> Hi,
> 
> I'm following up on my previous email to check if there have been any updates
> regarding the questions I sent.
> 
> Regards,
> Rajatpreet Singh

Hi Rajatpreet,

> Our board is planning to onboard Lilypond for use by our staff and students. As
> part of the process, we are conducting a security assessment of the
> application, specifically reviewing its Privacy Policy and Terms of Agreement
> concerning the collection of personally identifiable information (PII). Could
> you please assist in clarifying the following points?

That is great to hear. Lilypond is a strictly old school open source
application. It does not communicate with any remote resource whatsoever.
Logically nothing you do leaves the computer you are using, and Lilypond
keeps neither an online nor an offline profile. As Lilypond’s source code is
freely accessible and not particularly complex, this can be easily verified.

> Data Collection:
> What PII and PHI is collected from staff?
> What PII and PHI is collected from students?
> What PII and PHI is collected from parents?
> Can student accounts be made using only first and last name initials or
> pseudonyms?

Lilypond does not have the concept of accounts, it does not sell anything, and
collects no data. Lilypond is open source and free to use for anyone and
forever. It is just an offline application.

> Account Creation and Management:
> Can accounts be created and controlled by teachers/schoolboard?
> Can student accounts be modified by the students? What can they change?
> Can users delete their accounts independently, or is contacting support
> necessary for account deletion? Is data retained even after an account is
> closed and for how long?
> Is it possible to sign in and sign up using SSO?
> Does the user authentication process include MFA?

Not relevant as there are no accounts.

> Data Storage and Infrastructure:
> Where is the data stored? (e.g., AWS, Azure, local server)
> What is the physical location of the server? (Canada, US, UK, other)
> How is data secured both in transit and at rest? What encryption standards are
> applied?

The only data stored are your input files and the produced output files, both
of which are stored wherever the user places them.

> Data Sharing and Privacy:
> Do you sell user data to third parties?
> Is user data shared with any third parties? If so, for what purposes?
> Are there advertisements on the platform?
> What is the minimum age requirement for users of the app?

As no data is collected, no data will be shared or sold. Lilypond is by
necessity and conviction advertisement-free (if it wasn’t, the project would
require a legal form that allows it to make money, even if developers wanted
to put in ads, which is not going to happen). There is no minimum age to use
Lilypond.

> Compliance:
> Are you compliant with any recognized standards or frameworks (e.g. SOC1, SOC2,
> MFIPPA, BILL 194, GDPR, CCPA, COPPA, etc.)?

Not relevant, since no data is collected.

I hope this has helped you answer your questions.

Kind regards,
Valentin Petzel
