EvaluateUR – Privacy and Data Security Statement
Offered by the Science Education Resource Center (SERC) at Carleton College
Effective: 6/23/2026
About this Statement
This Privacy and Data Security Statement (the "Statement") describes how the Science Education Resource Center ("SERC"), an office of Carleton College ("Carleton"), collects, uses, protects, retains, and shares information in connection with the EvaluateUR assessment program and its related variants (EvaluateUR-CURE, EvaluateUR-Internship, and Evaluate-Compete), collectively the "Service".
EvaluateUR is offered to colleges, universities, government laboratories, and other organizations (each, a "Subscriber") that run undergraduate research programs and that wish to evaluate the impact of those programs on the participating students. This Statement is specific to the Service. It supplements, and where it conflicts it controls over, the general SERC Privacy Statement, which addresses the broader collection of SERC-hosted websites.
This Statement is also incorporated by reference into the EvaluateUR Terms of Service. Capitalized terms used but not defined here have the meanings given to them in those Terms.
1. Scope and Who is Covered
This Statement applies to information collected through the EvaluateUR dashboard, online assessment forms, and supporting account pages hosted within the SERC content-management system known as Serckit, as well as to communications (such as program-status emails) that the Service sends to participants. It applies to four categories of people:
- Site Administrators — the individuals designated by a Subscriber to administer a program dashboard.
- Students — the undergraduate (or, where applicable, graduate) research participants whose assessments are recorded in the Service.
- Mentors — the faculty, staff, or other mentors who, depending on the EvaluateUR variant in use, complete assessments about students.
- Subscriber contacts — the individuals at a prospective or current Subscriber who interact with SERC about subscription, billing, or support.
This Statement does not apply to the broader serc.carleton.edu public website, which is addressed by the SERC Privacy Statement, or to third-party websites that link to or from the Service.
2. Information We Collect
In the course of operating the Service, SERC collects the following categories of information:
- Account information. Name, role (administrator, mentor, or student), institutional affiliation, email address, and account credentials for users who register to use a program dashboard.
- Program information. Information that the Site Administrator provides to set up a program (program name, start and end dates, expected number of students, payment method) and the student–mentor pairings the Site Administrator enters into the dashboard.
- Assessment responses. Numeric scores, written reflections, and other responses that students and (depending on the variant) mentors submit through the initial, mid-, and end-of-research assessments.
- Service-generated information. Time-stamps showing when assessments were completed, dashboard summaries and statistics, and the operational logs needed to deliver assessment notifications and to troubleshoot.
- Authentication and session data. Information generated by the login process, including cookies used to maintain a signed-in session (see Section 8).
- Subscription and billing information. For paid subscriptions, the Subscriber's billing contact, address, and chosen payment method. Where payment is made by credit card, the card data is transmitted directly to Carleton's payment processor (see Section 6); SERC does not retain payment-card numbers.
- Communications. Email correspondence between Subscribers, Site Administrators, students, mentors, and SERC staff regarding the use, administration, or support of the Service.
Together, the account, program, assessment, and service-generated information that flows through a Subscriber's dashboard is referred to in this Statement as "Subscriber Data".
3. How We Use Information
Consistent with the long-standing SERC practice of using information only in ways consistent with the purpose for which it was provided, SERC uses the information described above to:
- provide the Service to the Subscriber, including authenticating users, displaying dashboards, delivering assessment forms, sending program-status emails, and producing the summary statistics that the Site Administrator uses to evaluate the program;
- support the Subscriber and respond to questions from the Site Administrator, students, or mentors about the program or the Service;
- maintain the security, integrity, and reliability of the Service, including by detecting, investigating, and responding to incidents;
- process subscription payments and maintain related billing records as required for Carleton's accounting and tax purposes; and
- comply with applicable law.
SERC does not sell Subscriber Data. SERC does not use Subscriber Data for advertising. SERC does not use Subscriber Data to train artificial-intelligence or machine-learning models. SERC does not use Subscriber Data for any systematic investigation designed to contribute to generalizable knowledge; any such research use by a Subscriber must be authorized in advance by the Subscriber's institutional review board (IRB) where required by the Subscriber's policies and applicable law. See https://serc.carleton.edu/evaluateur/method/security_irb.html.
SERC may produce aggregated and de-identified statistics about Service usage — for example, the number of programs, students, and completed assessments across all Subscribers in a given period. SERC may use such aggregated and de-identified information for operating, evaluating, and improving the Service and for reporting on the SERC office's grant-funded activities (including to the National Science Foundation under Grants No. 1347681 and 1347727), provided the information cannot reasonably be used to identify any Subscriber, individual, or specific program.
4. Privacy, FERPA, and Use of Education Records
SERC recognizes that, where the Subscriber is an educational agency or institution subject to the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, and its implementing regulations at 34 C.F.R. Part 99 ("FERPA"), Subscriber Data may include personally identifiable information from education records of the Subscriber's students.
With respect to such information, the Subscriber designates Carleton (acting through SERC) as a "school official" with a "legitimate educational interest" in the relevant education records under 34 C.F.R. §§ 99.31(a)(1)(i)(B) and 99.31(a)(1)(ii). In that capacity, Carleton agrees:
- Performance of an institutional service. Carleton performs an institutional service or function (program assessment and dashboard hosting) for which the Subscriber would otherwise use its own employees.
- Direct control. Carleton is under the direct control of the Subscriber with respect to the use and maintenance of education records contained in Subscriber Data. The Subscriber's designated Site Administrator may instruct Carleton to correct, export, return, or delete Subscriber Data at any time.
- Purpose limitation. Carleton will use education records contained in Subscriber Data only to provide and support the Service to the Subscriber, and not for any other purpose.
- No redisclosure. Carleton will not disclose education records contained in Subscriber Data to any third party except as expressly authorized in writing by the Subscriber, as necessary to the subprocessors identified in Section 6 to operate the Service (which are bound by confidentiality obligations consistent with this Statement and the Terms of Service), or as required by law. Carleton will comply with the redisclosure limitations of 34 C.F.R. § 99.33.
- Access by SERC personnel. Access to Subscriber Data by Jill Singer (EvaluateUR Director) and SERC staff at Carleton College is limited to what is reasonably necessary to support the Subscriber's administration of its program (for example, troubleshooting). SERC does not otherwise access or make use of Subscriber Data.
- Research use. Carleton will not use Subscriber Data for any systematic investigation designed to contribute to generalizable knowledge. A Subscriber that wishes to make such a research use must first obtain approval from its institutional review board where required by its own institutional policies and applicable law.
To the extent the Subscriber is subject to other applicable privacy or data-protection laws, the Subscriber is the controller of Subscriber Data and Carleton acts as a service provider or processor on the Subscriber's behalf. The parties will cooperate in good faith to execute any reasonable data processing addendum that the Subscriber may require, subject to mutually agreeable terms.
5. Data Security
Carleton maintains administrative, technical, and physical safeguards designed to protect Subscriber Data against unauthorized access, use, alteration, and disclosure. Without limiting the foregoing, the security measures applicable to the Service include:
- Hosting. Subscriber Data is stored in server facilities operated by Amazon Web Services ("AWS") in the United States. AWS's data-center physical-security and operational controls are described in publicly available AWS security documentation.
- Encryption in transit. All connections to the Service are made over encrypted network connections using Transport Layer Security (TLS).
- Encryption at rest. Subscriber Data is stored, in both the primary database and in backups, in encrypted form.
- Access controls. Application-level access to Subscriber Data is mediated by Serckit's authentication and authorization system. Students may view their own and their assigned mentor's assessment responses; mentors may view their own and their assigned student's assessment responses; the Subscriber's Site Administrator has access to the Subscriber's full program data; SERC system administrators have access to underlying servers, via private-key authenticated SSH, only as needed to maintain the system.
- Monitoring and updates. Serckit has been in continuous operation since 2002 and is actively maintained, with security patches applied as part of routine operations.
- Incident notification. In the event Carleton becomes aware of a confirmed breach of security leading to the unauthorized acquisition of, access to, or use or disclosure of Subscriber Data, Carleton will notify the Site Administrator without undue delay, will provide reasonably available information about the incident, and will cooperate with the Subscriber in any response and notifications that the Subscriber determines are required by law.
6. Subprocessors
Carleton uses the following categories of third-party service providers ("Subprocessors") to operate the Service:
- Cloud infrastructure: Amazon Web Services, Inc., for compute, storage, and database hosting in the United States.
- Payment processing: Carleton College's payment processor, used solely to collect subscription fees from Subscribers that elect to pay by credit card. The payment processor receives only the information needed to complete the transaction; Subscriber Data submitted through the Service is not transmitted to the payment processor.
- Transactional email: Standard email services used to deliver account, assessment, and program notifications to the Site Administrator, students, and mentors.
- Web analytics: Google Analytics (provided by Google LLC), used to understand aggregate use of the Service. See Section 8 below for what information Google Analytics receives and how to opt out.
Carleton remains responsible for the acts and omissions of its Subprocessors with respect to the obligations under this Statement and the Terms of Service to the same extent as if those acts or omissions were Carleton's own. Carleton will provide reasonable advance notice (by updating this Section or by direct notice to the Site Administrator) of any material change to its Subprocessors.
7. Data Retention, Export, and Deletion
Subscriber Data associated with a student–mentor pair is retained in the Service for one year from the date the pair begins the EvaluateUR process. After that one-year period, the data is removed from Serckit and is no longer available to Carleton or to the Subscriber through the Service. The Site Administrator may export Subscriber Data through the dashboard at any time during the retention period and is responsible for retaining any copies the Subscriber needs for its own evaluation purposes.
Upon written request from the Site Administrator, Carleton will, within a reasonable period (and in any event within 60 days), return or delete Subscriber Data in its possession, subject to retention required by law and to retention in routine backups that are subject to scheduled overwrite.
Account and billing records associated with a Subscriber may be retained for longer than one year to the extent necessary for Carleton's accounting, tax, and audit purposes.
8. Cookies, Authentication, and Web Analytics
The Service uses cookies that are necessary to operate the dashboard and assessment forms, and uses Google Analytics to understand aggregate site usage. Specifically:
- Session cookies. When a Site Administrator, mentor, or student signs in to the Service, the Serckit platform sets a first-party cookie that keeps the user signed in for the duration of the session. This cookie is required for the Service to function; disabling it will prevent use of the Service.
- Account cookie. Users with a SERC account may have a longer-lived first-party cookie that records the signed-in state, consistent with the practice described in the SERC Privacy Statement.
- Google Analytics. The Service uses Google Analytics to help SERC understand which pages within the Service are used and how the Service is performing in aggregate. Google Analytics receives standard web-analytics information about each page request — such as the page URL, browser and device type, approximate geographic location derived from IP address, and time of access — through a first-party cookie set by the Service. Google Analytics does not receive assessment responses, written reflections, mentor comments, or other Subscriber Data, and Carleton has not enabled Google Analytics's advertising or audience-sharing features. Carleton uses Google Analytics output only in aggregate and does not attempt to use it to identify the activity of individual users. For more information about Google Analytics and to install a browser opt-out, see the Google Analytics Privacy page and the Google Analytics Opt-out Browser Add-on.
Beyond the items listed above, the authenticated EvaluateUR dashboard, assessment forms, and account pages are not instrumented with AddThis, social-sharing widgets, advertising networks, or other third-party trackers, and Subscriber Data is not exposed to any third-party service except as described in Section 6.
9. Rights of Subscribers, Students, and Mentors
Because EvaluateUR operates under the Subscriber's direction with respect to education records, requests by individual students or mentors to access, correct, or delete their information should be directed in the first instance to the Subscriber's Site Administrator. The Site Administrator can use the dashboard to view and, where appropriate, edit or delete a particular student or mentor's information, and may instruct SERC to take any further action that the Subscriber determines is appropriate. SERC will assist the Site Administrator in giving effect to such requests.
A student or mentor who is unable to reach their Site Administrator and who has a privacy question or concern may contact SERC directly using the contact information in Section 12. SERC will respond and, where appropriate, coordinate with the Subscriber.
10. Children's Privacy
EvaluateUR is designed for use by undergraduate and graduate research programs and is not directed to children under 13 years of age. SERC does not knowingly collect information from children under 13 through the Service. If you believe a child under 13 has provided information through the Service, please contact SERC using the contact information in Section 12 so the information can be reviewed and, where appropriate, deleted.
11. Changes to this Statement
SERC may update this Statement from time to time to reflect changes to the Service, to Subprocessors, or to applicable law. The "Effective" date at the top of this Statement indicates when it was last revised. Material changes will be communicated to Site Administrators of current Subscribers by email at least thirty (30) days before they take effect, and prior versions will be available on request. Continued use of the Service after a change to this Statement takes effect constitutes acceptance of the revised Statement.
12. Contact
Questions about this Statement, about how SERC handles Subscriber Data, or about privacy and data security in the Service may be directed to:
Sean Fox
Carleton College, One North College Street, Northfield, MN 55057
Email: sfox@carleton.edu
Phone: (507) 222-4365
Web: https://serc.carleton.edu/evaluateur/contact_us.html
