Privacy Evaluation Questions, without Legal Citations

These questions provide the foundation of our evaluation process. You are currently reading the full question set without any of the supporting legal citations.

Triage

1: Observation

  • 0.1.1: Are the policies for the specific service available (and not, for example, for the public-facing website)?
  • 0.1.2: Do Android or iOS app privacy policies link to the same privacy policy URL location as the home page policy?
  • 0.1.3: Do the homepage, login page, or pages accessed while logged in use encryption with HTTPS?
  • 0.1.4: Do the homepage, login page, or pages accessed while logged in force encryption back to HTTPS if changed to HTTP?
  • 0.1.5: Does the application or service use trackers on its homepage, registration page, or while a user is logged-in?

2: Policy Available

  • 0.2.1: Are hyperlinks to the vendor's policies available on the homepage and labeled Privacy Policy or Terms of Use?
  • 0.2.2: Are the policies available in a human and machine readable format that is accessible on the web, mobile devices, screen readers or assistive technologies?
  • 0.2.3: Do the policies allow machine crawling or indexing?
  • 0.2.4: Are the policies available on all product purchase or acquisition web pages?
  • 0.2.5: Are the policies available on a new account registration webpage for review prior to a user creating a new account with the service or application?

3: Account Type

  • 0.3.1: Can you create a free sample account with the application or service?
  • 0.3.2: Does the application or service require the purchase of hardware or a School access code to create an account?
  • 0.3.3: Does the application or service offer a seperate paid version or In-App-Purchases?

4: Policy Errors

  • 0.4.1: Do the policies contain structural or typographical errors?

1: Transparency

1.1: Policy Version

  • 1.1.1: Do the policies clearly indicate the version or effective date of the policies?
  • 1.1.2: Do the policies clearly indicate a changelog or past versions of the policies are available for review?

1.2: Policy Coverage

  • 1.2.1: Do the policies clearly indicate the websites, services, or mobile applications that are covered by the policies?

1.3: Policy Changes

  • 1.3.1: Do the policies clearly indicate whether or not any updates or material changes to the policies will be accessible for review by a user prior to the new changes being effective?
  • 1.3.2: Do the policies clearly indicate whether or not any updates or material changes to the policies are effective immediately and continued use of the application or service indicates consent?

1.4: Policy Notice

  • 1.4.1: Do the policies clearly indicate whether or not a user is notified if there are any material changes to the policies?
  • 1.4.2: Do the policies clearly indicate the method used to notify a user when policies are updated or materially change?
  • 1.4.3: Do the policies clearly indicate the vendor provides prominent notice on the homepage that the website or service uses cookies?

1.5: Policy Contact

  • 1.5.1: Do the policies clearly indicate whether or not a user can contact the vendor about any privacy policy questions, complaints, or material changes to the policies?

1.6: Policy Principles

  • 1.6.1: Do the policies clearly indicate short explanations, layered notices, a table of contents, or privacy principles of the vendor?

1.7: Policy Language

  • 1.7.1: Do the policies clearly indicate they are available in a language other than English?

1.8: Intended Use

  • 1.8.1: Do the policies clearly indicate whether or not the service is intended to be used by children under the age of 13?
  • 1.8.2: Do the policies clearly indicate whether or not the service is intended to be used by teens 13 to 18 years of age?
  • 1.8.3: Do the policies clearly indicate whether or not the service is intended to be used by adults over the age of 18?
  • 1.8.4: Do the policies clearly indicate whether or not the service is intended to be used by parents or guardians?
  • 1.8.5: Do the policies clearly indicate whether or not the service is intended to be used by students in preschool or K-12?
  • 1.8.6: Do the policies clearly indicate whether or not the service is intended to be used by teachers?

2: Focused Collection

2.1: Data Collection

  • 2.1.1: Do the policies clearly indicate whether or not the vendor collects Personally Identifiable Information (PII)?
  • 2.1.2: Do the policies clearly indicate what categories of Personally Identifiable Information are collected by the application or service?
  • 2.1.3: Do the policies clearly indicate whether or not geolocation data are collected?
  • 2.1.4: Do the policies clearly indicate whether or not any biometric data are collected?
  • 2.1.5: Do the policies clearly indicate whether or not any behavioral data are collected?
  • 2.1.6: Do the policies clearly indicate whether or not sensitive personal information is collected?
  • 2.1.7: Do the policies clearly indicate whether or not the application or service collects non-personal information such as a user's persistent identifier, unique device ID, IP address, or other device information?
  • 2.1.8: Do the policies clearly indicate whether or not the vendor collects information on free or reduced lunch status?

2.2: Data Source

  • 2.2.1: Do the policies clearly indicate whether or not the vendor collects personal information or education records from preK-12 students?
  • 2.2.2: Do the policies clearly indicate whether or not the vendor collects personal information online from children under 13 years of age?

2.3: Data Exclusion

  • 2.3.1: Do the policies clearly indicate whether or not the vendor does not collect specific types of data?
  • 2.3.2: Do the policies clearly indicate whether or not the vendor excludes specific types of collected data from coverage under its privacy policy?

2.4: Data Limitation

  • 2.4.1: Do the policies clearly indicate whether or not the vendor limits the collection or use of information to only data that are specifically required for the application or service?

3: Data Sharing

3.1: Data Shared With Third Parties

  • 3.1.1: Do the policies clearly indicate whether or not collected information (this includes data collected via automated tracking or usage analytics) is shared with third parties?
  • 3.1.2: Do the policies clearly indicate what categories of information are shared with third parties?

3.2: Data Use by Third Parties

  • 3.2.1: Do the policies clearly indicate the vendor's intention or purpose for sharing a user's personal information with third parties?
  • 3.2.2: Do the policies clearly indicate whether or not collected information is shared with third parties for analytics and tracking purposes?
  • 3.2.3: Do the policies clearly indicate whether or not collected information is shared with third parties for research or product improvement purposes?
  • 3.2.4: Do the policies clearly indicate whether or not personal information is shared with third parties for advertising or marketing purposes?

3.3: Data Not Shared With Third Parties

  • 3.3.1: Do the policies clearly indicate whether the vendor specifies the categories of information that will not be shared with third parties?

3.4: Data Sold To Third Parties

  • 3.4.1: Do the policies clearly indicate whether or not a user's personal information is sold or rented to third parties?

3.5: Third-Party Data Acquisition

  • 3.5.1: Do the policies clearly indicate whether or not a user's information is acquired from a third-party by the vendor?

3.6: De-identified or Anonymized Data

  • 3.6.1: Do the policies clearly indicate whether or not a user's information that is shared or sold to a third-party is only done so in an anonymous or de-identified format?
  • 3.6.2: Do the policies clearly indicate whether or not a user's personal information is de-identified with a reasonable level of justified confidence, or the vendor provides links to any information that describes their de-identification process?
  • 3.7.1: Do the policies clearly indicate whether or not outbound links on the site to third-party external websites are age appropriate?

3.8: Third-Party Data Access

  • 3.8.1: Do the policies clearly indicate whether or not a third party is authorized to access a user's information?

3.9: Third-Party Data Collection

  • 3.9.1: Do the policies clearly indicate whether or not a user's personal information is collected by a third party?

3.10: Third-Party Data Misuse

  • 3.10.1: Do the policies clearly indicate whether or not a user's information can be deleted from a third party by the vendor, if found to be misused by the third party?

3.11: Third-Party Service Providers

  • 3.11.1: Do the policies clearly indicate whether or not third-party services are used to support the internal operations of the vendor's application or service?
  • 3.11.2: Do the policies clearly indicate the role of third-party service providers?

3.12: Third-Party Affiliates

  • 3.12.1: Do the policies clearly indicate the categories of third parties, subsidiaries, or affiliates with whom the vendor shares data?

3.13: Third-Party Policies

  • 3.13.1: Do the policies clearly indicate whether a link to a third-party service provider, data processor, partner, or affiliate's privacy policy is available for review?

3.14: Third-Party Data Combination

  • 3.14.1: Do the policies clearly indicate whether or not data collected or maintained by the vendor can be augmented, extended, or combined with data from third party sources?
  • 3.14.2: Do the policies clearly indicate whether or not data shared with third parties can be augmented, extended, or combined with data from additional third party sources?

3.15: Third-Party Authentication

  • 3.15.1: Do the policies clearly indicate whether or not social or federated login is supported to use the service?
  • 3.15.2: Do the policies clearly indicate whether or not the vendor collects information from social or federated login providers?
  • 3.15.3: Do the policies clearly indicate whether or not the vendor shares information with social or federated login providers?

3.16: Third-Party Contractual Obligations

  • 3.16.1: Do the policies clearly indicate whether or not third parties have contractual limits on how they can use personal information that is shared or sold to them?
  • 3.16.2: Do the policies clearly indicate whether or not third parties have contractual limits that prohibit re-identification or combining data with other data sources that are shared or sold to them?

4: Respect for Context

4.1: Data Use

  • 4.1.1: Do the policies clearly indicate whether or not the vendor limits the use of data collected by the application to the educational purpose for which it was collected?
  • 4.1.2: Do the policies clearly indicate the context or purpose in which data are collected?

4.2: Data Classification

  • 4.2.1: Do the policies clearly indicate specific types of personal information (PII, Non-PII, Children's PII, Sensitive information, etc.)?

4.3: User Classification

  • 4.3.1: Do the policies clearly indicate different types or classes of user accounts?

4.4: Data Combination

  • 4.4.1: Do the policies clearly indicate whether or not Personally Identifiable Information (PII) combined with non-PII would be treated as PII?

4.5: Data Notice

  • 4.5.1: Do the policies clearly indicate whether or not notice is provided to a user if the vendor changes the context in which data are collected?

4.6: Data Changes

  • 4.6.1: Do the policies clearly indicate whether or not the vendor will obtain consent if the practices in which data are collected change or are inconsistent with contractual requirements?

4.7: Enforcement Context

  • 4.7.1: Do the policies clearly indicate whether or not the vendor may terminate a user's account if they engage in any prohibited activities?

5: Individual Control

5.1: User Content

  • 5.1.1: Do the policies clearly indicate whether or not a user can create or upload content to the service?
  • 5.1.2: Do the policies clearly indicate whether or not a user's content is stored with the vendor or a third party?
  • 5.2.1: Do the policies clearly indicate whether or not the vendor requests opt-in consent from a user at the time information is collected?

5.3: Data Restriction

  • 5.3.1: Do the policies clearly indicate whether or not the vendor is able to restrict or remove a user's content without notice or consent?

5.4: Data Settings

  • 5.4.1: Do the policies clearly indicate whether or not a user can control the vendor or third party's use of their information through privacy settings?

5.5: Data Disclosure

  • 5.5.1: Do the policies clearly indicate whether or not a user can provide consent or opt-out from disclosure of their data to a third party?
  • 5.5.2: Do the policies clearly indicate whether or not a user can request the vendor to disclose all the personal information or records collected about them or shared with third parties?
  • 5.5.3: Do the policies clearly indicate whether or not in the event a vendor discloses information in response to a government or legal request, if they will contact the affected user, school, parent, or student with notice of the request, so they may choose to seek a protective order or other legal remedy?

5.6: Data Rights

  • 5.6.1: Do the policies clearly indicate whether or not a student, educator, parent, or the school retains ownership to the Intellectual Property rights of the data collected or uploaded to the application or service?

5.7: Data License

  • 5.7.1: Do the policies clearly indicate whether or not the vendor may claim a copyright license to the data or content collected from a user?
  • 5.7.2: Do the policies clearly indicate whether or not the vendor may limit its copyright license of a user's data?
  • 5.7.3: Do the policies clearly indicate whether or not the vendor provides notice to a user if their content is removed or disabled because of a claim it violates the Intellectual Property rights of others?

6: Access and Accuracy

6.1: Data Access

  • 6.1.1: Do the policies clearly indicate whether or not the vendor provides a method to access and review a user's personal information for authorized individuals?
  • 6.1.2: Do the policies clearly indicate whether or not the vendor may restrict access for unauthorized individuals to a user's data?
  • 6.1.3: Do the policies clearly indicate whether or not there is a process available for the school, parents, or eligible students to review student information?

6.2: Data Integrity

  • 6.2.1: Do the policies clearly indicate whether or not the vendor takes steps to maintain the accuracy of data they collect and store?

6.3: Data Correction

  • 6.3.1: Do the policies clearly indicate whether or not the vendor provides the ability to modify a user's inaccurate data for authorized individals?
  • 6.3.2: Do the policies clearly indicate whether or not there is a process for the school, parents, or eligible students to modify inaccurate student information?
  • 6.3.3: Do the policies clearly indicate whether or not the school, parents, or eligible students may submit a request to the vendor to modify a student's inaccurate personal information?
  • 6.3.4: Do the policies clearly indicate how long the vendor has to modify a user's inaccurate data after given notice?

6.4: Data Retention

  • 6.4.1: Do the policies clearly indicate the vendor's data retention policy, including any data sunsets or any time-period after which a user's data will be automatically deleted if they are inactive on the application or service?
  • 6.4.2: Do the policies clearly indicate whether or not the vendor will limit the retention of a user's data unless a valid request to inspect data are made?

6.5: Data Deletion

  • 6.5.1: Do the policies clearly indicate whether or not the vendor will delete a user's personal information when the data are no longer necessary to complete the purpose for which it was collected?
  • 6.5.2: Do the policies clearly indicate whether or not a user's data are deleted upon account cancellation or termination?
  • 6.5.3: Do the policies clearly indicate whether or not a user can delete all of their personal and non-personal information from the vendor?
  • 6.5.4: Do the policies clearly indicate whether or not there is a process for the school, parent, or eligible student to delete a student's personal information?
  • 6.5.5: Do the policies clearly indicate how long the vendor may take to delete a user's data after given notice?

6.6: Data Portability

  • 6.6.1: Do the policies clearly indicate whether or not a user can export or download their data, including any user created content on the application or service?
  • 6.6.2: Do the policies clearly indicate whether or not a user may assign an authorized account manager or legacy contact to access and download their data in the event the account becomes inactive?

7: Data Transfer

7.1: Data Handling

  • 7.1.1: Do the policies clearly indicate whether or not a user's data can be transferred by the vendor in the event of a merger, acquisition, or bankruptcy?
  • 7.1.2: Do the policies clearly indicate whether or not the vendor can assign its rights or delegate its duties under the policies to a third party without notice or consent?
  • 7.2.1: Do the policies clearly indicate whether or not a user will be notified and allowed to provide consent to a data transfer to a third-party successor, in the event of a vendor bankruptcy, merger, or acquisition?

7.3: Transfer Request

  • 7.3.1: Do the policies clearly indicate whether or not a user can request to delete their data prior to its transfer to a third-party successor in the event of a vendor bankruptcy, merger, or acquisition?

7.4: Onward Contractual Obligations

  • 7.4.1: Do the policies clearly indicate whether or not the third-party successor of a data transfer is contractually required to provide the same level of privacy protections as the vendor?

8: Security

8.1: User Identity

  • 8.1.1: Do the policies clearly indicate whether or not a user's identity is verified with personal information collected by the vendor or third party?

8.2: User Account

  • 8.2.1: Do the policies clearly indicate whether or not the vendor requires a user to create an account with a username and password in order to use the Service?
  • 8.2.2: Do the policies clearly indicate whether or not the vendor provides user managed accounts for a parent, teacher, school or district?
  • 8.2.3: Do the policies clearly indicate whether or not the security of a user's account is protected by two-factor authentication?

8.3: Third-party Security

  • 8.3.1: Do the policies clearly indicate whether or not a third party with access to a user's information is contractually required to provide the same level of security protections as the vendor?

8.4: Data Confidentiality

  • 8.4.1: Do the policies clearly indicate whether or not reasonable security standards are used to protect the confidentiality of a user's personal information?
  • 8.4.2: Do the policies clearly indicate whether or not the vendor implements physical access controls or limits employee access to user information?

8.5: Data Transmission

  • 8.5.1: Do the policies clearly indicate whether or not all data in transit is encrypted?

8.6: Data Storage

  • 8.6.1: Do the policies clearly indicate whether or not all data at rest is encrypted?
  • 8.6.2: Do the policies clearly indicate whether or not personal information are stored outside the direct control of the vendor?

8.7: Data Breach

  • 8.7.1: Do the policies clearly indicate whether or not the vendor provides notice in the event of a data breach to unauthorized individuals?

9: Responsible Use

9.1: Social Interactions

  • 9.1.1: Do the policies clearly indicate whether or not a user can interact with other users, or students can interact with other students in the same classroom, or school?
  • 9.1.2: Do the policies clearly indicate whether or not a user can interact with strangers, including adults?
  • 9.1.3: Do the policies clearly indicate whether or not information must be shared or revealed by a user in order to participate in social interactions?

9.2: Data Visibility

  • 9.2.1: Do the policies clearly indicate whether or not a user's personal information can be displayed publicly in any way?
  • 9.2.2: Do the policies clearly indicate whether or not a user's personal information can be displayed publicly, outside the context of social interactions?
  • 9.2.3: Do the policies clearly indicate whether or not a user has control over how their personal information is displayed to others?

9.3: Report Content

  • 9.3.1: Do the policies clearly indicate whether or not an educator, parent, or a school has the ability to filter or block inappropriate content, or social interactions with unauthorized individuals?
  • 9.3.2: Do the policies clearly indicate whether or not a user can report abuse or cyber-bullying?

9.4: Monitor and Review

  • 9.4.1: Do the policies clearly indicate whether or not user content is reviewed, screened, or monitored by the vendor?
  • 9.4.2: Do the policies clearly indicate whether or not the vendor takes reasonable measures to delete all personal information from a user's postings before they are made publicly visible?
  • 9.4.3: Do the policies clearly indicate whether or not social interactions between users on the website or application are moderated?
  • 9.4.4: Do the policies clearly indicate whether or not social interactions are logged by the vendor?
  • 9.4.5: Do the policies clearly indicate whether or not social interactions may be audited by a school or district?
  • 9.4.6: Do the policies clearly indicate whether or not social interactions may be audited by a parent or guardian?
  • 9.4.7: Do the policies clearly indicate whether or not social interactions may be audited by a user or eligible student?

9.5: Internet Safety

  • 9.5.1: Do the policies clearly indicate whether or not tools and processes that support safe and appropriate social interactions on the application or service are provided by the vendor?

10: Advertising

10.1: Vendor Communications

  • 10.1.1: Do the policies clearly indicate whether or not a user will receive service or administrative related email or text message communications from the vendor or third party?

10.2: Traditional Advertising

  • 10.2.1: Do the policies clearly indicate whether or not traditional advertisements are displayed to a user based on webpage content, but not a user's data?

10.3: Behavioral Advertising

  • 10.3.1: Do the policies clearly indicate whether or not behavioral or contextual advertising based on a student's personal information are displayed?

10.4: Ad Tracking

  • 10.4.1: Do the policies clearly indicate whether or not third-party advertising services or tracking technologies collect any information from a user of the application or service?
  • 10.4.2: Do the policies clearly indicate whether or not a user's information is used to track and target advertisements on other third-party websites or services?
  • 10.4.3: Do the policies clearly indicate whether or not the vendor allows third parties to use a student's data to create a profile, engage in data enhancement, social advertising, or target advertising to students, parents, teachers, or the school?

10.5: Filtered Advertising

  • 10.5.1: Do the policies clearly indicate whether or not advertisements are displayed to children under 13 years of age?
  • 10.5.2: Do the policies clearly indicate whether or not advertisements that are age inappropriate for minors are filtered (e.g., alcohol, gambling, violent, or sexual content)?

10.6: Marketing Communications

  • 10.6.1: Do the policies clearly indicate whether or not the vendor may send marketing emails, text messages, or other related communications that may be of interest to a user?
  • 10.6.2: Do the policies clearly indicate whether or not the vendor allows a user to participate in any sweepstakes, contests, surveys, or other similar promotions?

10.7: Unsubscribe

  • 10.7.1: Do the policies clearly indicate whether or not a user can opt-out of traditional, contextual, or behavioral advertising?
  • 10.7.2: Do the policies clearly indicate whether or not a user can opt-out or unsubscribe from a vendor or third party marketing communication?

10.8: Do Not Track

  • 10.8.1: Do the policies clearly indicate whether or not the vendor responds to a "Do Not Track" signal or other opt-out mechanisms from a user?
  • 10.8.2: Do the policies clearly indicate whether the vendor provides a hyperlink to a description, including the effects, of any program or protocol the vendor follows that offers consumers a choice not to be tracked?

11: Compliance

11.1: Children under 13

  • 11.1.1: Do the policies clearly indicate whether or not the vendor has actual knowledge that personal information from children under 13 years of age is collected by the application or service?
  • 11.1.2: Do the policies clearly indicate whether or not the application or service is directed to children under 13, or (even if for an older audience) would the service appeal to children under 13 years of age?
  • 11.1.3: Do the policies clearly indicate whether or not the vendor describes: (1) what information is collected from children under 13 years of age, (2) how that information is used, and (3) its disclosure practices of that information?
  • 11.1.4: Do the policies clearly indicate whether or not the vendor collects personal information from children under 13 years of age "offline"?
  • 11.1.5: Do the policies clearly indicate whether or not the vendor restricts creating an account for a child under 13 years of age?
  • 11.1.6: Do the policies clearly indicate whether or not the vendor restricts in-app purchases for a child under 13 years of age?
  • 11.1.7: Do the policies clearly indicate whether or not the application or service participates in an FTC approved COPPA safe harbor program?

11.2: Teens 13-18

  • 11.2.1: Do the policies clearly indicate whether or not personal information from teens 13 to 18 years of age are collected?

11.3: Students in K-12

  • 11.3.1: Do the policies clearly indicate whether or not the application or service is primarily used for preschool or K-12 school purposes and was designed and marketed for preschool or K-12 school purposes?
  • 11.3.2: Do the policies clearly indicate the process by which education records are entered into the application or service? For example, are data entered by district staff, school employees, parents, teachers, students, or some other person?
  • 11.3.3: Do the policies clearly indicate whether or not the vendor provides a separate agreement that provides notice to users of their rights, under FERPA?
  • 11.3.4: Do the policies clearly indicate whether or not the vendor is under the direct control of the educational institution and designated a 'school official,' under FERPA?
  • 11.3.5: Do the policies clearly indicate whether or not the vendor discloses student information as 'Directory Information' under a FERPA exception?
  • 11.4.1: Do the policies clearly indicate whether or not 'verifiable parental consent' should be obtained before they collect or disclose personal information?
  • 11.4.2: Do the policies clearly indicate whether or not a parent can consent to the collection and use of their child's personal information without also consenting to the disclosure of the information to third parties?
  • 11.4.3: Do the policies clearly indicate whether or not the vendor responds to a request from a parent or guardian to prevent further collection of their child's information?
  • 11.4.4: Do the policies clearly indicate whether or not the vendor deletes personal information from a student or child under 13 years of age if collected without parental consent?
  • 11.4.5: Do the policies clearly indicate whether or not the vendor provides direct notice to parents of its collection and diclosure practices with method to provide verifiable parental consent, under COPPA?
  • 11.4.6: Do the policies clearly indicate whether or not the vendor can collect and use personal information from children without parental consent to support the 'internal operations' of the vendor's website or service?
  • 11.4.7: Do the policies clearly indicate whether or not the vendor collects personal information from children without verifiable parental consent for the sole purpose of trying to obtain consent under COPPA?
  • 11.4.8: Do the policies clearly indicate whether or not the vendor may disclose personal information without verifiable parental consent under a FERPA exception?
  • 11.4.9: Do the policies clearly indicate whether or not responsibility or liability for obtaining verified parental consent is transferred to the school or district?
  • 11.5.1: Do the policies clearly indicate the vendor's jurisdiction that applies to the construction, interpretation, and enforcement of the policies?
  • 11.5.2: Do the policies clearly indicate whether or not the vendor requires a user to waive the right to a jury trial, or settle any disputes by Alternative Dispute Resolution (ADR)?
  • 11.5.3: Do the policies clearly indicate whether or not the vendor requires waiver of any rights to join a class action lawsuit?
  • 11.5.4: Do the policies clearly indicate whether or not the vendor can use or disclose a user's data under a requirement of applicable law, to comply with a legal process, respond to governmental requests, enforce their own policies, for assistance in fraud detection and prevention, or to protect the rights, privacy, safety or property of the vendor, its users, or others?

11.6: Certification

  • 11.6.1: Do the policies clearly indicate whether or not the vendor has signed any privacy pledges or received any other privacy certifications?

11.7: International Laws

  • 11.7.1: Do the policies clearly indicate whether or not a user's data are subject to International data jurisdiction laws, such as a privacy shield, or a safe harbor framework that protects the cross-border transfer of a user's data?
  • 11.7.2: Do the policies clearly indicate whether or not the vendor provides a Data Protection Officer (DPO) or other contact to ensure GDPR compliance?

11.8: Compliance Assessment

  • 11.8.1: Do the policies clearly indicate whether or not the data privacy or security practices of the vendor are internally or externally audited to ensure compliance?

Licensing and Attribution

The Privacy Evaluation Questions are released under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License. If you use these questions in your non-commercial project, please credit Common Sense Media as the author, and link back to the announcement post.

This is an example of proper attribution for the Questions: The Privacy Evaluation Questions were authored by Common Sense Media, and are reusable under the terms of a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License.