicable.

> Can accounts be created and controlled by teachers/schoolboard?
> Can student accounts be modified by the students? What can they change?
> Can users delete their accounts independently, or is contacting support
> necessary for account deletion?
> Is data retained even after an account is closed and for how long?
> Is it possible to sign in and sign up using SSO?
> Does the user authentication process include MFA?
>
>
> Data Storage and Infrastructure:
> Where is the data stored? (e.g., AWS, Azure, local server)

Data is stored on the computer that has LilyPond installed.

> What is the physical location of the server? (Canada, US, UK, other)

There is no server. LilyPond does not have a client-server architecture. It is software on the local computer.

> How is data secured both in transit and at rest? What encryption standards
> are applied?

Whatever encryption standards are used on the local computer apply to LilyPond data.

>
>
> Data Sharing and Privacy:
> Do you sell user data to third parties?

We neither collect nor sell user data

> Is user data shared with any third parties? If so, for what purposes?

We neither collect nor share user data

> Are there advertisements on the platform?

There are no advertisements.

> What is the minimum age requirement for users of the app?

There are no age requirements.

>
> Compliance:
> Are you compliant with any recognized standards or frameworks (e.g. SOC1,
> SOC2, MFIPPA, BILL 194, GDPR, CCPA, COPPA, etc.)?

We do not work in an environment where these items apply.

>
>
> Looking forward to hearing from you
>
>
> Regards,
>
> *Rajatpreet Singh*
>
> I.T Security Analyst
>
> Durham District School Board
>
> 400 Taunton Rd. East, Whitby, ON L1R 2K6
>
> Tel: 905.666.7912
>
> *DDSB Staff - Visit the **IT Service Portal
> <https://durhamschboard.service-now.com/help/>** for support*
>
>
> This email communication is intended as a private communication for the
> sole use of the primary addressee and those individuals listed for copies
> in the original message. The information contained in this email is private
> and confidential and if you are not an intended recipient you are hereby
> notified that copying, forwarding or other dissemination or distribution of
> this communication by any means is prohibited. If you are not specifically
> authorized to receive this email and if you believe that you received it in
> error please notify the original sender immediately.
>