What is LTI 1.3 and why does it matter?

LTI 1.3 is the latest standard for connecting tools to your LMS. It enables SSO, grade passback, and deep linking so Scaffold works seamlessly inside Canvas, Moodle, or Blackboard.

Do I need developers or IT support?

No. Most educators complete the LTI setup themselves in under 10 minutes using our guided wizard.

Can I migrate existing content?

Yes. Scaffold imports Common Cartridge, QTI, SCORM packages, and plain HTML.

Is student data safe?

Absolutely. SOC 2 Type II compliant, FERPA-aligned, GDPR-ready. Data encrypted at rest and in transit.

What happens after the waitlist?

We onboard teams in small batches. Waitlist members get founding-member pricing and priority onboarding.

Privacy Policy

Last updated: 13 March 2026

1. Who We Are

BrainJam ("we", "us", "our") operates Scaffold, an LTI 1.3 content authoring platform for education. Our website is brainjam.works.

Data Protection Officer: You can contact our DPO at [email protected].

2. How This Policy Applies

This policy explains how we handle personal data in two contexts:

As a Data Controller — when you visit our website, join our waitlist, or contact us directly. We decide what data to collect and why.
As a Data Processor — when educational institutions use Scaffold via LTI integration. The institution is the controller; we process data on their behalf under a Data Processing Agreement (DPA).

3. Data We Collect

3.1 Website Visitors (Controller)

Data	Purpose	Lawful Basis
Email address, name, role	Waitlist registration	Consent
Email address	Responding to enquiries	Legitimate interest
IP address, browser type, pages visited	Website analytics and security	Legitimate interest
Cookie identifiers	Essential site functionality	Strictly necessary / Consent (non-essential)

3.2 Platform Users via LTI (Processor)

When an institution deploys Scaffold through their LMS, the following data may be transmitted via LTI 1.3:

Data Category	Examples	Source
User identity	Name, email, LTI user ID	LMS via LTI launch token
Roles	Learner, instructor, administrator	LMS via LTI launch token
Course context	Course ID, course title, section	LMS via LTI launch token
Assessment data	Answers, scores, grades	User interaction with Scaffold
Content data	Authored content, media uploads	Instructor activity in Scaffold
Usage data	Timestamps, interaction logs	Platform activity

We process this data solely on the institution's instructions as set out in our Data Processing Agreement. We do not use institutional data for our own purposes, advertising, or profiling.

4. How We Use Your Data

4.1 Website (Controller purposes)

Process waitlist registrations and send product updates
Respond to support enquiries
Analyse website usage to improve our service
Ensure website security and prevent abuse

4.2 Platform (Processor purposes)

Authenticate users via LTI 1.3 / OpenID Connect
Deliver authored content to learners
Store and manage course content
Process and store assessment responses
Transmit grades back to the LMS via LTI Assignment and Grade Services

5. Data Sharing and Sub-processors

We do not sell personal data. We share data only with the following categories of recipients:

Infrastructure provider: Amazon Web Services (AWS) — hosts our platform. See our sub-processor list.
The institution: Grades and assessment data are returned to the LMS via LTI grade passback.
Legal requirements: We may disclose data if required by law, court order, or to protect our legal rights.

We maintain a list of sub-processors and will notify institutional customers before adding new sub-processors, providing the opportunity to object.

6. International Data Transfers

Our primary infrastructure is hosted in AWS EU regions (Ireland / Frankfurt). Where data is transferred outside the European Economic Area or United Kingdom, we rely on:

EU Standard Contractual Clauses (SCCs) — Commission Implementing Decision 2021/914
UK International Data Transfer Addendum to the EU SCCs
Adequacy decisions where applicable (e.g., EU-US Data Privacy Framework)

7. Data Retention

Waitlist data: Retained until you unsubscribe or the waitlist closes, plus 30 days.
Platform data (institutional): Retained for the duration of the institution's contract. Upon termination, data is deleted or returned within 90 days at the institution's choice, as specified in the DPA.
Server logs: Retained for 90 days for security and debugging.
Analytics data: Aggregated and anonymised after 26 months.

8. Your Rights

8.1 Under GDPR / UK GDPR

If you are in the EEA or UK, you have the right to:

Access — request a copy of your personal data
Rectification — correct inaccurate data
Erasure — request deletion ("right to be forgotten")
Restriction — limit how we process your data
Portability — receive your data in a machine-readable format
Object — object to processing based on legitimate interest
Withdraw consent — where processing is based on consent

Contact [email protected] to exercise these rights. We will respond within 30 days.

You also have the right to lodge a complaint with your supervisory authority. In the UK, this is the Information Commissioner's Office (ICO).

8.2 Under CCPA / CPRA (California)

If you are a California resident, you have the right to:

Know what personal information we collect and how it is used
Delete your personal information
Correct inaccurate personal information
Opt out of the sale or sharing of personal information
Non-discrimination for exercising your rights

We do not sell or share personal information as defined by CCPA/CPRA.

8.3 For Students (FERPA)

If your institution uses Scaffold, your education records are protected under FERPA. To exercise your rights regarding education records (access, amendment), contact your institution directly — they are the data controller. We will assist your institution in responding to your request.

9. FERPA Compliance

When US educational institutions use Scaffold, we act as a "school official" with a "legitimate educational interest" under FERPA. We commit to:

Using education records solely for the purposes authorised by the institution
Not re-disclosing education records without the institution's written permission
Allowing the institution to retain direct control over education records
Deleting or returning education records upon contract termination
Implementing appropriate security safeguards (encryption, access controls, audit logging)

10. Children's Privacy

Scaffold is designed for higher education institutions and is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal data, contact us at [email protected] and we will delete it.

11. Security

We implement appropriate technical and organisational measures to protect personal data, including encryption at rest (AES-256) and in transit (TLS 1.2+), role-based access controls, and regular security assessments. See our Security page for details.

12. Automated Decision-Making

We do not use personal data for automated decision-making or profiling that produces legal effects or similarly significant effects on individuals.

13. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email (for registered users) or a prominent notice on our website. The "Last updated" date at the top reflects the most recent revision.

14. Contact Us

For questions about this policy or to exercise your rights:

Data Protection Officer: [email protected]
General enquiries: [email protected]
Website: brainjam.works