Vendors A-H

New York Education Law §2-d gives parents the right to access certain information about agreements the NYC DOE has entered into with outside entities (such as vendors) who are permitted to receive or to access identifiable student information from the DOE. These entities are required to answer a number of questions about their privacy and data security practices. Responses from such outside entities to these questions are found below. Please note that this page will be updated on a periodic basis with responses from additional outside entities.

PLEASE NOTE: The entities listed below do not comprise a list of “approved DOE vendors” and therefore should not be thought of as such. Some entities listed below may have agreements that have expired or were terminated, but whose information has not yet been moved or removed. Other entities, whose names do not appear below, may have agreements with the DOE, or agreements that are in progress, but their responses are still being processed and have not yet been posted.

Listed in Alphabetical Order:

21st CentEd

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term:

    Contract State Date: February 1, 2022

    Contract End Date: February 1, 2023

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. 21stCentEd’s online educational services collects contextual or transactional data as part of its operations, often referred to as “metadata.” Metadata refer to information that provides meaning and context to other data being collected; for example, information about how long a particular student took to perform an online task has more meaning if the user knows the date and time when the student completed the activity, how many attempts the student made, and how long the student’s mouse hovered over an item (potentially indicating indecision). This metadata is not linked to FERPA-protected information.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The 21stCentEd Data Security Plan (DSP) details procedures implemented at the administrative level to protect private information such as training personnel on information handling best practices. The DSP also outlines the physical protections implemented for protecting private information such as ensuring paper records and servers are secured and access-controlled. Lastly, the DSP includes 21stCentEd’s technology-based instruments and procedures used to protect private information such as requiring Common Access Cards for System Access and encrypting computers and emails.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Acadience Learning Inc. (ALI)

  1. Type of Entity: Research Institution or Evaluator
  2. Contract / Agreement Term: ALI does not have a current contract, but has submitted under MTAC # R1121. [NYCDOE Comment: NDA was signed on 6/25/2021]
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The purpose for which ALI will receive/access PII is to provide online assessment and data management services for Acadience assessments and for psychometric and research services which may be called upon by NYC DOE.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Acadience Learning Online (ALO) system follows industry-standard best practices to ensure that all system data, including data containing PII, is secure and protected at all times. Technical security protections include, but are not limited to: encryption of data in transit and at rest, use of US based servers, proactive monitoring of network access, and regular security testing and review of results. ALI takes a proactive stance on mitigating data privacy and security risks by utilizing strong security procedures and protocols. Additionally, ALI upholds rigorous internal policies to ensure that employees with access to data containing PII follow strict procedures related to the handling and management of sensitive information. Employees with access to sensitive information must first complete required training before gaining ALO system access, and system access is limited to employees who need access to the information to complete job duties.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Accelerate Learning Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.
    PII is utilized solely for application operations and curriculum interaction by students and teachers. [DOE Comment: For the products STEMscopes, Math Nation]
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations.
    Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subtractor, i.e. Amazon Web Services.”
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Accelerate Learning (ALI) implements cybersecurity practices and requirements based upon CIS’s well-established Controls and Benchmarks that are compliant with the federal standards in the Federal Information Security Management Act (FISMA) in NIST Special Publication 800-53 Revision 5, published September 2020. We implement authentication, authorization and accounting (AAA) based on these controls following a least privileged model. Additionally, ALI utilizes leading industry tools to monitor, restrict, and secure information resources and sensitive data. The fundamentals of our security operations include:
    • Passwords and Employee Access. Accelerate Learning Inc secures all usernames, passwords, and any other means of gaining access to the Services or to Student Data, at a level suggested by the applicable standards, as set forth in Article 4.3 of NIST 800-63-3. ALI only provides access to Student Data to employees or contractors that are performing the Services. Employees with access to Student Data shall have signed confidentiality agreements regarding said Student Data. All employees with access to Student Records shall be subject to criminal background checks in compliance with state and local ordinances.
    • Destruction of Data. Accelerate Learning Inc destroys or deletes all Student Data obtained under the Service Agreement when it is no longer needed for the purpose for which it was obtained.
    • Security Protocols. Accelerate Learning Inc utilizes security protocols that meet industry standards in the transfer or transmission of any data, including ensuring that data may only be viewed or accessed by parties legally allowed to do so.
    • Employee Training. Accelerate Learning Inc conducts periodic security training to those of its employees who operate or have access to the system.
    • Security Technology. When the service is accessed using a supported web browser, Accelerate Learning Inc employs industry standard measures to protect data from unauthorized access. The security measures include firewalls, deep packet inspection, application stream analysis, restrictive load balancing, network segmentation, network ACLs, data transit encryption utilizing TLS 1.2 with 2048-bit certificates, data at rest encryption utilizing 256-bit AES encryption, log aggregation and analysis, vulnerability management and remediation process, application authentication, server authentication and administrative authentication following least privileged access.
    • Periodic Risk Assessment. Accelerate Learning Inc conducts regular digital and physical risk assessments and remediates any identified security and privacy vulnerabilities in a timely manner.

    We adhere to the following standards, laws, and certifications:
    • NIST Cybersecurity Framework v.1.1
    • NIST SP 800-53 Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (CSF), SP 800-171
    • ISO 27000 Series
    • Center for Internet Security (CIS) Critical Security Controls (top 20)
    • Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)
    • Children's Online Privacy Protection Act (COPPA)
    • Protection of Pupil Rights Amendment (PPRA)
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

The Achievement Network

1. The exclusive purposes for which Protected Information will be usedThe information collected is first used to enable access to ANet’s online platform, myANet, which provides resources and reports for District and Schools leaders. These data also allow ANet coaches and school leaders to understand student performance on interim assessments administered. These learnings then enable ANet to provide the appropriate guidance and best practices to boost student learning. Additionally, we also occasionally use anonymized, aggregated student response data to inform our own internal analyses of the efficacy of our services and tools.

2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: ANet and our partners are considered to be a “School Official” under FERPA. Access to data reports that include more granular student data can only be accessed through our secure data reporting platform. Any individual or non-aggregated student data is available only to that student's school leaders and teachers, not to other educators in the network.

3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: ANet typically retains all data collected. In the event that a partnership with ANet is concluded, user access to the myANet platform will be terminated on a mutually agreed upon date. This ensures that the data collected for that partner is no longer available to other schools within the district that utilize the platform.

[NYC DOE comment: The current agreement became effective starting on December 20, 2019 and terminates when all NYC DOE schools and/or offices cease using The Achievement Network’s products/services. The terms of the agreement remain effective through the period during which The Achievement Network possesses or otherwise is in control of covered protected information.]

4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.

[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Our data and servers are part of AWS and are housed in US-based AWS data centers. https://aws.amazon.com/compliance/data-center/controls/. At our offices we do not have any servers.

6. How the data will be encrypted (described in such a manner as to protect data security): 

- Applications communicate with RDS databases within a secure Virtual Private Cloud (VPC) via Transport Layer

Security version (TLS) 1.0 and 1.2.

- AWS RDS encryption at rest with KMS uses FIPS 140-2 validated hardware security modules (HSMs) to generate

AES-GCM 256-bit keys.

Actively Learn Inc

1. The exclusive purposes for which Protected Information will be used: Actively Learn uses Protected Information solely to provide the Actively Learn educational service to NYC students, teachers, and schools.
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: We will carefully review sub-processor privacy agreements and terms of service to ensure that they abide by the data protection and security requirements required by our NDA with the NYC DOE.
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon written request from NYC DOE, we can delete or de-identify NYC data in our platform. 
[NYC DOE comment: The current agreement became effective starting on March 20, 2020 and terminates when all NYC DOE schools and/or offices cease using Actively Learn Inc’s products/services. The terms of the agreement remain effective through the period during which Actively Learn Inc possesses or otherwise is in control of covered protected information.]
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All Protected Information is stored in the US (AWS us-east-1 and us-west-2 datacenters). Data is encrypted both at rest and in transit. Actively Learn employees with access to Protected Information access it via a browser over SSL (support staff) or directly over a password-protected private-key SSH tunneled. Connection to our platform database (engineering staff).
6. How the data will be encrypted (described in such a manner as to protect data security): Platform data is encrypted at rest using AES-256-GCM encryption provided by AWS’s Aurora managed clustered database service and AWS’s Key Management Services (KMS), Platform data is encrypted in transit between the database and our platform via SSL. 

Adobe

The exclusive purposes for which Protected Information will be used:

The NYCBOE uses Adobe products and services for its students in the K-12 school environment. Protected information (as defined in the Additional Terms) will be provided to Adobe and used by Adobe for the purposes of providing such student services to the NYCBOE and its students under the agreement between Adobe an NYCBOE. [NYC comment: Adobe refers to the New York City Department of Education as NYCBOE throughout the agreement.]

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:

In the event that Adobe engages subcontractors or other authorized representatives to perform one or more of its obligations under the agreement, it will require those to whom it discloses protected information to be subject to contractual data protection terms at least as restrictive as those set forth in the agreement, and those subcontractors or other authorized representatives shall have a legitimate need to access protected information in connection with their responsibilities in providing services to Adobe.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:

The initial term of the agreement with the NYCBOE will be thirty-six (36) months from the effective date. Upon expiration of the additional terms without renewal, or upon termination of the additional terms prior to expiration or termination of a student account, Adobe will adhere to the student data retention and deletion protocols agreed to with the NYCBOE and set forth in Seton 5.4 of the Additional Terms of the Agreement. [NYCDOE comment: the Agreement was signed and put into effect on February 28, 2022.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:

Pursuant to Section 6.3 of the Additional Terms, Adobe will work with the NYCBOE to process requests for copies of, and challenges to the accuracy of, protected information in the custody or control of Adobe. Such requests should be directed to the NYCBOE at studentprivacy@schools.nyc.gov.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security):

Any protected information Adobe receives will be stored on systems in a secure data center facility. Adobe processes and stores information in the U.S. and other regions, which made include Europe and Japan. Adobe Cloud Services meet the specific requirements of data protection, including, but not limited to, Article 28 of the General Data Protection Regulation and which are listed as SOC2, Type 2 (Security and Availability) and ISO 27001 compliant and others as indicated at http://www.adobe.com/go/cloudcompliance. Additional information on Adobe’s various security controls and processes for its products and services are located in Exhibit C (Technical Organizational Measures) to the Additional Terms of the Agreement.

How the data will be encrypted (described in such a manner as to protect data security):

Adobe uses technologies, safeguards and practices, including, but not limited to, encryption, firewalls, password protection, and/or equivalent that are consistent with its industry standards. Adobe Cloud Services meet the specific requirements of data protection, including, but not limited to, Article 28 of the General Data Protection Regulation and which are listed as SOC2, Type 2 (Security and Availability) and ISO 27001 compliant and others as indicated at http://www.adobe.com/go/cloudcompliance. Additional information on Adobe’s various security controls and processes for its products and services are located in Exhibit C (Technical Organizational Measures) to the Additional Terms of the Agreement.

Agile Mind

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: [NYCDOE Comment: NDA was signed on 7/12/2021]
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Agile Mind provides comprehensive math and science programs for middle and high schools. To that end we store a student’s name, school, grade level and DOE assigned login ID– all nonsensitive PII.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data (not just PII) is stored in a highly secure fashion. Data is protected using encryption while in motion and at rest by serving all data via HTTPS and storing it in a secure manner. For storage specifically, all data is stored by MySQL Data at Rest Encryption. The security of this data is ensured by limited employee electronic access to production databases, and databases are housed in a secure data center with physical security and a named access list for visitors.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. 

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Amplify Education, Inc. 

1. The exclusive purposes for which Protected Information will be used: PISI will be used in accordance with Section 2 above.
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: The Recipient will share Confidential Information in accordance with Section 4 above.
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The Recipient shall treat PISI in accordance with Section 7 above.
[NYC DOE comment: The current agreement became effective starting on August 20, 2019 and terminates when all NYC DOE schools and/or offices cease using Amplify Education, Inc.’s products/services. The terms of the agreement remain effective through the period during which Amplify Education, Inc. possesses or otherwise is in control of covered protected information.]
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: The Recipient shall notify the BOE of any such challenges in accordance with Section 5 above.
[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI will be stored only in the United States. Recipient will follow the Security precautions as described in Attachment B.
6. How the data will be encrypted (described in such a manner as to protect data security): As described in Attachment B, Recipient follows NIST guidelines and industry best practices in data encryption.
• In transit: Recipient encrypts all student personal information in transit over public connections, using Transport Layer Security (TLS), commonly known as SSL, using industry-standard ciphers, algorithms, and key sizes.
• At rest: Recipient encrypts student personal information at rest using the industry standard AES-256 encryption algorithm.

Aperture Education, LLC

1. Name of Entity 

  • Aperture Education, LLC

2. Type of Entity

  • Commercial Enterprise

3. Contract / Agreement Term

  • Contract Start Date: July 1, 2021
  • Contract End Date: June 30, 2024

4. Description of the exclusive purpose(s) for which Entity will receive/access PII

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

  • Aperture will use PII to administer student social and emotional assessments to be completed by students, teachers and (optionally) parents. PII will also be used in reporting (e.g., to disaggregate data by subgroup).

5. Type of PII that the Entity will receive/access

  • Student PII

6. Subcontractor Written Agreement Requirement

In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations.

  • The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

7. Data Transition and Secure Destruction

  • Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII

8. Challenges to Data Accuracy

In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  • The entity agrees to follow the procedure outlined above.

9. Security and Storage Protections

Describe where PII will be stored or hosted:

  • Using a cloud or infrastructure owned tool hosted by a subcontractor

10. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. (Please do so in a manner that ensures that disclosure of the description on NYC DOE’s website will not compromise the security of the data or the Entity’s security practices and protocols):

  • Aperture Education considers security of PII to be of utmost importance. As such, we follow a rigorous security policy which includes, but is not limited to, third party penetration and security testing, annual security training of all of our employees, completion of background checks on our employees, encryption of confidential information in transit and at rest, and limiting user access to confidential information based on role. Please see our security policy for more information.

11. Encryption

Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

  • Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Applied Curiosity Research, LLC

  1. Type of Entity: Research Institution or Evaluator
  2. Contract / Agreement Term:
    Contract Start Date: 2/1/ 2022
    Contract End Date: 1/31/2027
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We are conducting a mixed-methods, implementation evaluation of a pilot program with students from two NYC schools. The pilot program occurs for five weeks over the summer and consists of a blend of classroom instruction from DOE teachers and community-based organizations as well as work-based learning. The focus of the pilot program is promoting computer science skills and knowledge while exposing students to careers in related fields. Research participants include participating students, teachers, and select agency stakeholders. The goals of the evaluation are to collect evidence of student outcomes, understand barriers and affordances to program implementation, assess the extent to which activities are completed as intended, identify best practices, and inform effective scaling of the program.

    Methods include student pre/post surveys administered in class, student focus groups, teacher in-depth interviews, and in-depth interviews with key stakeholders.

    The only PII we will collect is student and teacher names during the consent process. Consent is critical to ensure participants understand their rights as a research participant, including that the research is voluntary and how their information will be handled. Consent is also a mandatory requirement for NYC DOE IRB.
  4. Type of PII that the Entity will receive/access: Student PII. We may collect student, parent, or teacher names on consent forms. We may also collect student names for the purpose of focus group attendance lists. We will not, however collect student names that are attached to any academic or demographic data.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. The Entity selected “Other: We will remove all PII from any documents or digital files (consent form, survey responses, audio files, notes, transcripts) and replace this with an ID number assigned by the study team. The document linking IDs to PII will be stored in a password protected folder on an encrypted external drive, in a locked cabinet, accessible only by the principal investigator.”
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We will remove all PII from any documents or digital files (consent form, survey responses, audio files, notes, transcripts) and replace this with an ID number assigned by the study team. The document linking IDs to PII will be stored in a password protected folder on an encrypted external drive, in a locked cabinet, accessible only by the principal investigator.

    Any PII will be kept secure and only used for study purposes, except as otherwise required by law. The study team will not disclose participant’s names or any personally identifiable information in any report or presentation.

    De-identified consent forms, audio files, notes, survey data, and transcripts will be stored on a password-protected, encrypted cloud storage system accessible only by the project team.

    After three years, we will delete and overwrite copies of all data and also wipe all blank space on the external hard drive to ensure there are no elements of the files retained on the drive.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Attainment Company

The exclusive purposes for which Protected Information will be used:

Products provided include AAC applications & devices for student communication needs; student & teacher instructional applications/software for special education.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:

Attainment provides industry standard data protection and security; annually authorized staff are trained on the appropriate requirements of FERPA, COPPA & SOPPA. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:

Protected information is returned to the district & after 30 days purged from Attainment systems. 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:

Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security):

All data is stored in the US with AWS certified protected industry standard practices.

How the data will be encrypted (described in such a manner as to protect data security):

The transmission is controlled using TLS (Transport Layer Security) encryption for the browser to database connection. The data is encrypted between the client computer and Attainment’s servers. The Hub uses HTTPS (Hypertext Transfer Protocol Secure) over a secure SSL.

Beam Center

  1. Type of Entity: Community Based Organization or Not-for-Profit
  2. Contract / Agreement Term:
    Contract Start Date: July 15, 2022
    Contract End Date: July 14, 2027
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Beam Center school partnerships combine both professional learning opportunities for teachers with a wide range of direct services for students. Professional learning and DSS are woven together in a way that reaches students immediately and builds long-lasting skills for teachers.
    • IN-SCHOOL PROJECTS
      • Fundamentals Projects are projects designed by Beam Center staff with the purpose of introducing students and teachers to basic skills in one or more making disciplines such as woodworking, programming, electronics, and digital fabrication skills.
      • In-Class Collaborative Projects are co-designed by teachers from our 29 partner schools and Beam Center Project Designers for implementation in classrooms.
    • PROFESSIONAL DEVELOPMENT
      • Custom Project Development is a professional learning opportunity for teachers and administrators from Beam Center’s 29 partner schools. In this program, Beam Center Project Designers introduce educators to our practice of hands-on project design as well as various technical making disciplines. With guidance from our staff, teachers collaborate to design a custom project for their classroom that is aligned to the learning goals, standards, and/or curriculum that educators are working with in their classrooms. Educators produce project plans, materials lists, and day-by-day schedules for the collaborative projects that they design. Participants in this program spend 12-18 hours total on this process; these hours are eligible for CTLE requirements.
    • Beam Center receives Student PII (names only) for the purposes of invoicing schools. We receive Teacher PII (names only) for the purposes of PD attendance sheet and for certifying CTLE credit.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Beam Center currently stores all student digital information (name, phone number, email address) on Google Suite documents that are accessible by only a restricted number of personnel directly responsible for managing the program covered by this contract, trained on DOE’s and Beam Center’s privacy and security policies and protected by secure passwords that are updated every 90 days. Beam Center does not collect student Social Security Numbers or OSIS numbers. If a school inadvertently shares OSIS numbers with Beam Center the documents are shredded or hard-deleted from digital storage. At this time, Beam Center uses no proprietary or in-house developed software applications or databases to manage participant data and if ever should do so, it will be developed to meet industry standards and best practices for security and privacy.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Big Ideas Learning, LLC

1. The exclusive purposes for which Protected Information will be used: We store and process your personal information to authenticate your user's license and to grant you access to the applicable materials. We also use information we collect to analyze trends, to administer the site, and to track users' movements around the site. We also use this information to improve the site and to make it more useful to visitors.
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: We contractually bind any subcontractors with access to Protected Data to the same rules we must follow.
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: We will delete the Protected Information within 90 days of agreement expiration.
[NYC DOE comment: The current agreement became effective starting on November 25, 2020 and terminates when all NYC DOE schools and/or offices cease using Big Ideas Learning, LLC’s products/services. The terms of the agreement remain effective through the period during which Big Ideas Learning, LLC possesses or otherwise is in control of covered protected information.]
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.

[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Physical safeguards are conducted by Big Ideas Learning's contracted server hosting company,
Rackspace. PDF certificates for data center infrastructure [redacted] are available upon request. Technical safeguards include (1) encrypting district data in transit and at rest using SSL (Secure Sockets Layer), (2) PII database encryption, and (3) deploying Sophos anti-virus protection and Fail 2 Ban intrusion detection. Data is stored in the United States. 
6. How the data will be encrypted (described in such a manner as to protect data security): User data tables are encrypted at rest and in transit. See answer 5 for more information.

CAMBA, Inc (Community Schools Program)

  1. Type of Entity: Community Based Organization or Not-for-Profit
  2. Contract / Agreement Term:
    Contract Start Date: July 1, 2022
    Contract End Date: June 30, 2024
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CAMBA engages in joint review of student data, both personal and academic, with both NYC DOE and CAMBA staff who work with our students. The Community Schools Program utilizes data monitoring tools and surveys created by DOE and CAMBA’s Data, Assessment, Research and Evaluations (DARE) department to track student attendance and progress. The results from these data monitoring tools and surveys provide the Learning to Work program, Principal, and school administration with the information necessary to create goals and establish areas of focus. Qualitative data is essential to our understanding of what is working well and what needs improvement.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. Upon expiration or termination of the contract for any reason, CAMBA shall return or destroy all PII received from DOE or created by CAMBA on behalf of DOE and certify in writing to such return or destruction. This provision shall apply to PII that is in the possession of CAMBA’s subcontractors. CAMBA shall retain no copies of the PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an entity-owned and/or internally hosted solution.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CAMBA’s policies are designed to ensure that client information is protected. All client files are maintained in locked filing cabinets in the program offices. Access to client files and information is limited to staff with a need to have such access. Electronic information is kept in a secure database that is segregated from CAMBA’s agency-wide client management system, and only staff with specific permissions can have access to information in the database. Mandatory training is provided to all staff on the requirements and importance of the agency’s confidentiality policy. Client information, records, and data are not disclosed by CAMBA to any person, organization, agency, or other entity except as authorized by law. Our database management systems supports the creation of user accounts, roles, user group security and permissions based on programs’ protocols. We maintain clients’ data confidentiality by creating the specific workgroups and security organizations in database systems. We practice Universal Precautions/Standard Protocol & Procedures and comply with any and all Federal, State, City and CAMBA confidentiality, privacy, and security laws, specifically including, but not limited to, HIPPA. We use appropriate safeguards to prevent use or disclosure of the PII and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentially, integrity, and availability of the electronic PII.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CAMBA, Inc (Learning to Work Program)

  1. Type of Entity: Community Based Organization or Not-for-Profit
  2. Contract / Agreement Term:
    Contract Start Date: July 1, 2021
    Contract End Date: June 30, 2023
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CAMBA engages in joint review of student data, both personal and academic, with both NYC DOE and CAMBA staff who work with our students. The Learning to Work Program [at a Transfer School at Brooklyn Academy and for Young Adult Borough Centers (YABC) at Franklin K. Lane] utilizes data monitoring tools and surveys created by DOE and CAMBA’s Data, Assessment, Research and Evaluations (DARE) department to track student attendance and progress. The results from these data monitoring tools and surveys provide the Learning to Work program, Principal, and school administration with the information necessary to create goals and establish areas of focus. Qualitative data is essential to our understanding of what is working well and what needs improvement.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. Upon expiration or termination of the contract for any reason, CAMBA shall return or destroy all PII received from DOE or created by CAMBA on behalf of DOE and certify in writing to such return or destruction. This provision shall apply to PII that is in the possession of CAMBA’s subcontractors. CAMBA shall retain no copies of the PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an entity-owned and/or internally hosted solution.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CAMBA’s policies are designed to ensure that client information is protected. All client files are maintained in locked filing cabinets in the program offices. Access to client files and information is limited to staff with a need to have such access. Electronic information is kept in a secure database that is segregated from CAMBA’s agency-wide client management system, and only staff with specific permissions can have access to information in the database. Mandatory training is provided to all staff on the requirements and importance of the agency’s confidentiality policy. Client information, records, and data are not disclosed by CAMBA to any person, organization, agency, or other entity except as authorized by law. Our database management systems supports the creation of user accounts, roles, user group security and permissions based on programs’ protocols. We maintain clients’ data confidentiality by creating the specific workgroups and security organizations in database systems. We practice Universal Precautions/Standard Protocol & Procedures and comply with any and all Federal, State, City and CAMBA confidentiality, privacy, and security laws, specifically including, but not limited to, HIPPA. We use appropriate safeguards to prevent use or disclosure of the PII and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentially, integrity, and availability of the electronic PII.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CareerSafe, LLC

The exclusive purposes for which Protected Information will be used:

Student name and course completion information is used to process course completion wallet card from the U.S. Department of Labor, OSHA.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:

As an OSHA-Authorized Provider, CareerSafe is required to provide student data to OSHA. We are contractually obligated to provide student name and course completion information to OSHA for the purpose of providing students with an OSHA completion card. OSHA, as part of the U.S. Department of Labor, complies with Federal data security standards. No student data is shared with any other organization or individual. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:

Student completion records will be maintained for five years, after which, CareerSafe will destroy and delete all the data in its entirety in the manner that prevents its physical reconstruction. 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:

In accordance with their contract, CareerSafe will work with the NYC DOE in processing challenges to the accuracy of student data in CareerSafe’s custody. 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security):

All at rest data is FIPS 140-2 compliant / certified process used to encrypt the student data while at rest on the application database. Student data is stored in/on an application database, located in the Amazon Web Services hosting facilities. The back-up data is presently stored on site in a secured storage unit. No data is store outside of the US. All data is fully encrypted to an AES 256 bit standard at rest and while in transit. All network devices and storage units are restricted to only be access by administrators. 

How the data will be encrypted (described in such a manner as to protect data security):

All data is fully encrypted to an AES 256 bit standard at rest and while in transit.

CareMonkey Inc. 

1. The exclusive purposes for which Protected Information will be used: CareMonkey is used by schools to send consent and other school forms and collect responses from parents/guardians and/or staff members. It is also used for internal approval processing such as a field trip being approved. PISI is used to know who to send notifications to, e.g., an email notification to a parent to tell them there is a new consent form they need to sign, or an email notification to a school principal informing them there is a field trip to approve. The system uses basic information about students, parent contacts, classes (roster) and staff so that forms can be delivered to the right people or parents of a class.
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: • Note, we have no sub-contractors. Our support services are provided by our own team.
• CareMonkey follows the principle of “Least Privileged Access” whereby user accounts are provided the most restrictive access necessary to perform the required business function.
• Access to data is restricted depending on job roles and all access is tracked.
• As part of our Information Security Program we maintain a systems access register.
• Access to sensitive data is restricted to those few with a need to know and must be approved by management.
• Access accounts have username and passwords with Two Factor Authentication (2FA).
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The NDA will apply for each school upon signing up to CareMonkey.
The NDA will end for each school when they close their CareMonkey account.
Schools can close their account and delete their data at anytime. The data is immediately no longer available after deletion. Backups are retained for three years.
Note that after closing their accounts schools can choose to retain their data in archive only mode for as long as required.
[NYC DOE comment: The current agreement became effective starting on August 6, 2019 and terminates when all NYC DOE schools and/or offices cease using CareMonkey Inc’s products/services. The terms of the agreement remain effective through the period during which CareMonkey Inc. possesses or otherwise is in control of covered protected information.]
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. However, please note, that the data is entered by the parent (re parent forms) and entered by the staff member (re staff forms) so this type of scenario is unlikely.
[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): 

• CareMonkey’s physical infrastructure is hosted and managed within Amazon’s secure data centers, utilising Amazon Web Services (AWS) technology.

• AWS data centers are state of the art, utilising innovative architecture and engineering approaches. AWS provides a highly reliable, scalable and secure infrastructure platform that powers hundreds of thousands of businesses in 190 countries across the world.
• Your data is stored on servers in your region and will never be stored outside of that region. Hence, United States User data is stored in the United States.
6. How the data will be encrypted (described in such a manner as to protect data security):
• CareMonkey uses the highest standards in Internet and data security. 
• Data is always encrypted at rest and in transit. 
• Our security layers include strong cryptographic implementations (such as 256 bit encryption, 128 bit data encrypted SSL systems using Advanced Encryption Standards) and defensive-in-depth network protection (with multiple firewalls, intrusion prevention appliances, and active monitoring systems).

CCI Learning Solutions Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term:

    Contract Start Date: March 2022

    Contract End Date: March 26, 2026

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Jasperactive is a web-based learning product designed for Microsoft Office with tailored exercises for Word, Excel, and PowerPoint, Outlook and Access. Students are delivered a Benchmark, Lessons and Create Exercises. The primary purpose of Jasperactive is to teach the students the required fundamentals to pass the Microsoft Office Certification exams.
  4. Type of PII that the Entity will receive/access: Student PII
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CCI Learning Solutions Inc. is committed to protecting users’ privacy and PII and developing technology that gives users’ the most powerful and safe online experience. We safeguard PII through a combination of policies, procedures, training, segregation of duties and robust systems, security and technology. We mitigate data privacy and security risks by following and adhering to industry protocols, standards and practices, employing up to date technology, training and segregation of duties and user access controls.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Chinese American Planning Council, Inc

  1. Please include a brief description of the product(s) or service(s) being provided, and the exclusive purposes for which Protected Information will be used, collected or otherwise processed: The Chinese-American Planning Council, Inc. (CPC) Project Reach program will provide Department of Education (DOE) funded MTAC R1155 for Components of 1) Social Emotional Learning, 2) Respect for Diversity and 3) School Culture and Climate/Approach to Establishing and Sustaining a Positive School Culture as part of the services to promote safe and supportive school communities. DOE Principals, through this contract, request CPC Project Reach staff to provide workshops and trainings to support and enhance safe school cultures for youth, families and staff of DOE schools.

    While it is not the policy of CPC to retain protected information, identifiable information may be kept in certain records required to work with the DOE, such as sign-in sheets showing attending students' names which are generally collected to verify that workshops were provided.

    CPC Project Reach, to evaluate its own services, shares an anonymous survey at the end of a workshop for students, family members and/or school staff. No identifiable protected information will be requested and any results reported in the aggregate.

    Occasionally, CPC staff, usually by request of city or state agencies, may ask for student or staff home zip codes to better understand where in NYC Project Reach has had a possible impact. This information is collected but only shared in the aggregate.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share Protected Information with will abide by data protection and security requirements required by your agreement with the NYC DOE: Any CPC subcontractors, authorized persons or entities will adhere to the protocols and protections set forth in Education Law § 2-d.

    CPC uses several services such as internet providers like online Microsoft 365 Enterprise services and some technical vendors who support our program administrations/operations. Any technical vendors CPC retains will honor those protections for students and participant information to meet the standards of the Education Law § 2-d.

    CPC has insurance in place and follows a yearly review of IT and technical processes agency wide to ensure best practices are continuously reviewed, monitored, and improved annually.
  3. When your agreement with the NYC DOE starts and ends, and (ii) what happens to Protected Information upon expiration of the agreement: Upon expiration of the DOE-funded MTAC Rl 155 program, or upon request by the DOE, CPC can provide the appropriate certification that destruction of data related to any protected information is completed. In general, CPC's current practices involve maintaining data for the prescribed period of time per the requirements of the funder, City, New York State or federal guidelines. After this, CPC destroys all paper documents on-site or through a third-party vendor specializing in this process/activity. Digital records are deleted and servers scrubbed.
  4. If and how a parent, student, eligible student, teacher or principal may obtain copies of, and challenge the accuracy of, the Protected Information in the custody or control of the Contractor: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE to process requests for copies of, and challenges to the accuracy of, Protected Information in the custody or control of the Contractor. Such requests should be directed to studentprivacy@schools.nyc.gov.
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and (ii) the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): CPC uses Microsoft Office 365 Enterprise. Microsoft 365 Enterprise's data at rest is located in the United States. It also has inherent high-quality security protections. For example, in the event a staff member sends an email or shares a file through email containing personal information, Office 365 uses DLP policies to protect the information. For emails it will encrypt the message so that only the receiver can read it. A link and a pin will be sent to them to open the email. File sharing also uses the same verification method.
  6. How the data will be encrypted (described in such a manner as to protect data security): CPC inherits the same Data Encryption provided by Microsoft on their Office 365 Enterprise platform. All sensitive information is given an extra layer of encryption, as part of CPC multifactor authentication (MFA). The user login is paired with a password and a SMS code to verify the login. CPC and our technology vendors maintain encryption, firewalls, and password protection protocols.

Circles Learning Labs, Inc

1. The exclusive purposes for which Protected Information will be used: Our goal is to provide an easy, fast and reliable meeting platform. For this reason, we ask for and store minimal information; first name, last name and email. Your information is stored in a safe and protected environment (encrypted at rest and in motion). 

2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: We do not share data with external parties. Employees of Circles are required to sign a non-disclosure agreement when starting their work agreement with Circles. 

3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Start: 7/31/2020, End: unknown

All meeting data is stored for 2 hours after the end of the conference, after which it is deleted. During this time, any user can choose to download the chat from the meeting room should they wish to save the data. Additionally, a user can make notes during a meeting and share these with others later. 
 
Participant attendance to a meeting is recorded, as is the duration (much like you’d expect from a phone call record.)
 
Action items are stored on the local server so they can be used in the next meeting. This data is private between you and circles only. It is never given or sold to a third party.
 
Troubleshooting data to help detect and resolve technology problems is stored for 30 days, and automatically deleted after. This may contain user identifies such as names/system ID’s to help the support and operation teams, but no other personal information. 
 
Upon termination of the contract all data is automatically deleted from our database. Anonymized feature data is retained to enable us to improve services by helping us understand which features of the system are most used, and which are not. 
 
[NYC DOE comment: The current agreement became effective starting on July 31, 2020 and terminates when all NYC DOE schools and/or offices cease using Circles Learning Labs, Inc’s products/services. The terms of the agreement remain effective through the period during which Circles Learning Labs, Inc possesses or otherwise is in control of covered protected information.]           
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. 
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All our data centers are based in the US in the amazon cloud; and as such benefit from all the encryption and security measures that AWS provides.  
 
6. How the data will be encrypted (described in such a manner as to protect data security): All information and data is stored in a safe and protected environment (encrypted at rest and in motion).
 

Claire Weisz Architects LLP (dba WXY)

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term

    Contract Start Date: 9/1/2021

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

    WXY will lead in development of a comprehensive review of the status of each recommendations presented in the D15 Diversity Plan. WXY will primarily use interviews and stakeholder meetings, combined with data analysis to report on how relevant stakeholders in the D15 community have approached implementation in the three years since the plan’s release.

    In the Spring of, 2021, WXY conducted an initial review of the status of the Plan’s implementation and synthesized the findings into a presentation Superintendent Anita Skop delivered to the CEC on April 29, 2021. WXY will expand on that initial presentation and will conduct interviews and analysis with the D15 leadership, the DOE offices responsible for implementing recommendations, and with the wider D15 community to compile a more thorough progress update. Additionally, WXY will conduct a wide range of data analysis in support of District 3 and District 13’s New York State Integration Project grants including the analysis of student level data.

    WXY will support D14’s District Equity Initiative. WXY will take responsibility for organizing and performing all work in a timely manner and ensure the various elements effectively build on one another. WXY will introduce the process to up to six identified stakeholders, collect reflections and input, and share out with D14 leadership. WXY will work closely with D14 leadership to establish a D14 Equity Working Group, comprised of stakeholders from across District 14, as deemed appropriate by the DOE. WXY will conduct data research on Equity Audit best practices and precedents. WXY will conduct data analysis in support of a district wide equity audit.

  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

    Established data management workflows will be employed when transferring, storing, and using the data. Clear roles within the Processor organization will be established at the outset of the project, distinguishing responsibilities for obtaining, analyzing, and deriving insights from the datasets. Furthermore, raw data will be formatted, analyzed, and presented using industry-standard conventions and best practices. Each of these responsibilities will be allocated based on the Processor’s policies governing confidentiality and prior experience interacting with sensitive information. Any identifiable information linked to the datasets that is unnecessary to perform the stated scope of work will be erased. Any derived products will be de-identified and presented at a resolution that is consistent with the Processor’s standards as well as the BOE’s requirements for internal use and for external publication. Clear communication channels between analysts, communications managers, project managers, and the public will be clearly identified to interface between the Processor and BOE. These functions address the Control-P and Communicate-P functions of the NSIST Privacy Framework.

    Access to the raw data will be limited to personnel identified to the BOE. Each personnel will receive an overview of this document, the sensitivity of the Protected Information, and the repercussions of violating local, state, and federal privacy laws before finally being introduced to the dataset. The Processor intends to limit the number of personnel interacting directly with the data to the bare minimum.

  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

College Board 

1. The exclusive purposes for which Protected Information will be used: Students who choose to take College Board’s standardized national AP exam provide PISI to College Board for the AP exam. College Board uses the PISI in connection with the provision of the AP exam to NYC students. Data is used exclusively in the registration, delivery of score reports to students and schools, and test security processes associated with each of the assessments. 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All College Board vendors are required to complete our Data Security questionnaire to identify the security controls that they have in place. After a risk assessment of each vendor is completed, any remediations are provided to the organizations. Furthermore, each vendor that stores PISI on behalf of College Board is required to agree to College Board Data Security Requirements and, in most cases as applicable, provide evidence of their compliance via a SOC 2 report.
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: At the end of the agreement, PISI collected from the students, or data that is connected to the student accounts, is retained by College Board on behalf of the students, for legitimate educational purposes including but not limited in order for students to continue to access their assessment scores and related data from assessments. This allows students to send scores to colleges and other programs, as well as use the information to support students direct contact with College Board. The data continues to be protected via College Board information security management system
[NYC DOE comment: The current agreement became effective starting on July 1, 2018 and terminates when all NYC DOE schools and/or offices cease using College Board’s products/services. The terms of the agreement remain effective through the period during which College Board possesses or otherwise is in control of covered protected information.]
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI collected through this agreement is stored within the United States. College Board does make use of cloud service providers but restricts this data to US-based regions.
College Board maintains a comprehensive, layered security program that is based upon the ISO 27001 framework. Wherever possible, it also uses the NIST Cyber Security Framework and the CIS benchmarks as guideposts for standards. The security program, which is evaluated annually by third party audits, consists of physical, network, system, data, and application security-related components. College Board maintains ISO 27001 and SOC 2 certifications, as well as PCI DSS compliance. It has a comprehensive set of policy controls, awareness training for all users who interact with PISI, and third-party risk management programs. In addition to its annual compliance audits, it engages multiple third parties to conduct assessments and penetration tests to continually evolve.
6. How the data will be encrypted (described in such a manner as to protect data security): All PISI data is encrypted at rest and in transit using industry standard or better practices. In transit, the College Board uses TLS 1.2 as its standard, and at rest data, it uses multiple industry standard formats such as AES-256 or better. In cases where data cannot reasonably be encrypted, a wavier and evaluation process exists, and additional mitigating controls are put in place to ensure the security of the data.

Community Software Solutions, Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term:
    Contract Start Date: 7/1/2022
    Contract End Date: 6/30/2023
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.
    CSS provides software to NYC DOE internship program. NYC DOE utilizes the software to manage the internship program. The PII that is processed by CSS and the DOE internship application is necessary for hours entry, payment processing, distribution, tax payments and reporting.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations.
    Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Microsoft Azure Cloud.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our management team works with out information technology and risk compliance team to implement administrative, technical and/or physical safeguards to ensure PII will be protected. These administrative, technical and/or physical safeguards include:
    • Implementation of policies and procedures that govern human resources, information technology, information security, incident management, and data management practices performed within the company.
    • Implementation of people, processes, and technology that support the implementation and operation of established policies, procedures, and practices established by management to protect customer data and PII.
    • Execution of contractual obligations with third-party vendors and sub-contractors to communicate their commitments for security, confidentiality, and privacy and bind them to these commitments.
    • Performance of periodic risk assessment and internal audit activities to evaluate the state of business operations and their alignment with the policies, procedures, and the protection of customer data and PII.
    • Performance of period risk assessment and internal audit activities to evaluate third-party contractor services and practices for security, confidentiality, and privacy.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Community Studies, Inc.

  1. Type of Entity: Community Based Organization or Not-for-Profit
  2. Contract / Agreement Term:
    Contract Start Date: July 1, 2021
    Contract End Date: June 30, 2023
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CSI provides school support to 34 DOE schools, including curriculum and resource creation, professional development, and classroom coaching for school staff. PII of individual students is received in the course of communication and discussion with teachers and school leaders about school and instructional improvement efforts.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All CSI employees and contractors receive training on ensuring the confidentiality of student PII that they may receive during their work. All email communication and documents shared between employees and DOE staff are managed via cloud services platforms, which use TLS encryption. Files uploaded or created in Google Docs are encrypted in transit and at rest with AES256 bit encryption
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Creative Connections, LLC

  1. Type of Entity: Community Based Organization or Not-for-Profit
  2. Contract / Agreement Term:
    Contract Start Date: July 1, 2022
    Contract End Date: June 30, 2024
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Creative Connections provides critical wrap around Community School services and student supports intended to serve the whole child. Services focus on the four pillars: Collaborative Leadership & Practice, Family & Community Engagement, Expanded Learning Time, and Wellness & Integrated Support. It is necessary for the Entity to receive or access PII to conduct the services in order to effectively communicate with all relevant stakeholders (in the mode most conducive to them), track/ document/ update improvement metrics, and drive tangible outcomes.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google and/or Microsoft cloud.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
    • Creative Connections and any subcontractors and/ or affiliates will (at all times during the Term) use encryption to protect personally identifiable information in its custody while at motion or at rest and implement appropriate safeguards to protect the Personal Information that are no less rigorous than accepted industry practices (such as ISO 27002, ITIL or COBIT or other industry standards of information security), and will ensure that all such safeguards, including how Personal Information is processed, comply with applicable data protection and privacy law and comply with the terms of the contract.
    • Creative Connections shall implement and maintain a written information security program, including appropriate policies and procedures that are reviewed for new risk assessments at least annually. Such obligation shall continue throughout the contract term.
    • At a minimum, Creative Connections’ information safeguards shall include: (a) secure business facilities, data centers, paper files, servers, back-up systems and computing equipment including, but not limited to, all mobile devices and other equipment with information storage capability; (b) network, device application, database and platform security; (c) secure transmission, storage and disposal; (d) authentication and access controls within media, applications, operating systems and equipment; (e) encryption of Personal Information; (f) encryption of Personal Information when transmitted over public or wireless networks; (g) access controls, including logging of all access and exfiltration, and retention of such access control logs for a period of no less than one (1) year; (h) conducting external and internal penetration testing and vulnerability scans and promptly implementing a corrective action plan to correct the issues that are reported as a result of the testing; and (i) limiting access of Personal Information, and providing privacy and information security training to staff.
    • Creative Connections and its employees will adopt the following measures:
    • Employees will not at any time during or after affiliation Creative Connections (CC) disclose CC Confidential Information to which they have or had access in any form (i.e., electronic media, paper, verbal etc.) to any unauthorized individuals.
    • Employees will not access any record(s) they are not authorized to, including but not limited to the student or family records of any program member or co-worker.
    • Employees will utilize and access only the minimum amount of information necessary for performance of their duties.
    • Employees will not access or request data on students for whom they have no professional relationship and/or legitimate CC related purpose. If a given employee has reason to believe that the confidentiality of his/ her user log-in has been compromised, he/ she will immediately ensure that the password is changed.
    • Employees will respect the confidentiality of any reports and handle, store and dispose of these reports when necessary.
    • Employees will not install or operate any non-licensed software on any CC computer.
    • Employees understand it is against CC policy to electronically communicate student information to others outside of the CC/ school network.
    • Employees are responsible for all e-mail messages generated from their e-mail accounts.
    • Employees understand that the use of e-mail is for business purposes, however limited personal use is acceptable.
    • Employees understand that the e-mail administrator may monitor CC e-mail if non-compliance with the electronic messaging policies is suspected.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Curriculum Associates, LLC (i-Ready)

  1. The exclusive purposes for which Protected Information will be used: Personally Identifiable Student Information (PISI) will be used to make online i-Ready product available to the NYC DOE.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Curriculum Associates does not use subcontractors. Individual contractors sign NDAs and/or Student Data Privacy Acknowledgments. 
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: PISI is deleted upon written request. [NYC DOE comment: The current agreement became effective starting on January 23, 2020 and terminates when all NYC DOE schools and/or offices cease using Curriculum Associates, LLC’s products/services. The terms of the agreement remain effective through the period during which Curriculum Associates, LLC possesses or otherwise is in control of covered protected information.]  
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipients. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.] 
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI is stored in the United States.
  6. How the data will be encrypted (described in such a manner as to protect data security): Application data is encrypted at rest with AES-256 algorithm and in transit is encrypted with TLS 1.2 algorithm.

D2L Ltd. 

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term

    Contract Start Date: 7/1/2021

    Contract End Date: 6/30/2024

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

    Provision of a Learning Management System and related services to NYC DOE.

  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII; and Make all PII available for retrieval by NYC DOE.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

    Data is hosted in secure facilities operated by Amazon Web Services. All data in transit is protected using TLS 1.2 protection. All data at rest is encrypted with AES256 at file object level.

  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

David Kestenbaum (dba Color Keys)

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.
    Software Education Learning Management System. Our LMS software enables teachers to manage the assignment of educational content to students. Students get instant feedback, leading to formative assessment and providing the ability to correct their mistakes. Teachers are able to view rich analytical data to drive instruction and provide personalized support. Teachers are provided tools in the platform that enable them to individualize the students’ classroom experience and work at their own guided pace. The LMS application is used to manage 2 student-facing products:
    • Thumbprint: The Thumbprint product provides modules for language learning, multiple choice, and other task types organized into assignments that are sent to students. Included in the product are thousands of premade tasks and assignments that teachers can leverage. Regarding PII –
      • Name: allows the teacher to know which student they are interacting with.
      • Email: used for password reset, account recovery, and other access related communications
      • Student ID: System ID used for integration between data and our application and school systems
    • ColorKeys: Our music software enables students to learn the pedagogy of music playing while having an interactive and personalized experience along the way. Students have their own accounts, saving their materials from week to week. Students watch animated videos, play interactive games, engage in multiple choice quizzes, and practice and play songs. The program allows each student to move along at their own pace. Students come out learning how to play and understanding the fundamentals of music theory. Regarding PII –
      • Name: allows the teacher to know which student they are interacting with.
      • Email: used for password reset, account recovery, and other access related communications
      • Student ID: System ID used for integration between data and our application and school systems
    Professional Development. Our Professional Development division provides general PD to teachers in an array of areas. We provide PD to teachers using our proprietary software (thumbprint) and train them as more updates are created. We also provide PD in teaching methodologies and strategies, including but not limited to Blended and Personalized Learning, stressing diversity, equity, and inclusion in all our offerings.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subtractor, i.e. AWS RDS.”
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The product features an authorization and role-based permissioning system that carefully limits a user’s access to PII. For example, a teacher may see PII for their students, but not students in the same school that they do not have a teaching relationship with. Within our working environment; All PII data is encrypted in motion and at rest, all credentials are encrypted and protected with 2FA where available, antivirus and logging are used to prevent and detect malicious activity and the network is secured by numerous policies and procedures to contain PII to the smallest portion of the network possible. All staff are vetted and trained to avoid accidental or malicious disclosure of PII and company policies and software are designed to prevent such disclosures as well.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

DeltaMath Solutions Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term

    Contract Start Date: 1/26/2022

    Contract End Date: 6/30/2025

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Access to and use of deltamath.com, an online platform for the teaching and learning of mathematics.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

    Data is housed on AWS servers in Ohio, USA and is protected both physically and via data encryption. Data is encrypted both in transit and at rest. Data is only accessed in the case of a legitimate educational purpose and, if so, from registered IP addresses. All employees with access to data undergo criminal background checks and are trained, both on hire and annually thereafter, in the requirements of federal, state, and local privacy laws.

  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Discovery Education, Inc. 

1. The exclusive purposes for which Protected Information will be used: To provide digital education services.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Pursuant to Recipient’s DPA, attached hereto as Attachment B.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon termination or expiration of the agreement, Recipient will promptly, but without undue delay, destroy student data upon BOE’s written request. Recipient may retain student data to the extent required by the laws, rules, and regulations to which Recipient is subject, or if student data resides in Recipient’s backup archives, Recipient will continue to protect the security and confidentiality of such retained student data in accordance with the agreement and the DPA. Recipient has implemented retention rules so that student data in backup archives is retained for as short a time as necessary.
 
[NYC DOE comment: The current agreement became effective starting on January 23, 2020 and terminates when all NYC DOE schools and/or offices cease using Discovery Education, Inc.’s products/services. The terms of the agreement remain effective through the period during which Discovery Education, Inc.  possesses or otherwise is in control of covered protected information.]           
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. 
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information will not be stored outside of the US. 
 
6. How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted at rest in the database.  We perform daily lookup as well as backups.  For data in transit, our subscription site is SSL embedded with AES-290

Don Johnston Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: TBD
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

    Snap & Read Universal is a Text Reader to read aloud materials as well as support students in comprehending materials. Required student data collected: Email OR user name and password for login purposes. Other personally identifiable data for student accounts is solely used for educational purposes by the student and the student’s educational institution.

    Co:Writer Universal is a Word Prediction, Speech to Text and Translation tool to support struggling writers. Required student data collected: Email OR user name and password for login purposes. Other personally identifiable data for student accounts is solely used for educational purposes by the student and the student’s educational institution.

    uPAR (Universal Protocol for Accommodations in Reading) is a data tool to help educators match students to reading accommodations. uPar does not require use of personally identifiable student information. Personally identifiable data for student accounts is solely used for educational purposes by the student and the student’s educational institution. The only data collected is that which is valuable for educational purposes.

    Word Bank Universal extracts words, places, people, facts and dates into a meaningful format. Required student data collected: Email OR user name and password for login purposes. Other personally identifiable data for student accounts is solely used for educational purposes by the student and the student’s educational institution.

    Quizbot is a teacher-only tool. Build quizzes automatically from any text with one click. Automatic scoring through Google Forms shows instantly what is being comprehended. No Student Accounts exist (and no data is collected).

    Readtopia is a special education curriculum designed for teachers who work with late elementary, middle, and high school students with autism and other complex needs. It serves as an integrated comprehensive reading curriculum across several domains of study including ELA, Math, Social Studies, Life Skills, and Science. Students do not login and no student data is collected.

  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII; and Other. Vendor stated “The district has access to student data at all times and is responsible to download data prior to expiration of the Agreement. After that, we will automatically destroy all data in 30 days and 65 days from all backups.”
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

    Administrative Safeguards: We do annual training for all staff and assign access based on roles, limiting the number of people who have access to the data.

    Physical and Technological Safeguards: All data is kept on AWS (Amazon Web Services) servers.

    AWS has the most stringent physical safeguards that has earned it ISO 27001 compliance, a Department of Defense Impact Level 4 Provisional Authorization, over 400 National Institute of Standards and Technology security controls, and a PCI DSS Level 1 certification among other security standards. All data is located in geographically discrete locations within the United States. Data at Rest - All data at rest is encrypted with AES-256 encryption algorithm. Data in Transit - All data being transmitted is protected with Secure Socket Layer and password hashing.

  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

DreamBox Learning, Inc.

  1. The exclusive purposes for which Protected Information will be used:
    To provide hosted services and adaptive math software to the district.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: DreamBox does not utilize subcontracts in its delivery of software or services; however, DreamBox will ensure that all authorized persons are aware of the confidential nature of the information being share and have been trained on data protect and security best practices.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Personally Identifiable Student Information (PISI) will be removed from the DreamBox system and returned to the district at the district’s request. [NYC DOE comment: The current agreement became effective starting on October 1, 2019 and terminates when all NYC DOE schools and/or offices cease using DreamBox Learning, Inc.’s products/services. The terms of the agreement remain effective through the period during which DreamBox Learning, Inc. possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.] 
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI will be store in the US. DreamBox is ISO27001 certified and meets industry best practices for data security including encrypted at rest and in transit.
  6. How the data will be encrypted (described in such a manner as to protect data security): At rest and in transit.

EBSCO Industries, Inc. DBA EBSCO Information Services

1. The exclusive purposes for which Protected Information will be used: EBSCO uses the Personal Information we collect for the limited purposes of processing your transactions, establishing and/or verifying a person’s or account holder’s identity, customer service, improving and customizing our Services and their content, authorization, content processing, content classification, and providing you with information concerning our Services.

2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: In situations where we share Personal Information with Service Providers, we ensure access is granted to the Service Providers only upon the condition that the Personal Information is kept confidential and is used only for carrying out the services these Service Providers are performing for EBSCO Information Services. As part of making that determination whether we will share Personal Information with Service Providers, we will obtain assurances that they will appropriately protect and maintain the confidentiality of Personal Information consistent with our Privacy Policy and as required by applicable law.

For additional information, please see EBSCO's Privacy Policy: https://www.ebsco.com/company/privacy-policy#prod_how-do-we-secure-info  

3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Contract duration - 4/1/2021 to 3/31/28

EBSCO will only retain information for as long as the account is active, or as needed to provide you Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Upon contract termination, data will be deleted or pseudonymized. If this is not possible (e.g., because the information has been stored in backup archives), then EBSCO will securely store the information and isolate it from any further processing until deletion is possible).

4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Contractor.

[NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov] 

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data will be stored within EBSCO's data centers located in the greater Boston, MA area. EBSCO maintains an extensive information security policy to protect data which focuses on web application security and includes firewall and router security, data classification and control, vulnerability identification, authentication, etc.  

EBSCO also keeps audit trails to maintain records of system activity both by system and application processes and by user activity, which, in conjunction with appropriate tools and procedures, acts as a technical control facilitating the detection of security violations, performance issues, etc.

6. How the data will be encrypted (described in such a manner as to protect data security): All sensitive data is securely encrypted in the database with restricted access. Data is also encrypted in transit with SS/TLS1.2 2048-bit encryption.

Edmentum, Inc.

1. The exclusive purposes for which Protected Information will be used: The protected information will be used in order to provision and provide access to students to Edmentum’s curriculum resources.  Additionally, the data will be used to automatically generate learning paths and assignments for students utilizing the assessment data from other third party systems. Finally, the data will be used to perform research studies to improve the levels of instruction and administer predictive tests.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Edmentum takes the following precautions:
• Background checks are always completed 
• A form is signed to ensure understanding and compliance of the adherence to federal and state laws governing confidentiality and privacy policies 
• Security training is required and taken annually
• Edmentum also ensures that sub-contractors have background checks. Additionally, all sub-contractors and their contracting firms are required to adhere to all Edmentum policies and procedures.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: This agreement starts on the date signified within this document for execution and ends when all agreements and products cease use in the NYC DOE. As requested, or directed by NYC’s DOE, Edmentum will return or destroy all data in a timely manner.
 
 [NYC DOE comment: The current agreement became effective starting on April 19, 2020 and terminates when all NYC DOE schools and/or offices cease using FMYI, Inc.’s products/services. The terms of the agreement remain effective through the period during which Edmentum possesses or otherwise is in control of covered protected information.]
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
 
 [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data  should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Edmentum only authorizes the use and access to the data on a need to know basis, ensuring that only the personnel needed to serve the DOE students have access to the data. Edmentum utilizes Tier 3 data centers with the highest levels of security, policy and controls to protect the data.  All customer data is always encrypted in transit and rest through industry accepted encryption methods.
 
6. How the data will be encrypted (described in such a manner as to protect data security): All customer data is always encrypted in transit and rest through industry accepted encryption methods include SSL, TLS and transparent data encryption

Educa

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Educa is a private online sharing platform where teachers document and share children’s learning. It supports heart-led documentation, via Learning Stories, that in one motion meets reporting requirements and provides learning visibility – in other words, images and videos – helping families and teachers work together. In order for Educa to carry out these communication-oriented goals, it is absolutely essential that PII be readily accessible for all teachers, students, and parents that exist in the platform.
  4. Type of PII that the Entity will receive/access: Student PII; APRP PII (Identifiable Teacher or Principal Annual Professional Performance Review Data); Other. The vendor specifies that “Ideally Educa would have access to PII for teachers, students, and their parents. For example, all users in Educa must have a unique email address, which they use to sign into the platform.”
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. [DOE comment: In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement

      In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.]

  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, specifically “inside an MS SQL RDS database, hosted on Amazon Web Services in US East.”
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data will reside inside an MS SQL RDS database, hosted on AWS in US East. All data to and from the database is encrypted in transit and at rest. Backups are also encrypted and hosted in AWS.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Education Analytics

  1. Type of Entity: Community Based Organization or Not-for-Profit
  2. Contract / Agreement Term:
    Contract Start Date: July 1, 2022
    Contract End Date: June 30, 2024
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To provide technical assistance and perform data analysis to measure student learning for Annual Professional Performance Reviews (“APPR”) as approved by New York Education Law §3012-d.
  4. Type of PII that the Entity will receive/access: Student PII and student-teacher linkage data.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Secure Data Transfer and Data Storage Protocols: All confidential data are transferred using EA’s secure file transfer solution. All client data in house is stored on EA’s file and backup servers, with access controlled via Active Directory. Our facility is locked 24 hours a day, 7 days a week, and entry requires authentication using a key fob with unique codes for each user. Within the secured office suite, the server room storing network devices and secure servers is locked 24 hours a day, 7 days a week, and entry requires authorization using a key fob with unique codes for each user.

    Authorized Data Access and Data Destruction Policy: EA ensures that access to the data is restricted solely to staff who need such access to carry out the responsibilities of the project based on their role, and that such staff will not release such data to any unauthorized party as agreed by signing of EA’s non-disclosure agreement. Access to all computer applications and data at EA are managed and authorized at every step using the Windows Active Directory user ID and high security password procedures. Key personnel working on client data have federal security clearance and have undergone human subjects training on handling data. EA requires all staff to sign confidentiality agreements prior to providing data access. Also, EA prioritizes the ongoing training of employees and authorized users about laws governing the usage of sensitive data including FERPA and other appropriate state laws. More details on this topic can be found below. EA agrees that data will remain the property of the client. To this effect, EA has a data destruction policy which ensures that the electronic data stored on the EA file and backup servers are destroyed within the contracted time frames.

    IT System Security: All internal servers deployed at Education Analytics shall be managed by an operational group that is responsible for system administration. Approved server configuration guides shall be established and maintained by this operational group, based on business needs.

    IT Network Security: EA’s computer network storing the data ensures appropriate and secure data access by utilizing firewalls, an intrusion detection and prevention system and up to date anti-virus solutions. EA allows remote access only to authorized users using a remote gateway secured using SSL.

    IT Risk Management and Contingency Planning: EA has a disaster recovery plan and a process for handling outages which will be utilized in cases a need arises. EA has redundant and uninterruptible power and internet infrastructure provisions in place. In case of data breaches, EA will notify its cyber security insurance provider about the breach and work with the provider to investigate the breach and inform the related parties.

    Compliance with FERPA and Data Security Laws: EA is in strict compliance with data security and privacy laws including but not limited to FERPA, and ensures that its staff are trained on the required laws and kept up to date to gain knowledge about how to store, access and treat data records with a high level of security.

    Security Audit process and Data breach policy: EA’s IT systems maintain incident, change management logs and allows for audits of the IT data security compliance. The security audit process will cover the following steps to identify, evaluate and analyze potential threats and fixes for evaluating the security requirements of EA’s IT system. In case of breaches to the student data or teacher or principal data, EA will activate its Incident Response Team. This team will investigate the breach and notify the educational agency owning the data as necessary in accordance with regulations. EA will promptly comply with any inquiries from the client based upon the client’s receipt of a complaint or other information indicating that improper or unauthorized disclosure of personally identifiable information may have occurred.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Eduware, Inc.

1. The exclusive purposes for which Protected Information will be used: To provide the requested services and to ensure proper functioning of sites. To provide requested customer support and communicate with user.

2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Eduware, Inc. does not use subcontractors, however in the event that Eduware, Inc. engages subcontractors, assignees, or other authorized agents to perform one or more of its obligations under the AGREEMENT (including any hosting service provider) it will require those to whom it discloses Protected Data to execute legally binding agreements acknowledging the obligation under Section   2-d of the New York State Education Law to comply with the same data security and privacy standards required of Eduware, Inc. under the AGREEMENT and applicable state and federal law.

3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon expiration of that agreement without a successor agreement in place, Contractor shall assist NYC DOE and any educational agencies that contracts with NYC DOE for the provisions of Contractor’s products or services in exporting any and all student data and/or teacher or principal data previously received by Contractor back to NYC DOE or the educational agency that generated the student data and/or principal data. Contractor shall thereafter securely delete or otherwise destroy any and all student data and/or teacher or principal data remaining in the possession of Contractor or its assignees or subcontractors (including all hard copies, archivist copies, electronic versions or electronic imaging of hard copies of such data) as well as any and all student data and/or teacher or principal data maintained on behalf of Contractor in secure data center facilities. Contractor shall ensure that no copy, summary, or extract of the student data and/or teacher or principal data or any related work papers are retained on any storage medium whatsoever by Contractor, its subcontractors or assignees or the aforementioned secure data center facilities. To the extent that Contractor and/or its subcontractors or assignees may continue to be in possession of any de-identified data (i.e., data that has had all direct and indirect identifiers removed) they agree not to attempt to re-identify de-identified data and not to transfer de-identified data to any party.

[NYC DOE additional information: The current agreement became effective starting on December 1, 2020 and remains effective until November 30, 2027.]

4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Contractor.

[NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov]

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Student data and/or teacher or principal data transferred to Contractor by NYC DOE or NYC DOE officers, employees, agents, or students will be stored in electronic format on systems maintained by Contractor in a secure data center facility, or a data facility maintained by a board of cooperative educational services, in the United States. In order to protect the privacy and security of student data and/or teacher or principal data stored in that manner, Contractor will take measures aligned with industry best practices and the NIST Cybersecurity Framework Version 1.1. Such measures include, but are not necessarily limited to disk encryption, file encryption, firewalls, and password protection.

More specifically, data is stored in Amazon Web Services (AWS) which are served from data center in Oregon, United States. Servers are secured physically by Amazon, and virtually by installed firewalls and a strict authorization system. Additional security information about AWS system is available online at: https://amazon.com/security/. All data storages are only available through password/key protected instances. User passwords are encrypted in the database, so even Contractor’s high level system administrators can’t view sensitive password information. All of Contractor’s network communication is now encrypted under HTTPS.

6. How the data will be encrypted (described in such a manner as to protect data security): Eduware, Inc. (or, if applicable, its subcontractors) will protect Protected Data in its custody from unauthorized disclosure while in motion or at rest, using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under Section 13402(H)(2) of P.L. 111-5. 

Everbridge, Inc.

  1. The exclusive purposes for which Protected Information will be used: Data/assets the client provides to the Everbridge platform are utilized solely by the client for their critical event management and communication purposes. Everbridge does not leverage/utilize client data beyond what is outlined in the Everbridge MSA
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Everbridge providers must align to Everbridge’s security requirements as otherwise, Everbridge is unable to obtain and maintain our security and compliance attestations. At no time is any third party granted access to the Everbridge platform or the client data therein. Everbridge is a SOC2, SOC3, FISMA, Safety Act, ISO 27001, EU-US Privacy Shield, G-Cloud 9, UK ICO, and BSI C5 certified organization and we have achieved FedRAMP “Authorized” status. Our security policies are governed by NIST 800-53 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Controls for Moderate Impact systems, and an overview of our security policies and attestations can be found here: https://www.everbridge.com/company/legal/. All policies and attestations are reviewed and updated annually.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Regarding records management and data retention, Everbridge’s controls align to our security framework (which is governed by NIST 800-53 controls, FedRAMP, and ISO 27001 compliance) and there are several facets to this:
    • Product system reporting data, available for all client campaigns, is available in the web based console and product suite for 18 months. At any time, clients may download and archive reports available in Everbridge in various formats (HTML, CSV, PDF) and store these internally within their organization;
    • Security Event Report data is available to authorized client administrators in the web based console and is accessible for up to the prior 6 months from when the report is generated by the administrator;
    • Data that clients store as contacts or assets within the Everbridge platform is not purged or managed by Everbridge, in any way, throughout the life of an active services agreement. However, when an organization’s contract expires, the organization’s account will be deactivated and listed for deletion. Thirty-days from the contract expiration date, the organization’s data will be flagged for purging and all of the organization’s data will be removed from the active system. Everbridge retains the organization’s data for one month in the event the organization wishes to extend its subscription;
    • For clients using our Safety Connection functionality, travel itineraries are stored for 12 months in the past and for 12 months into the future; Last Know Location is kept from the last report from the source and until it is overwritten by the source
    • Business records are kept by Everbridge for 7 years and/or as required by law

      [NYC DOE comment: The current agreement became effective starting on March 19, 2020 and terminates when all NYC DOE schools and/or offices cease using Everbridge, Inc.’s products/services. The terms of the agreement remain effective through the period during which Everbridge, Inc. possesses or otherwise is in control of covered protected information.]

  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Clients are wholly responsible for managing their data set in the Everbridge platform. Thus, any such rights to access, review, update, and correct their personal information will be handled by authorized client administrators. Should Everbridge receive such requests directly from client users, those requests will be re-directed to client administrators to fulfill [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Everbridge maintains four implementation regions around the world for our services: United States, United Kingdom, Germany, and Canada. Clients will choose their implementation region from those listed above and client data will then be stored and processed within the selected implementation region only. Typically, US based clients will be implemented in our US-based implementation of Everbridge (which consists of secure cloud hosting facilities in Northern CA and Northern VA. Regardless of data store chosen, Everbridge is a SOC2, SOC3, FISMA, Safety Act, ISO 27001, EUUS Privacy Shield, G-Cloud 9, UK ICO, and BSI C5 certified organization and we have achieved FedRAMP “Authorized” status. Our security policies are governed by NIST 800-53 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Controls for Moderate Impact systems, and an overview of our security policies and attestations can be found here: https://www.everbridge.com/company/legal/. All policies and attestations are reviewed and updated annually
  6. How the data will be encrypted (described in such a manner as to protect data security): Everbridge’s implemented encryption technologies align to FIPS 140-2, NIST 800-53 controls, FedRAMP, and ISO 27001 compliance. HTTPS TLS 1.2 and SFTP using SSH are used for secure communication with the platform. Client data is encrypted at rest using AES 256-Bit encryption (database is encrypted at the file level). Platform backups are secured using AES 256-Bit encryption. All encryption keys are managed internally by Everbridge using a digital key management solution.

EverFi, Inc.

  1. The exclusive purposes for which Protected Information will be used:  Personally Identifiable Student Information (PISI) will be used for registration and use of EverFi courses.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Everfi requires employees, subcontractors and authorized persons or entities that receive student data or teacher or principal data to sign agreements that include appropriate confidentiality obligations that covers such data.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: EverFi will return or destroy such data in accordance with the terms of this agreement. [NYC DOE comment: The current agreement became effective starting on March 5, 2020 and terminates when all NYC DOE schools and/or offices cease using EverFi, Inc.’s products/services. The terms of the agreement remain effective through the period during which EverFi, Inc. possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipients.[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.] 
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI will be sorted in the U.S. (within contiguous 48 states) in accordance with EverFi’s Data Security Policy. Please see EverFi’s “Data Security Policy” for more details.
  6. How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted at rest and in transit (AES-256 encryption algorithm). Database connections are vial SSL protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384.

Evolution Labs (EL) (Suite 360)

  1. The exclusive purposes for which Protected Information will be used: For the purposes of administering and assessing learning related to the subject material of the program.  
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Data is only shared with Evolution Labs employees with a demonstrated need for that information (i.e. developers, DBAs, Client Services etc).  Each EL employee receives annual training on protecting user data. Data is never shared outside of EL.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: NDA begins on August 27, 2020 and is sustained indefinitely until/unless either party terminates the agreement. Upon expiration of the agreement, archived data is kept for 12 calendar months upon which time it is destroyed. Accelerated deletion of data can occur upon request.
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.] 
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data is stored in the US and all databases are encrypted and protected with industry standard security.
  6. How the data will be encrypted (described in such a manner as to protect data security): Databases are encrypted at rest. All programs utilize industry standard encryption.

ExpandED Schools

  1. Type of Entity: Research Institution or Evaluator; Community Based Organization or Not-for-Profit
  2. Contract / Agreement Term:
    Contract Start Date: August 31, 2022
    Contract End Date: August 30, 2027
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. This agreement covers multiple projects, and thus the type of PII collected and for which purposes will vary. PII may include, but is not limited to:
    • names of students participating in relevant DOE initiatives, their parents and guardians;
    • student OSIS number;
    • student’s date of birth;
    • school affiliation, district, and grade;
    • school-day and afterschool attendance;
    • state test scores or other academic achievement information (e.g., report card grades)
    • Race, ethnicity, special education status, language spoken at home and English Language Learner status.
    If collected, all information will remain confidential solely between relevant parties (DOE, ExpandED Schools, and any subcontractors where applicable, who are subject to the same rules and regulations governing ExpandED Schools’ access to these data). If collected, processing PII will allow ExpandED to identify youth who would benefit most from the supports we are offering, as well as to track whether students improve outcomes as a result of participation in our supports.
  4. Type of PII that the Entity will receive/access: We are not aware of which types of data will be required at this time, but it is likely that we will be collecting student and/or educator PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; (i.e. if data are transferred via a cloud-based tool, ExpandED Schools will use a secure Sharepoint link to transfer and store data, ensuring that only those who require access are granted access); and using an entity-owned and/or internally-hosted solution.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ExpandED Schools commits to implementing all state, federal, and local data security and privacy contract requirements over the life of the agreement, consistent with NYC DOE’s data security and privacy policy, as well as the requirements of NYC DOE’s Parents’ Bill of Rights for Data Privacy and Security. The following outlines the data security protocols and measures and in place to ensure compliance with all requirements.

    ExpandED Schools has numerous administrative, operational and technical safeguards and practices in place to protect any Protected Information that we may potentially receive under the contract. This includes, but is not limited to:

    Administratively:
    • ExpandED staff and its subcontractors are required to hold Confidential Information in strict confidence. ExpandED staff and subcontractors will only disclose Confidential Information to other staff who need to know the information in order to carry out tasks and only to the extent justifiable by that need.
    • ExpandED will only use Confidential Information collected for projects that fall under the agreement for specific project purposes. ExpandED and its subcontractors will not use Confidential Information for its own benefit or for the benefit of another, or for any use other than specified in the agreement. ExpandED will never sell, license or distribute any Confidential Information collected as part of this agreement.

    Operationally and technically:
    • ExpandED will store all Confidential Information on ExpandED’s server located in the United States. Confidential Information may never be stored on personal technology devices or laptops at any time. ExpandED will not incorporate any Confidential Information into any database or any medium other than required for this agreement.
    • If necessary to share information via a cloud-based server, ExpandED will use secure Microsoft SharePoint Drive folders to share information, which offers security in compliance with state, federal, and local standards and ensures only authorized individuals can access data.
    • ExpandED will ensure end-to-end encryption when data is in motion and at rest to preserve safety of data at all times.
    • If not necessary to share data via a cloud-based server, ExpandED utilizes a Virtual Private Network (VPN) which is secure and password-protected.
    All research team members and the President & CEO of ExpandED will be trained and certified through the Collaborative Institutional Training Initiative (CITI) program Research Ethics and Compliance Training which includes federal laws, research in schools, and other topics that ensure the ethical use of data and protected information. Research team members will also receive training on state-specific laws provided by the Director of Research as part of their orientation to work on projects that fall under this agreement. Third-party subcontractors will be required to offer these same training opportunities to their staff members, and this will be included as part of our written agreement.

    Any third-party subcontractors will be subject to all rules and regulations governing ExpandED’s access to this data, and ExpandED will hold subcontractors accountable to following all protocols. This will be specified in writing as part of any written agreements between ExpandED and subcontractors as part of this agreement.

    Data security breaches or privacy incidents will be managed by the senior executives of the organization who will contact the NYC DOE via phone and email as soon as we learn of any breach. Staff are required to notify senior executives of ExpandED of any suspected data security breach or privacy incidents. The senior executives will act promptly to stop the breach, assess how it occurred, and make changes to ensure the breach will not be repeated, and notify the NYC DOE of its actions, findings and next steps.

    All confidential information will be returned or destroyed upon termination of services.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Family Life Time Solutions, Inc.

  1. Type of Entity: Community Based Organization or Not-for-Profit
  2. Contract / Agreement Term

    Contract Start Date: 11/1/2021

    Contract End Date: 9/1/2022

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

    The #SameHere Teacher and Student Apps allow teachers and students to share their feelings in a secure app setting. The app acts as an emotional thermometer. It is not diagnostic, and it does not make recommendations. It strictly allows student to tell teachers how they are feeling, and to track those feeling trends over time.

  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

    Log systems are in place so as to identify unauthorized access of the databases. Vulnerability assessments are done periodically to identify any threats or risks. OWASP Top 10 is being followed as much as possible. Also WAF are implemented to avoid DDOS attacks.

  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

FOCALPOINTK12, INC.

1. The exclusive purposes for which Protected Information will be used: The software provides online learning for middle and high school students in a classroom setting. The student names and their grades will be available to teachers and advisors.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: The company have strict data protection and privacy policies in place and adheres to it. The company has built stricter security policies as part of the contracts working with several State DOE agencies.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: All the data will be removed and purged from the system.
 
[NYC DOE comment: The current agreement became effective starting on June 6, 2020 and terminates when all NYC DOE schools and/or offices cease using FOCALPOINTK12, INC.’s products/services. The terms of the agreement remain effective through the period during which FOCALPOINTK12, INC. possesses or otherwise is in control of covered protected information.]           
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All the data is securely stored in the US East region in a Microsoft Azure Elastic Cloud Environment. The data is encrypted both in transit and at rest. Azure Cloud provides multi-layered, built-in security controls and unique threat intelligence to identify and protect against rapidly evolving threats.
 
6. How the data will be encrypted (described in such a manner as to protect data security): All the communication between the users and web applications are secured with SSL layer. All communications between the web application and the database happen on a encrypted channel. The data storage inside the database is encrypted

Gradecam, LLC

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Summative and formative student assessment. We require the following data elements for our product: Student first name, Student last name, Student ID, Class name, Class ID – OPTIONAL, Class period – OPTIONAL, Grade level – OPTIONAL, Term, Student grade, Teacher/Administrator first name, Teacher/Administrator last name, Teacher/Administrator email address, Teacher/Administrator ID – OPTIONAL. The information above is required to assign a grade to a particular student in a class taught by a teacher.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third-party entities.
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using an entity-owned and/or internally hosted solution.
  9. Describe the administrative, technical, and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Gradecam servers are hosted within SOC2-compliant data centers and require multiple factors of authentication to gain access to the data center and server cage. Individuals who are authorized to enter the data centers are very limited and is restricted to those responsible for operating the infrastructure. Gradecam also utilizes firewalls and RBAC based controls to limit the ability to connect to systems housing PII data. All data is encrypted both in transit and at rest using industry standard algorithms. Access to the database systems requires, in addition to a valid username and password, a valid certificate from an internal certificate authority (CA) which is strictly controlled.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, the Entity agrees that PII will be encrypted using industry-standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Great Minds PBC

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Great Minds PBC seek to ensure that all students in America’s public schools, regardless of their circumstances, receive a content-rich education in the full range of the liberal arts and sciences, including English, mathematics, history, the arts, science, and foreign languages. Great Minds does this by working with teachers, scholars, and schools to create curricula and instructional materials, conduct research, and promote policies that support a comprehensive and high-quality education.

    Great Minds Digital Platform may be used by schools, school districts, or teachers in a classroom setting use as part of their selected educational curriculum.Within the Great Minds Digital Platform, teachers have access to curriculum materials, within-application reports and visualizations to help them assess student learning and to assist in planning. Administrative reports and data extracts are also available to district and school admin users. Students may access complete assessments and other activities their teacher has assigned to them.

    Great Minds digital products are hosted by Great Minds in the Amazon Web Services (AWS) cloud, in US-based data centers. Students and teachers access our products through the web browser. Ours is a multi-tenant solution. We ensure isolation of data through secure coding practices, industry-standard claims-based authorization techniques, and routine penetration tests. We support multiple integration options to authenticate and authorize users of our digital products.

  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. [DOE comment: In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement

      In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.]

  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.”
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data, including customer PII, is encrypted at rest and in transit using industry-standard encryption. Data is stored in AWS (Amazon Web Services) data centers, which have stringent physical security standards in place. More information on the physical security controls in place can be found here: https://aws.amazon.com/compliance/data-center/controls/. We have multiple administrative safeguards in place to protect access to PII. Access to sensitive information is restricted to those with valid business justification for doing so and only on a temporary basis. We also have automated systems in place that scan our infrastructure and our logs for any anomalies that could indicate a security event, as well as looking for potential vulnerabilities. Potential vulnerabilities or security incidents are alerted to our DevOps team via multiple channels and action is taken as appropriate.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Groundswell Community Mural Project, Inc

  1. Type of Entity: Community Based Organization or Not-for-Profit
  2. Contract / Agreement Term:
    Contract Start Date: 5/15/2021
    Contract End Date: 5/14/2026
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Appropriate data is only collected and utilized for the expressed purpose of educational needs in providing the most effective programming to the constituents receiving programming services through Groundswell. Only basic statistical data will be collected and utilized internally by those individuals who are permitted and whose job duties require the data to evaluate overall program performance and development.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Groundswell Community Mural Project, Inc., together with its IT Service Provider shall investigate and remediate possible network security threats by means of capture, logging, and examination of files, communications, and other traffic and transmissions over or on the network including all student communications and component network activities relevant to the incident or breach.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Grouptrail

  1. The exclusive purposes for which Protected Information will be used: NYC DOE Bridge for All Program.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:  There is no sharing of the student data by Grouptrail for NYC DOE Bridge for All. If there was, we will have the subcontractor sign an amendment to our agreement that includes these data protection and security requirements required by this non-disclosure agreement with the NYC DOE.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:  Upon termination of our relationship with the NYC DOE related to this agreement, the protected information is deleted. Decommissioned media utilizes techniques detailed in NIST 800-88. [NYC DOE comment: The current agreement became effective starting on June 26, 2020 and terminates when all NYC DOE schools and/or offices cease using FMYI, Inc.’s products/services. The terms of the agreement remain effective through the period during which FMYI, Inc. possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information is stored in the US. 
  6. How the data will be encrypted (described in such a manner as to protect data security):  SSL for data in transit, network firewall, and encryption at rest.