Vendors A-H

21st CentEd

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 2/1/2022 - 2/1/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. 21stCentEd’s online educational services collects contextual or transactional data as part of its operations, often referred to as “metadata.” Metadata refer to information that provides meaning and context to other data being collected; for example, information about how long a particular student took to perform an online task has more meaning if the user knows the date and time when the student completed the activity, how many attempts the student made, and how long the student’s mouse hovered over an item (potentially indicating indecision). This metadata is not linked to FERPA-protected information.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The 21stCentEd Data Security Plan (DSP) details procedures implemented at the administrative level to protect private information such as training personnel on information handling best practices. The DSP also outlines the physical protections implemented for protecting private information such as ensuring paper records and servers are secured and access-controlled. Lastly, the DSP includes 21stCentEd’s technology-based instruments and procedures used to protect private information such as requiring Common Access Cards for System Access and encrypting computers and emails.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

22^nd Century Technologies

Type of Entity: Commercial Enterprise

Contract / Agreement Term Start Date: 7/1/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Providing staffing services to NYCDOE Borough/Citywide Offices/Central Office as needed. 22^nd Century employees may access PII through the performance of specific duties.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. 22^nd Century is an ISO 27001 certified vendor. It uses Microsoft Azure as its IT cloud hosting provider. Microsoft Azure is ISO/IEC 27001 certified and therefore 22^nd Century inherits all the physical security controls from Microsoft Azure. In addition, 22^nd Century provides its staff IT Security Awareness and Threat Management training once upon onboarding and annually thereafter. 22^nd Century has deployed Intrusion Prevention and Intrusion Detection controls for safeguarding its IT systems. Systems are audited internally on an annual basis and are compliant with the NYC DOE IT Security standard established. The SMTS system used to manage the contract implements role-based security ensuring that access to information will be granted on a need-to-know basis. The system employees industry standard data security controls such as data encryption both at rest and transit; media protection and sanitization; incident management; account management and password policies; secure coding practices as per OWASP and SANS guidelines. 22^nd Century has deployed data loss prevention system to limit and prevent accidental leakage of information.

22^nd Century will conduct onboarding training for all employees and temporary employees ensuring the confidentiality requirements and duties and obligations regarding safeguarding confidential information is understood. Routine training will be conducted.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

3P Learning (for Mathseeds and Reading Eggs)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 11/8/2023 – 11/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Mathseeds and Reading Eggs programs provided and owned by 3P Learning, allows students to conduct online math and literacy related activities while teachers can view the results of those activities in their respective portals. PII information is required in the form of student first and last names, so that the teacher can uniquely identify the students within the system. Only the teachers/admin users with access to specific classes can see results for their students. We do allow for pseudonyms to be used instead if this is the preference of the customer.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “At end of contract data will remain in our systems for a 60-day period of time (Per request of the DOE, this time can be adjusted) in case the customer wishes to re-activate and continue to utilize the product. All data will be destroyed after the 60 day period. If the customer wishes to have their data removed prior to this 60-day period, they can email privacy@3plearning.com as an authorized representative from the school or district, at which point all relevant information will be provided to the customer in a CSV format and then the data will be destroyed and deleted.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data Center is ISO27001 certified. Least Privilege, RBAC, MFA etc. The customers PII is safeguarded by 3P Learnings data protection policies. These include but are not limited to:

• Classifications of the data
• Privacy impact assessments (PIA's)
• Regular privacy training to all employees
• Firewalls/ instruction prevention systems
• ISO 270001 certified hosting systems
• Established data protection practices
• Encryptions for data in transit and at rest
• Regular Pen testing and vulnerability scanning/Audits. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

95 Percent Group

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The One95 platform supplements and extends the print offerings of 95 Percent Group with digital content and assessment capabilities focused on language learning and literacy. PII is necessary to make student accounts, provide assessments, track student progress, and develop programs for specific students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., MongoDB Atlas database service hosted in the Microsoft Azure public cloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Administrative Safeguards: We have established a robust data privacy policy and a team responsible for its enforcement. Our personnel are regularly trained in data protection practices and the importance of safeguarding PII. Access to sensitive data is restricted to authorized individuals with a need-to-know basis, and we maintain a strict access control policy.
• Technical Safeguards: Our data is stored in, encrypted databases with access controls based on role and permissions. We employ advanced intrusion detection and prevention systems to monitor for unauthorized access and potential threats. Regular software patching and updates are performed to mitigate vulnerabilities. We also employ strong encryption protocols to protect data in transit.
• Risk Mitigation: We conduct regular risk assessments and vulnerability scans to identify potential threats and vulnerabilities. Any identified risks are promptly addressed through remediation plans. In the event of a data breach, we have an incident response plan in place to minimize the impact and notify affected parties as required by law.
• Third-Party Assessments: We annually engage third-party security experts to conduct independent assessments of our security practices and protocols. These assessments help ensure the effectiveness of our safeguards and identify areas for improvement.
• Continuous Improvement: Our commitment to data privacy and security is ongoing. We continuously monitor and adapt to evolving threats and regulatory requirements, updating  our safeguards and practices as needed to maintain the highest level of protection for PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Abbott House

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Community Schools Resource program of Abbott House provides both PS294 and PS311 with Mental Health services, community engagement initiatives, and family support. We provide in-school individual and group counseling to students with mental health challenges. We not only help students in school but help families bridge the educational gap with attendance initiatives, connecting them to resources in our community, applying for public assistance and advocating for the needs of their family. We use PII to contact families to receive our services and connect them to the school community. Additionally, PII is used to inform our decision making when targeting vulnerable populations that may need our assistance such as students with low attendance rates or students in temporary housing.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., ASARA Fulton Street Software.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Entity has a data privacy and security policy in place that implements principles, processes and solutions that facilitate secure business operations related to data privacy and security. The policy is reviewed frequently to manage the new challenges and requirements of the funding sources. This policy identifies the categories of attack surfaces (cyber-attack vulnerabilities), path by which cyber-attacks are enacted and the processes or technologies used to prevent these attacks and protect Abbott House information assets. The following areas are managed by advance technologies, constant monitoring and various physical/technical and administrative controls to ensure protection against data breaches and cyber attacks.

• Network Security/High Availability
• Web Content Filtering/IPS
• Anti-Virus/Anti-Malware
• Anti-Spam/Phishing
• Access Control
• Data Encryption
• Email Security/Encryption
• Patch Management
• Data Backups/Testing
• Mobile Device Management
• Secure Wi-Fi
• Print/Fax Security
• System Disposal
• 3^rd Party Security Audits
• BC/DR Plan
• Cyber Security Awareness Training
• Cyber Liability Insurance

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Abrahams Consulting

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Abrahams Consulting Consultants will provide the DOE with staffing augmentation, managed services, hardware and software support, installation, and other support services for various DOE programs, particularly MWBE specific projects and programs. Our services encompass a wide array of roles, including but not limited to: IT Engineer, DevOps, Software Architects/Lead Developers, UI/UX Designers, Data Analysts, Project Managers, Cloud Engineers, Cloud Architects. These services are tailored to support various programs within the DOE, including MWBE-specific projects and programs.

We will not hosting or storing personally identifiable information (PII) data. Based on the requirements of the positions for which our staff are required, PII may be accessed and necessary to troubleshoot issues, provide adequate support, and develop initiatives as requested by the DOE.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: We will not be hosting or storing data.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Administrative measures involve assigning responsibilities to key personnel, conducting regular testing, and overseeing compliance. Technical safeguards include firewall protection, malware detection, encryption of emails and stored data, and secure user authentication protocols. Physical controls encompass restricted access, secure storage of records, disposal procedures, and monitoring of systems for unauthorized use. AC also outlines internal and external risk mitigation strategies, ongoing risk assessments, incident management protocols, and compliance monitoring procedures, emphasizing employee training and reporting obligations to ensure the security and confidentiality of PII and mitigate potential data privacy and security risks effectively.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Academics in Motion

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 9/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We will compare student data before our programing and during our program to see the students improvements pertaining to academic progress and attendance results, only. We will provide Academic Support, SEL and Life Skills workshops, wellness activities and college and career resources.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. AIM PII data is reported to and stored in AIM database which uses usernames and passwords to prevent unauthorized access and to restrict user access within the application. Each unique user account is assigned access to programs and permission sets to restrict access to data and features in the system. Data is stored using redundant Amazon Web Services hardware technologies and SSG fault tolerant software and journaling file systems. All data is automatically encrypted while in transit and in storage. User-based permissions and audit trails further enable secure access to data within the system. To prevent breaches the AIM database conducts continuous vulnerability scanning, integrated security code scanning, and penetration testing. In the event systems are affected by a breach, it is their policy to notify without undue delay, and in no case greater than 48 hours, from the confirmation of a data breach.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Acadience Learning Inc. (ALI)

Type of Entity: Research Institution or Evaluator

Contract / Agreement Term: Nondisclosure agreement was signed on 6/25/2021

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The purpose for which ALI will receive/access PII is to provide online assessment and data management services for Acadience assessments and for psychometric and research services which may be called upon by NYC DOE.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Acadience Learning Online (ALO) system follows industry-standard best practices to ensure that all system data, including data containing PII, is secure and protected at all times. Technical security protections include, but are not limited to: encryption of data in transit and at rest, use of US based servers, proactive monitoring of network access, and regular security testing and review of results. ALI takes a proactive stance on mitigating data privacy and security risks by utilizing strong security procedures and protocols.

Additionally, ALI upholds rigorous internal policies to ensure that employees with access to data containing PII follow strict procedures related to the handling and management of sensitive information. Employees with access to sensitive information must first complete required training before gaining ALO system access, and system access is limited to employees who need access to the information to complete job duties.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Accelerate Learning (for STEMscopes, Math Nation)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PII is utilized solely for application operations and curriculum interaction by students and teachers.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subtractor, i.e. Amazon Web Services.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Accelerate Learning (ALI) implements cybersecurity practices and requirements based upon CIS’s well-established Controls and Benchmarks that are compliant with the federal standards in the Federal Information Security Management Act (FISMA) in NIST Special Publication 800-53 Revision 5, published September 2020. We implement authentication, authorization and accounting (AAA) based on these controls following a least privileged model. Additionally, ALI utilizes leading industry tools to monitor, restrict, and secure information resources and sensitive data. The fundamentals of our security operations include:

• Passwords and Employee Access. Accelerate Learning Inc secures all usernames, passwords, and any other means of gaining access to the Services or to Student Data, at a level suggested by the applicable standards, as set forth in Article 4.3 of NIST 800-63-3. ALI only provides access to Student Data to employees or contractors that are performing the Services. Employees with access to Student Data shall have signed confidentiality agreements regarding said Student Data. All employees with access to Student Records shall be subject to criminal background checks in compliance with state and local ordinances.
• Destruction of Data. Accelerate Learning Inc destroys or deletes all Student Data obtained under the Service Agreement when it is no longer needed for the purpose for which it was obtained.
• Security Protocols. Accelerate Learning Inc utilizes security protocols that meet industry standards in the transfer or transmission of any data, including ensuring that data may only be viewed or accessed by parties legally allowed to do so.
• Employee Training. Accelerate Learning Inc conducts periodic security training to those of its employees who operate or have access to the system.
• Security Technology. When the service is accessed using a supported web browser, Accelerate Learning Inc employs industry standard measures to protect data from unauthorized access. The security measures include firewalls, deep packet inspection, application stream analysis, restrictive load balancing, network segmentation, network ACLs, data transit encryption utilizing TLS 1.2 with 2048-bit certificates, data at rest encryption utilizing 256-bit AES encryption, log aggregation and analysis, vulnerability management and remediation process, application authentication, server authentication and administrative authentication following least privileged access.
• Periodic Risk Assessment. Accelerate Learning Inc conducts regular digital and physical risk assessments and remediates any identified security and privacy vulnerabilities in a timely manner.

We adhere to the following standards, laws, and certifications:

• NIST Cybersecurity Framework v.1.1
• NIST SP 800-53 Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (CSF), SP 800-171
• ISO 27000 Series
• Center for Internet Security (CIS) Critical Security Controls (top 20)
• Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)
• Children's Online Privacy Protection Act (COPPA)
• Protection of Pupil Rights Amendment (PPRA) 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Access411 (also called Morrison Consulting Inc)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2019 – 6/30/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CAASS is a school safety solution that issues ID cards for students to access schools, classrooms, gyms, auditoriums, etc. based on their registered school and classes. For example, if a student attempts to enter the cafeteria when they don’t have lunch during that period, the ScanStation attendants are alerted to prevent the student from entering the cafeteria. CAASS users have the option to add/import student suspension data, so ScanStation attendants are notified when a suspended student attempts to enter the building during their suspension. CAASS also sends guardian notifications on student arrival time and departure times if guardians choose to register through our mobile app, CAASS Notify. School users can also track student attendance based on entry/exit times and run reports to identify school and student attendance trends (chronically absent or tardy). Additionally, CAASS also has Event Scanning functionality for schools to manage students who can attend certain events and post-event reports based on when each student arrived and departed. Schools can also issue staff ID cards as well and use ScanStations to track when staff members arrive/depart.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Zerto Virtual Replication to Azure via a VPN tunnel for backup solutions (State side only).

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Morrison Consulting Inc. implements administrative, technical, and physical safeguards to ensure all PII is protected 24 hours per day, 7 days per week.

Technical safeguards are implemented for 24/7 security, including but not limited to:

• Software Vetting Process
• Patch Management
• Cybersecurity and System Monitoring
• Penetration and Vulnerability Tests
• Firewalls, Data Encryptions, Password Protections
• Disaster Recovery Solutions and Backup Protections
• Incident Response Procedures
• Change Control Procedures and Protections

Administrative and physical safeguards are also implemented, including but not limited to:

• Employee Vetting and Clean Desk Policies
• Physical Building Security and Protections
• Continuity of Business Plans
• Acceptable Use Policies

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Achieve3000, Inc.

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2022 – 8/31/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Achieve 3000, Inc. offers multiple products that will collect Personally Identifiable Information (PII) including: Actively Learn, Actively Learn Unlimited, Achieve3000 Literacy, Achieve3000 Literacy with Boost, SmartyAnts, Achieve3000 Math, eScience3000, and NWEA MAP Informed Learning Path.

Achieve3000, Inc. will use personally identifiable information (“PII”) to provide the educational product or service subscribed to by a DOE institution or to process transactions such as information requests or purchases in order to meet our contractual obligations to the DOE institution that has subscribed to our products and services . We will also process DOE PII to meet our legitimate interests, for example to personalize your experience and to deliver relevant content to DOE; to maintain and improve our services to the DOE; to generate and analyze statistics about DOE use of the services; and to detect, prevent, or (if permitted by law) to respond to fraud, intellectual property infringement, violations of law, violations of our rights or our terms of use for Achieve3000, Inc. online products and services, or other misuse of the services. Except as described in this notice, we limit the use, collection, and disclosure of DOE PII to deliver the service or information requested by DOE.

• Actively Learn- Actively Learn gives teachers access to thousands of texts and videos for ELA, social studies, and science with scaffolds and data to inform instruction
• Actively Learn Unlimited - Actively Learn Unlimited gives teachers access to thousands of texts and videos for ELA, social studies, and science with scaffolds and data to inform instruction, plus an additional 6,500 copyright books from publishers including Penguin Random House, HarperCollins, Simon and Schuster, and HMH.
• Achieve3000 Literacy - Achieve3000 Literacy is a digital learning solution that accelerates literacy growth for all students through differentiated content and instruction. A wide body of research, including a gold standard study with a rating of Strong from Evidence for ESSA, has shown Achieve3000 Literacy can double and even triple expected learning gains
• Achieve3000 Literacy with Boost- For targeted and intensive intervention, Achieve3000 Literacy with Boost for Intervention accelerates the literacy gains of students who need additional supports and services. Achieve3000 Literacy’s suite of classroom-tested scaffolds for students and supports for teachers, combined with Achieve3000’s patented methodology and world-class technology, deliver a successful RtI implementation with results that you and your students can see after a few as four lessons. Plus, with Achieve3000 Literacy’s focus on nonfiction science and social studies content, as well as academic vocabulary, intervention students do not miss out on essential grade-level, standards-aligned instruction while engaged in Tier II, Tier III, or Special Education instruction during targeted instruction in the general classroom or intensive intervention in a specialized classroom.
• SmartyAnts - Smarty Ants is an effective, research-driven solution that differentiates instruction in foundational reading skills and accelerates student achievement – all in an engaging, interactive, online learning environment. The program continuously evaluates each student’s exact skill level, learning temperament, and learning pace. Based on this information, the adaptive content system automatically delivers the right level of skill instruction and practice to keep learners in the zone of proximal development. No two students will approach the content or process in the same manner, but they all will reach the same critical milestones for primary-grade literacy success and emerge as confident, capable readers ready for the challenges of second grade and beyond.
• Achieve3000 Math - Achieve3000 Math offers a powerful experience to support math fluency and skills mastery across grades, standards, and topics. The solution includes individualized practice and intervention for math standards mastery for elementary, middle, and high school learners.
• eScience3000 - Core science program for grades 6-8
• NWEA MAP Informed Learning Path - Achieve3000 offers access to the Northwest Evaluation Association (NWEA™) -MAP Informed Learning Paths. MAP Informed Learning Paths use MAP assessment data and Achieve3000 data so that Achieve3000 user can create a personalized and differentiated learning path for each student. Teachers can easily see each student’s results by RIT ranges and assign lessons to address skill strengths and weaknesses. Instructional recommendations for each skill and concept further help teachers to differentiate instruction.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon Web Services; and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Achieve3000, Inc. utilizes the most up-to-date security systems and 24/7 monitoring. Achieve3000, Inc. also has very strict internal processes to safeguard customers’ data, and all applications are built in compliance with federal regulations including FERPA. System penetration testing, vulnerability management and intrusion prevention is managed in conjunction with our third-party infrastructure provider. The application logs security-relevant events, including information around the user, the date/time of the event, type of event, success or failure of the event, and the seriousness of the event violation. User authentication communication and storage is protected by 256-bit advanced encryption standard security. Achieve3000, Inc. employs Role-Based Access Control (RBAC) and Principle of Least Privilege (PoLP) when provisioning access to its infrastructure and technology. All access follows approval flows, logged, and audited. The Achieve3000, Inc. Cybersecurity and Privacy Teams maintain a 24x7 security incident process and a confidential Incident Response Plan, along with standard operating procedures for handling security incidents and notifications. The infrastructure which hosts Achieve3000, Inc.’s digital products reside in AWS, which is physically located in Amazon’s datacenters, which are all SOC 2 compliant.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

The Achievement Network

The exclusive purposes for which Protected Information will be used: The information collected is first used to enable access to ANet’s online platform, myANet, which provides resources and reports for District and Schools leaders. These data also allow ANet coaches and school leaders to understand student performance on interim assessments administered. These learnings then enable ANet to provide the appropriate guidance and best practices to boost student learning. Additionally, we also occasionally use anonymized, aggregated student response data to inform our own internal analyses of the efficacy of our services and tools.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: ANet and our partners are considered to be a “School Official” under FERPA. Access to data reports that include more granular student data can only be accessed through our secure data reporting platform. Any individual or non-aggregated student data is available only to that student's school leaders and teachers, not to other educators in the network.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: ANet typically retains all data collected. In the event that a partnership with ANet is concluded, user access to the myANet platform will be terminated on a mutually agreed upon date. This ensures that the data collected for that partner is no longer available to other schools within the district that utilize the platform. [NYC DOE comment: The current agreement became effective starting on December 20, 2019 and terminates when all NYC DOE schools and/or offices cease using The Achievement Network’s products/services. The terms of the agreement remain effective through the period during which The Achievement Network possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Our data and servers are part of AWS and are housed in US-based AWS data centers. https://aws.amazon.com/compliance/data-center/controls/. At our offices we do not have any servers.

How the data will be encrypted (described in such a manner as to protect data security): Applications communicate with RDS databases within a secure Virtual Private Cloud (VPC) via Transport Layer

• Security version (TLS) 1.0 and 1.2.
• AWS RDS encryption at rest with KMS uses FIPS 140-2 validated hardware security modules (HSMs) to generate
• AES-GCM 256-bit keys.

Activate Learning (also called SASC LLC)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We are providing licenses for the digital edition of our k-12 science programs. Our middle school and high school interactive science curricula require student first name, last name, email address and student ID. For teachers we require first name, last name, email address and teacher ID. The purpose of this information is for account creation and integration with applicable learning management systems.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not sure PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All communications between the user and the system are performed via SSL. All information stored either at rest or in transit is encrypted . Additionally, all Activate Learning personnel with access to PII have passed a background check. Activate Learning employs a robust backup and security strategy which includes daily backups and industry-compliant WORM (Write-Once-ReadMany) archival storage. Additionally, all backups are encrypted and locked.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Actively Learn Inc

Adobe

The exclusive purposes for which Protected Information will be used: The NYCBOE uses Adobe products and services for its students in the K-12 school environment. Protected information (as defined in the Additional Terms) will be provided to Adobe and used by Adobe for the purposes of providing such student services to the NYCBOE and its students under the agreement between Adobe an NYCBOE. [NYC comment: Adobe refers to the New York City Department of Education as NYCBOE throughout the agreement.]

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: In the event that Adobe engages subcontractors or other authorized representatives to perform one or more of its obligations under the agreement, it will require those to whom it discloses protected information to be subject to contractual data protection terms at least as restrictive as those set forth in the agreement, and those subcontractors or other authorized representatives shall have a legitimate need to access protected information in connection with their responsibilities in providing services to Adobe.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The initial term of the agreement with the NYCBOE will be thirty-six (36) months from the effective date. Upon expiration of the additional terms without renewal, or upon termination of the additional terms prior to expiration or termination of a student account, Adobe will adhere to the student data retention and deletion protocols agreed to with the NYCBOE and set forth in Seton 5.4 of the Additional Terms of the Agreement. [NYCDOE comment: the Agreement was signed and put into effect on February 28, 2022.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to Section 6.3 of the Additional Terms, Adobe will work with the NYCBOE to process requests for copies of, and challenges to the accuracy of, protected information in the custody or control of Adobe. Such requests should be directed to the NYCBOE at studentprivacy@schools.nyc.gov.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Any protected information Adobe receives will be stored on systems in a secure data center facility. Adobe processes and stores information in the U.S. and other regions, which made include Europe and Japan. Adobe Cloud Services meet the specific requirements of data protection, including, but not limited to, Article 28 of the General Data Protection Regulation and which are listed as SOC2, Type 2 (Security and Availability) and ISO 27001 compliant and others as indicated at http://www.adobe.com/go/cloudcompliance. Additional information on Adobe’s various security controls and processes for its products and services are located in Exhibit C (Technical Organizational Measures) to the Additional Terms of the Agreement.

How the data will be encrypted (described in such a manner as to protect data security): Adobe uses technologies, safeguards and practices, including, but not limited to, encryption, firewalls, password protection, and/or equivalent that are consistent with its industry standards. Adobe Cloud Services meet the specific requirements of data protection, including, but not limited to, Article 28 of the General Data Protection Regulation and which are listed as SOC2, Type 2 (Security and Availability) and ISO 27001 compliant and others as indicated at http://www.adobe.com/go/cloudcompliance. Additional information on Adobe’s various security controls and processes for its products and services are located in Exhibit C (Technical Organizational Measures) to the Additional Terms of the Agreement.

Advanced Assessment Systems (also called LinkIt!)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices. “Typically, agreements are 1 year in duration, beginning on July 1 and ending on June 30 the of the following year.”

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. LinkIt! will receive PII data related to student assessment records, including student names, IDs, and demographic information. Additional student records, such as attendance, behavior and programmatic associations may also be sent to LinkIt! All such data shall be used and maintained as a service to school and district stakeholders authorized to access the same and exclusively for the purposes of analyzing the data for instructional improvement, professional development and resource allocation purposes, as well as other such purposes as the district may deem necessary and appropriate.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. “LinkIt! leverages industry-leading provider AWS (Amazon Web Services) for data hosting and posts regular and frequent security updates. Access to data is limited to those individuals that require such access in the reasonable performance of their job function and all staff receive annual training in the area of privacy and security.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The safeguards in place to protect PII data are too numerous to fully detail here, but data and files are stored securely on the industry-leading Amazon (AWS) hosting platform. Data is also encrypted on our platform, both in transit and at rest. The LinkIt! data and security model follows best practices and consists principally of the following:

• Physical Security: Web servers, data servers and network data storage are on servers maintained by AWS. We perform full daily backups and hourly incremental backups which are stored offsite in the event of a disaster. The data center is located in a secure area with restricted onsite access.
• Data Security: LinkIt! utilizes industry-leading Microsoft SQL database that enables encryption in transit and at rest. Electronic access to database servers is restricted through dedicated web servers on a local network. This provides an effective barrier against attempts to directly compromise database integrity.
• Web Security: Our web layer consists of a passcode encrypted web service with enforced business logic. The business logic restricts user activity based upon permission level such that data access is limited to role within the LEA organization.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

After-School All Stars

Type of Entity: Community Based Organization

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. After-School All Stars of New York will provide community school support services (including community school implementation; family and community engagement work; organizing support for school sites; expanding learning, enrichment, and youth programming) through which the entity will have access to PII. Access to student PII is required to develop programming, contact parents, and allocate necessary support to students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Access to student records are limited to only those employees performing services for DOE.
• Physical data is securely stored and never leaves the site.
• All employees undergo training, including understanding their responsibilities and obligations under FERPA and New York Education Law 2-d.
• ASAS employees are also required to sign confidentiality agreements protecting your child’s privacy and disclosure of student records.
• ASAS also maintains an incident response plan and team to handle any potential security breaches involving ASAS Services and records in its possession.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Age of Learning (for My Math Academy and My Reading Academy)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We collect and use PII for the purpose of providing our services My Math Academy and My Reading Academy, both of which are adaptive digital learning programs for students. We do not use PII for any other purpose. Student information is provided in order to track the students progress within the products and to provide reporting to the teacher, school, and district.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The vendor has policies and procedures in place to ensure safeguarding practices are in place. This includes the protection of data from corruption, theft, or unauthorized access.

• Data Access – Age of Learning practices the principle of least privilege. Access is provided based on role and granted when necessary to fulfill the requirements set out by the contract.
• Account Protection - Single Sign-On (SSO) and a strong password is required.
• Encryption – All data is encrypted in transit and at rest.
• Monitoring – Age of Learning products are continuously monitored for vulnerabilities by employees and through state-of-the-art third-party monitoring tools.
• File Transfer Protocol – All file transfers are secure over SSL/TLS cryptographic protocol.
• Web Application Firewall (WAF) – Inspects and filters traffic between Age of Learning products and the internet.
• Software Security – Product development is based on OWASP, SANS, NIST, CSF, CIS, SCF frameworks.
• Audits – Annual SOC 2 audit and third-party penetration testing are performed for additional security awareness.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Agile Mind

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Agile Mind provides comprehensive math and science programs for middle and high schools via a web-based application that allows teachers to plan and deliver educational material to classes of students. To that end, we store PII to maintain login accounts and a class roster of students and teachers. The class roster is provided by NYC and is used to associated students with the expected classes and teachers in order to review the provided material and assess student progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All employees are required to complete PII training yearly. Administrative tool logins are limited to only necessary personnel, and those logins have varying levels of access to keep scope of available data as small as possible. Not only does the admin tool require login, but it is behind a VPN requiring yet another, different set of credentials to gain access. All login credentials are modified accordingly when people change roles and disabled during the off-boarding process when leaving the company.

Data is protected using encryption, both in motion and at rest. All data is served via HTTPS, the industry standard for transmitting data over the internet. All data is stored in a database using data at rest encryption. The data itself is segregated into multiple, separate schemas so there is a clear and distinct boundary between data belonging to different partners. Databases and servers are housed in a modern, secure colocation   data center with physical security; inclusion on a named access list for visitors is required for access to the server cages.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Air Tutors

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Air Tutors is an online tutoring program that uses engaging expert tutors to provide students with live face-to-face tutoring in a one-on-one or small group format. Students are grouped together by shared school, class, teacher, and subject area of need. We support students in all grade levels from K-12 (ages 5 through 17) in Mathematics and English Language Arts. Personal Identifiable Information is used to create separate student and parent user accounts, track student progress in the academic subject of focus, monitor student attendance, connect students to the appropriate tutor based on individual needs, and notify students and parents of their tutoring sessions.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Heroku.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• All tutors and internal staff undergo training to ensure an understanding of the importance of safeguarding, and proper use of, parental and student personal information
• Tutors only have access to the information for students they are paired with
• Phone numbers are optional and no tutor will receive unmasked phone numbers
• All parent information is optional and can be removed by the parent or upon request
• Student school email address is used
• Once a tutor is no longer working with a student, their access to that student’s information is removed
• At the conclusion of the partnership with a NYCDOE school or office, all personal information is removed from Air Tutors’ system
• Monthly security scans ensure the safety of personal information
• An incident response plan that adheres to NYCDOE standards is in place should any breach occur
• Tutors undergo annual security training ensuring proper care and protection of data
• The Air Tutors Application is protected by a web application firewall
• All traffic to and from the Air Tutors platform is encrypted 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Alchemer, LLC

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Alchemer offers a survey tool as a hosted service to its customers. Alchemer does not have direct access to our clients data/information. Only if it’s shared by the end user at NYC DOE. Alchemer is a survey/data collection tool. Questions & responses recorded are for NYC DOE only. Alchemer does not collect data on behalf of their clients. Alchemer just provides the platform for data collection. If any PII is collected, it’s not shared or seen by Alchemer. Just the DOE.

Type of PII that the Entity will receive/access: Other: If PII is collected, it’s done by NYC DOE, and the NYC DOE would determine which types of data it collects. The Alchemer service is designed to function without the need for customers to provide PII and if the service is used in this way, no Student PII or APPR PII would be processed by Alchemer. If NYC DOE decides to collect that sort of information then it would. This would depend on the survey responses provided. Alchemer does not have direct access to any PII information. This is solely for NYC DOE and their respondents.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Alchemer has SOC 2 Type II and ISO certificates. We also run regular penetration tests and these results can be found within the user’s platform. Given data privacy laws, Alchemer does not have direct access to the DOE’s account. Only licensed users, who cannot share licenses, as this is a violation of our Terms & Conditions, have access to any student information..

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Alegra Learning (for Joy School English)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/1/2023 - 7/31/2030

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Alegra Learning, Inc. is the creator of Joy School English. Joy School English is a software program for elementary aged students (PreK-5) that focuses on oral language production, early literacy and social and emotional learning (SEL). Joy School English is accessible on iPads, tablets, mobile devices, Chromebooks and computers. Upon starting the program, students follow an individualized scope and sequence that takes them through the research-based curriculum. The curriculum is aligned to the NY State PreK and Kindergarten learning standards. Joy School English uses voice recognition technology where kids use their own voice to explore and advance to encourage speaking and oral language production. Joy School English also provides resources for teachers including data and progress monitoring, an interactive teacher menu to use in small/whole group instruction and teacher lesson plans. Joy School English is accessible from home so students can continue their learning pathway from home and the program serves as a great resource for parents. Student PII is used to create a unique student account for each student so that they can receive individualized instruction.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is hosted via Amazon Web Services (AWS), which is a robust and secure service to host data (https://aws.amazon.com/compliance/data-privacy/). In addition to all of Amazon’s protocols, all data in our portal is password protected and only accessible with those authorized to do so. We use Role-Based Access Control (RBAC): RBAC assigns specific access permissions based on the roles or responsibilities of users within an organization. Users are granted access only to the resources and data necessary to perform their job functions.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

All In Learning, Inc  

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2020 – 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Product: ALL In Learning is a cloud-based formative assessment platform providing in-the-moment and summative assessment data collection utilizing a variety of collection modes (clickers, student devices, bubble sheet scanning, and even teacher-graded rubrics). Our reporting supports improving the teaching and learning process in the classroom as well as provides student performance insight at every level (classroom, campus, and district).

Purpose for using PII: ALL In Learning will utilize some PII for Teachers and Students for the purpose of rostering for administering and reporting on formative assessments.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor. The vendor specifies that “We store our data in AWS/Aurora databases. The data is encrypted in transit and at rest. These databases are not shared resources with their other clients, nor is the data shared with AWS. It is not a cloud database.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ALL In Learning application data is stored in an Amazon Web Services virtualized environment. Data is always transmitted encrypted and stored encrypted. We have data access restriction policies in place within the ALL In Learning development and support organizations.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

American Institutes of Research (AIR)

Type of Entity: Research Institution or Evaluator

Contract / Agreement Term: 1/1/2024 – 12/31/2028.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. AIR will provide program evaluation and related services for the New York City Department of Education (NYCDOE). We collaborate with districts to develop a shared understanding of program goals and desired outcomes, and this shared understanding then informs all phases of instrument development, data collection, analysis, and reporting. The conditions under which PII may be required include the following:

• When it is necessary to link information about study participants across data sources.
• When it is necessary to contact study participants, including participation in data collections such as interviews, focus groups, or observations.

Type of PII that the Entity will receive/access: Student PII. “Evaluations may obtain administrative information about staff, such as teacher attendance or licensure information.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII subject to protection under BOE “Parent’s Bill of Rights for Data Privacy and Security” will be stored and processed in a secure Data Enclave designed to meet government and industry security safeguards. The Data Enclave is an enterprise-class system maintained in a FedRAMP-certified cloud datacenter that provides researchers access to a secure environment to process, store and analyze data. The Data Enclave was designed to protect the confidentiality and integrity of sensitive data and PII. The security controls in place are based on industry standards and best practices, including numerous NIST standards, such as NIST SP 800-171 (Protecting Controlled Unclassified Information).

Administrative and Technical Safeguards

• Access Control - Logical access controls are deployed as part of a defense-in-depth architecture. These controls follow the principles of least privilege and separation of duties. This is coupled with mature account management procedures and strong authentication mechanisms to strictly control access to sensitive data.
• Security Awareness and Training - All users are required to attend information security awareness training, and system administrators receive specialized security awareness training. This training is refreshed on an annual basis. This is augmented by an email phishing assessment program on a continuous basis.
• System Auditing and Monitoring - All security logs are forwarded to a Security Information and Event Management (SIEM) system that is actively monitored by 24x7 SOC that is operated by a team of dedicated security professionals. Data from the security logs are indexed and correlated to monitor system integrity and facilitate incident response searches and event analysis and to support after-the-fact investigations.
• Security Assessment and Authorization - Internal audits are performed annually on the Data Enclave to ensure compliance with NIST SP 800-171. In addition, the Data Enclave has undergone an external, independent assessment by a federal agency.
• Identification and Authentication - Strong password and authentication policies are required and enforce settings such as multi-factor authentication, minimum password length, password complexity, password expiration, uniqueness, minimum age, failed login attempts, and account lock outs.
• Data Governance - The Data Enclave is designed for the full data lifecycle, including intake (acquisition) to closeout (disposition) that can include data destruction, if required. Data groups are inventoried, classified, and catalogued using a data governance system to ensure there is proper governance over the lifecycle of the data. Data destruction is performed in accordance with NIST SP 800-88 using cryptographic erasure, ensuring proper disposition, and making the data irrecoverable.
• Security Planning - Project-level information security plans define the boundaries and security category of the NYC DOE PII. These plans provide a description of the appropriate security measures commensurate with the sensitivity of the data (e.g., administrative controls, authentication, access controls, use of encryption, and sanitization and retention).
• System and Communications Protection - The Data Enclave employs next-generation firewalls with advanced intrusion prevention and boundary protections. Data flows are controlled through a deny all by default approach, allowing only approved connections to specific resources. Encryption is applied to protect data at rest and in transit using industry standards that are compliant with Federal requirements.
• System and Information Integrity - Flaw remediation procedures identify standards and processes to identify and remediate system flaws and vulnerabilities. These procedures define roles and responsibilities regarding flaw remediation in response to vulnerability scans, web application testing, and vendor notifications. The Data Enclave is protected by malware mitigation at the perimeter and in the Data Enclave.
• Supply Chain Risk - Risks associated with weaknesses in the software supply chain are measured and continuously monitored in accordance with supply chain risk management policy and procedures. These are based on industry and government frameworks. The software inventory is maintained and monitored to assess and reduce risk related to weaknesses in the vendor supply chain.

Physical Safeguards

• Physical Security and Environmental Protection - The Data Enclave is physically located at a hardened, cloud provider datacenter under FedRAMP authorization. Access control to these facilities employs combinations of physical and biometric controls with video surveillance. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Amplify Education, Inc. 

Aperture Education

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2021 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Aperture will use PII to administer student social and emotional assessments to be completed by students, teachers and (optionally) parents. PII will also be used in reporting (e.g., to disaggregate data by subgroup).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Aperture Education considers security of PII to be of utmost importance. As such, we follow a rigorous security policy which includes, but is not limited to, third party penetration and security testing, annual security training of all of our employees, completion of background checks on our employees, encryption of confidential information in transit and at rest, and limiting user access to confidential information based on role. Please see our security policy for more information.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Applied Curiosity Research, LLC

Type of Entity: Research Institution or Evaluator

Contract / Agreement Term: 2/1/2022 – 1/31/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We are conducting a mixed-methods, implementation evaluation of a pilot program with students from two NYC schools. The pilot program occurs for five weeks over the summer and consists of a blend of classroom instruction from DOE teachers and community-based organizations as well as work-based learning. The focus of the pilot program is promoting computer science skills and knowledge while exposing students to careers in related fields. Research participants include participating students, teachers, and select agency stakeholders. The goals of the evaluation are to collect evidence of student outcomes, understand barriers and affordances to program implementation, assess the extent to which activities are completed as intended, identify best practices, and inform effective scaling of the program.

Methods include student pre/post surveys administered in class, student focus groups, teacher in-depth interviews, and in-depth interviews with key stakeholders.

The only PII we will collect is student and teacher names during the consent process. Consent is critical to ensure participants understand their rights as a research participant, including that the research is voluntary and how their information will be handled. Consent is also a mandatory requirement for NYC DOE IRB.

Type of PII that the Entity will receive/access: Student PII. We may collect student, parent, or teacher names on consent forms. We may also collect student names for the purpose of focus group attendance lists. We will not, however collect student names that are attached to any academic or demographic data.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. The Entity selected “Other: We will remove all PII from any documents or digital files (consent form, survey responses, audio files, notes, transcripts) and replace this with an ID number assigned by the study team. The document linking IDs to PII will be stored in a password protected folder on an encrypted external drive, in a locked cabinet, accessible only by the principal investigator.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We will remove all PII from any documents or digital files (consent form, survey responses, audio files, notes, transcripts) and replace this with an ID number assigned by the study team. The document linking IDs to PII will be stored in a password protected folder on an encrypted external drive, in a locked cabinet, accessible only by the principal investigator.

Any PII will be kept secure and only used for study purposes, except as otherwise required by law. The study team will not disclose participant’s names or any personally identifiable information in any report or presentation.

De-identified consent forms, audio files, notes, survey data, and transcripts will be stored on a password-protected, encrypted cloud storage system accessible only by the project team.

After three years, we will delete and overwrite copies of all data and also wipe all blank space on the external hard drive to ensure there are no elements of the files retained on the drive.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Apptegy

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The PII we receive or access in connection with our services is either provided by a school (referred to as a “Client”) in order to create or manage users under a Client’s account or is provided by such users in the course of using our services. Thrillshare is a content management system that enables Clients to: update or share information via their website or social media; communicate with parents, students, or other stakeholders through a messaging feature that can send voice calls, text messages, push notifications, or emails (referred to as “Alerts”); or communicate directly with stakeholders via an online chat feature (referred to as “Rooms”). PII shared for these purposes may include: personal information shared by a Client in order to create accounts for administrators, teachers or other personnel; contact information shared for the purpose of sending Alerts; or any PII that a user may include in any messages sent via the Alerts or Rooms features. Apptegy only uses such information for the purpose of providing the services. For more information regarding the purposes for which Apptegy receives or accesses PII, please see the Apptegy Privacy Policy (“Privacy Policy”) (available at: https://www.apptegy.com/privacy-policy/).

Type of PII that the Entity will receive/access: Student PII. “How Clients use Apptegy’s services may change over time. In such case, the PII that Apptegy will receive/access in order to perform its services may change or be supplemented. This is at our Clients’ discretion. If a parent of a student or other individual wishes to review a list of PII accessed pursuant to the services, the parent or individual should contact the applicable Client to confirm. For a more generalized description of potential PII received/accessed, please also see our answer to Question 4 above and our Privacy Policy.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and

written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. As indicated, Apptegy uses Amazon Web Services (“AWS”) to host and operate our services, and to host and process Clients’ data. AWS supports more security standards and compliance certifications than any other hosting provider, including ISO, SOC2, NIST, GDPR, PCI-DSS, and others. Comprehensive information about AWS security practices and certifications is available at https://aws.amazon.com/security/ and https://aws.amazon.com/compliance/. In addition to other means of ensuring privacy and security (including encryption, vulnerability monitoring and remediation, and Role-Based Access Control (RBAC) principles), Apptegy monitors and manages system access by AWS security groups and internal access controls. We review our AWS security group rules at least annually and update them as appropriate. Apptegy uses single sign-on (SSO) and HTTPS protocol where available and technologically feasible. Apptegy uses a virtual private network (VPN) for remote access to AWS and the parts of our services that contain Client data where available and technologically feasible. Apptegy has implemented multi-factor authentication for our production environment. Clients can choose to require multi-factor

authentication for end users. For more information on how we mitigate data privacy and security risks, please see our Privacy Policy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Arete Education

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Areté Education, Inc. is an organization that provides a range of educational services to students, educators, and schools. Such programming includes, but is not limited to: afterschool enrichment services, which includes educational and recreational activities, tutoring, professional development, educational consulting and family help services. Our programming requires PII in the form of program enrollment, attendance tracking and record maintenance for possible review and report generation.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Cityspan Technologies Inc., Jotform and Google Drive.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Arete has several administrative, operational and technical safeguards and practices in place to protect the Protected Information that we receive under the contract. This includes, but is not limited to:

• Arete limits access to authorized personnel who have a legitimate need for such access.
• Physical Protected Information is stored in locked filing cabinets with limited access.
• Digital Protected Information is stored on password-protected laptops and/or password-protected encrypted data storage websites with limited access.
• Any personnel handling Protected Information signs a confidentiality agreement and agrees to abide by the Employee Handbook, which contains additional confidentiality provisions.
• Arete leadership provides in person training on handling of Protected Information to authorized personnel.

All confidential information will be returned or destroyed upon termination of services unless required to comply with grants.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology."

ArtSmart

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ArtSmart provides tuition-free music mentorship by paid, professional artists to students in under-resourced communities across the US. Since 2018, ArtSmart has operated as a designated out-of-school time partner of the NYC Department of Education to provide these services at NYC Public Schools.

Through weekly sessions offered during the school day, ArtSmart students receive a level of music education and personal mentorship that would otherwise be inaccessible to them. We offer private voice and piano lessons through our One-On-One Mentorship Program as well as a group Vocal Theater Program. Our programs offer students barrier-free opportunities for skills training and personal growth through music education, with the goal of providing a pathway to academic, economic, and emotional stability.

ArtSmart uses student PII to track student enrollment in our programs, schedule classes/lessons and ensure that programs are optimized for student experience and outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google (GSuite), Airtable (Airtable), Resonance Network Company (ResonanceHQ).

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ArtSmart only allows data to be stored on NYC DOE approved, cloud-based platforms (GSuite, Airtable and Resonance). ArtSmart staff and contractors are expressly prohibited from storing any Protected Information on company or personal devices. All staff and contractor accounts have 2FA enforced, as well as specific password requirements to prevent the use of common/predictable passwords.

ArtSmart limits access to Protected Information to the minimum number of individuals necessary to process the information.

All individuals who have access to Protected Information receive training on IT security best practices and ArtSmart policies concerning data storage, transmission, and use.

Data that ArtSmart will collect and store is listed below. ArtSmart will collect this data through digital AirTable and/or Resonance forms.

• Student First Name
• Student Last Name
• Student Email Address
• Student Grade Level
• Student School
• Primary Language
• Student Age
• Student Survey Responses (non PII only) *Cannot be used for Marketing Purposes/SOPPA Prohibited*.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Asase Yaa Cultural Arts Foundation

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 1/2/2023 – 1/3/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Asase Yaa Cultural Arts Foundation will use Personally Identifiable Information (PII) for evaluations and for program development for student workshops so it can be appropriate for grade and age levels. Workshops are offered in all of the disciplines offered to students including Drumming (Djembe, Conga, Drum Line); Dance (African, Ballet, Jazz, Hip Hop, Modern); Theater (Original Productions); and Visual Arts. Workshops can be scheduled when it best fits parents which includes am sessions and pm sessions. Sessions typically are 45 minutes to 90 minutes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third parties.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We would only keep the information in a password protected drive that is accessible to program directors only and which will be discarded at the end of each school year. Additionally, all devices used to access the PII have virus scanners, as well as firewalls to ensure that the information is not compromised.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

ASPIRA of New York

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ASPIRA will manage and operate community schools contracts with the goal of fostering ongoing collaboration and common vision with the partner schools to provide students and their families with coordinated programming that targets their individual academic, social, emotional, and developmental needs. PII will be utilized to register program participants, communicate their academic and social progress with parents and allow for student choice when program planning through the utilization of participant satisfaction surveys.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ASPIRA will limit access to a minimal number of authorized personnel who have a legitimate need for such data access. Confidentiality agreements will be required for any personnel with access. ASPIRA will encrypt data in transit and storage, set access controls, and implement regular and encrypted backups. Data is entered into a password protected cloud based database. Policies for reporting security incidents to parents/guardians are in place. All security incidents will be communicated to parents/guardians and students.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Assessment Technologies Institute (also called National Healthcare Association)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Processor’s Services include the provision of learning content hosted on Processor’s platform and Certification examinations. End users create an account (or the school does so on behalf of each end user) that includes contact information and all data related to the interaction of the end user with the content is recorded by the platform and can be accessed by instructors and end users. Such data is PII. Additionally, certifications data (such as exam date, responses to exam questions, exam scores, pass/fail) is also PII in that it is linked a specific individual.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is encrypted at rest and in transit. Processor utilizes many controls and protections that includes but is not limited to: Network and Border Security, Endpoint Security, Email Security, Threat and Vulnerability Management, Access Management. ll critical and high risk vendors, is any, are reviewed annually as part of Processors Vendor Management Program. In addition, Processor completes an annual SOC 2 Type 2 assessment, which can be provided upon execution of a nondisclosure agreement.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

ASSISTments Foundation

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 8/1/2023 – 6/30/2028. This agreement covers work with Amistad Dual Language School, Mott Hall III, and New Venture School, however the start and end dates are consistent across the three schools.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ASSISTments will be used to support teachers with implementation of their High Quality Instructional Materials by allowing them to assign problems online. Students get immediate feedback on their answers and teachers get immediate data that they can use to modify instruction. In addition, ASSISTments will provide data on teacher and student usage of the platform to school administrators and coaches to help them better tailor supports that meet the needs of all teachers and student. Receiving student PII is necessary in order to carry out the work as described above. The student PII that is collected and stored within ASSISTments’ infrastructure is limited to name, email and student work on problem sets.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ASSISTments utilizes the following safeguards to mitigate data privacy and security risks while ensuring that PII will be protected:

• Administrative Safeguards: Established and follows comprehensive policies and procedures that outline best practices for data privacy and security including, but not limited to, background checks on TAF staff, personnel security and training, and the implementation of access control measures which limits who has access to data.
• Operational Safeguards: Comprehensive physical security measures, incident response and management procedures, and change management procedures.
• Technical Safeguards: Data encryption, network security controls (firewalls, intrusion detection, secure network configurations), secure development practices (SDLC, CI/CD), Single Sign On Authentication, regular auditing and vulnerability management.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Attainment Company

The exclusive purposes for which Protected Information will be used: Products provided include AAC applications & devices for student communication needs; student & teacher instructional applications/software for special education.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Attainment provides industry standard data protection and security; annually authorized staff are trained on the appropriate requirements of FERPA, COPPA & SOPPA. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Protected information is returned to the district & after 30 days purged from Attainment systems. 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All data is stored in the US with AWS certified protected industry standard practices.

How the data will be encrypted (described in such a manner as to protect data security): The transmission is controlled using TLS (Transport Layer Security) encryption for the browser to database connection. The data is encrypted between the client computer and Attainment’s servers. The Hub uses HTTPS (Hypertext Transfer Protocol Secure) over a secure SSL.

Avaap

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Avaap is a management and IT consulting firm and has been contracted to create Student Pathways dashboards that contain student-level data. These dashboards are created on DOE servers for the benefit DOE, and Avaap will not receive or store copies of the dashboards nor the underlying data.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. “Avaap will access DOE mainly through DOE’s internal environment. Any PII and confidential data received under this agreement through communications with DOE will be destroyed or returned upon termination of this service agreement, when no longer required to provide the agreed upon services, and/or upon written request by the DOE.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Office 365.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Annual Security Awareness Training: All employees are required to complete security awareness training during onboarding and annually. This training includes simulated phishing exercises to ensure employees can recognize and avoid common cyber threats.
• Endpoint Security and Anti-Malware Software: All company laptops are equipped with endpoint security and anti-malware software. Employees are prohibited from disabling or replacing these tools. This ensures continuous protection against malicious software and unauthorized access.
• Data Encryption and Remote Wipe Capabilities: Avaap laptops are equipped with full disk encryption to protect data at rest. Additionally, the company can remotely wipe laptops if they are lost or stolen to prevent unauthorized access to sensitive information.
• Secure Wi-Fi and Network Practices: Employees are required to connect to secure Wi-Fi networks and use strong passwords for network access. Public Wi-Fi networks are to be avoided, and the use of VPNs is encouraged to ensure secure communications.
• Password Policy: Passwords must be strong, consisting of at least eight characters and including a combination of upper and lower case letters, numbers, and special characters. Passwords should be changed regularly, and two-factor authentication is used for enhanced security on Avaap systems.
• Brief Access Controls Overview:
  • Access to systems and data within the organization is managed through Role-Based Access Controls. Permissions are granted based on employees' specific job roles and responsibilities, ensuring they only have access to the resources necessary for their tasks. This approach enforces the principle of least privilege across all systems.
  • Multi-Factor Authentication (MFA) is required for all employees, regardless of their role, adding an additional layer of security for accessing company resources.
  • Administrative access is limited to a select group of authorized personnel, determined by both their specific responsibilities and the sensitivity of the system. This ensures that only those who need administrative rights for their duties have them, reducing the risk of unauthorized changes or data exposure.
• Brief Incident Response Plan Overview:
  • Scope: Avaap’s Incident Response Plan focuses on identifying and mitigating cybersecurity threats to protect critical assets. This comprehensive plan outlines procedures for incident classification, escalation, communication, and continuous improvement.
  • Incident Response Process: The process includes detection, analysis, containment, eradication, recovery, and post-incident review. Continuous monitoring and regular training are emphasized to maintain readiness. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Avant Assessment

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 1/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Student PII is needed to register individual test takers who will sit for the AVANT language tests using the AVANT online testing system and to match the test takers’ results/scores with individual students so that the DOE can update students’ academic records with results accordingly. Avant test scores are used to award students credit towards graduation and advanced academic credentials.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Avant assessment utilizes many techniques to ensure that PII is protected. First of all, our application requires secure connections with encryption, and all data collected is also encrypted at rest. If information needs to be transmitted outside of our application, we work with the appropriate people to make sure we authenticate requests, send only the data needed, and assure that data is sent encrypted using a secure transmission method. We utilize a trusted hosting company and have our cloud archetype reviewed to make sure that we are following best practices. Along with our treatment of data, we enforce strong passwords for all persons who need access to an organization’s data and implement two-factor authentication. We also do code review and use software analysis to make sure we use best practices when handling data inside our application. Lastly, we do continuous training for all of our staff to recognize security threats and report any issues or practices that they observe.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Avaya

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Avaya is providing contact center services to multiple business units at DOE. Some of these business units require Avaya to store call and screen recordings for playback for up to 90 days. Avaya has not confirmed the exact PII that could be received but these recordings may contain certain PII.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity-owned and/or internally hosted solution.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Avaya protects and safeguards PII data by enacting the following measures and procedures:

Access control to premises. Avaya will prevent physical access to Personal Data processing equipment by unauthorized persons as follows:

• Avaya will implement and maintain physical security measures in order to prevent unauthorized access. This is accomplished by the following measures:
  • an electronic access control system with a 90-day log retention;
  • a 24/7 video recording of physical facility with 30-day log retention; and
  • intrusion detection / burglar alarms, or engaging on premise security officers.
• Avaya will restrict the access to various zones at its premises based on roles, and periodically revalidate the access by owners.
• Avaya will have personnel and visitor security measures in place to prevent unauthorized access, which is accomplished by the following measures:
  • Personnel must display IDs;
  • Visitors must sign in;
  • Visitors will be reasonably escorted by staff; and
  • Visitors must wear a badge which easily identifies them as visitor.

Access control to use of system. In order to prevent logical access to its Personal Data processing equipment by unauthorized persons, Avaya will implement and maintain the following measures:

• Avaya will only grant individuals access to the Personal Data processing equipment with
  • a unique user ID for access with formal authorization process, and
  • a unique password with the following features:
    • a complex password, consisting of eight characters and three of four character sets;
    • a maximum password lifetime of ninety days; and
    • an account lockout on failed logins.
• Avaya will grant the individuals access based on their job function with the following criteria:
  • role-based access;
  • least-privileged access; and
  • access only on a need-to-know basis.
• The screen of endpoints will be automatically locked after 20 minutes idle time.
• Avaya will log access to the data processing equipment.
• Avaya will use a multi-factor authentication of Avaya’s virtual private network (VPN) for remote access.
• Avaya will implement and maintain a central user administration.
• Avaya will encrypt endpoints provided by itself.

Access control to Personal Data. Avaya will prevent logical access to Personal Data by unauthorized persons by implementing and maintaining suitable measures to prevent unauthorized reading, copying, alteration or removal of the media containing Personal Data, unauthorized input into memory, reading, alteration or deletion of the stored Personal Data. This will be accomplished by the following measures:

• Avaya will only grant individuals access to the Personal Data with:
  • a unique user ID for access with formal authorization process, and
  • a unique password with the following features:
    • a complex password, consisting of eight characters and three of four character sets;
    • a maximum password lifetime of ninety days; and
    • an account lockout on failed logins.
• Avaya will grant individuals access to the Personal Data based on their job function with the following criteria:
  • role-based access;
  • least-privileged access; and
  • access only on a need-to-know basis.
• The screen of endpoints will be automatically locked after 20 minutes idle time.
• Avaya will log access to the data processing equipment.
• Avaya will maintain access control lists (ACL).
• Avaya will conduct data backups and retrievals, using a secure storage of backup media and testing backups.
• Avaya will implement and maintain a formal access control change management program.
• Avaya will implement and maintain internal policies and standards comprising security policies and standards, both at a corporate and business unit level.
• Avaya will conduct periodic mandatory trainings with respect to protection of personal data, and will monitor and enforce the training participation.
• Avaya will implement and maintain anti-virus programs, which are centrally monitored and updated, and conduct regular anti-virus scans.
• Avaya will conduct a secure deletion and /or disposal of data.

Transmission control. Avaya will prevent any unauthorized access to Personal Data via implementation of secure communication channels and logging as follows:

• Avaya will use a VPN with a multi-factor authentication for remote access.
• Avaya will use firewalls with the following features and processes:
  • stateful inspection;
  • default denial access rules are implemented unless access rules are explicitly approved;
  • role-based and least-privileged access on a “need to know” basis;
  • logging and alerting of access; and
  • annual review of firewall rules.
• Avaya will use encrypted email if the same has been enabled by Customer, using transport layer security (TLS) as the methodology.
• Avaya will implement and maintain security policies and standards both at a corporate and business unit level.

Input Control. Avaya will ensure the possibility to check and establish whether and by whom Personal Data have been put into, modified or removed from the Personal Data processing equipment as follows:

• Individuals accessing personal data will require a unique user ID and authorization for access.
• Avaya will implement and maintain security policies and standards both at a corporate and business unit level.
• The Personal Data processing equipment will have logging functionalities.
• Avaya will only grant individuals access to Personal Data based on their job function, with the following categories:
  • role-based access;
  • least-privileged access; and
  • access on a “need-to-know” basis.

Organization control

• Avaya will ensure that in case of commissioned data processing, the Personal Data are processed strictly in accordance with the instructions of Customer.
• Customer will provide clear instructions to Avaya regarding the scope of the processing of personal data, and Avaya will adhere to these instructions.

Availability control. Avaya will prevent any accidental destruction or the loss of Personal Data by appropriate measures as follows:

• Avaya will implement and maintain uninterruptable power supply, fire and smoke alarms, fire suppression systems, generators, cooling systems and raised flooring.
• Avaya will implement and maintain a disaster recovery plan, and annually review and test it.
• Avaya will implement and maintain a backup strategy and backup procedures.
• Avaya will implement and maintain anti-virus programs and firewall systems.

Control of separation of data. Avaya will implement and maintain appropriate measures to allow the separate processing of data which have been collected for different purposes as follows:

• Avaya will separate different customers’ Personal Data by storing Personal Data in logically separated databases.
• Avaya will separate between productive and test data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Babatek (also known as Impetus)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Babatek Inc d/b/a Impetus is serving DOE as an IT Professional Services provider. Babatek Inc provides IT application development and support services to DOE for a range of programs, including IT Staffing & System integration (SI) Contracts. Impetus will plan, design, execute and implement the new system while ensuring security protocols are being met while ensuring business deliverables are in accordance with generally accepted industry standards and best practices and those unique to the DOE. Babatek Inc will provide all technical resources necessary to support a successful completion.

We understand that the PII may be accessed when running reports, and developing analysis, and planning and executing projects.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: No PII will be stored or hosted.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our consultants will not be storing, collecting, or otherwise using PII anywhere else but within DOE-owned or controlled networks, data systems, devices, or applications.

Babatek Inc will follow the industry standard practices as explained below which will simplify the process of implementing data encryption mechanisms.

Depending on our confidentiality agreement on the project, Babatek Inc will assign a project closure manager who will oversee all transitions of project documents and any client confidential documentation. The project closure manager will double check with a client representative all documentation files, notes, electronic information, and any other material deemed to be confidential. Upon request on need basis/ Project termination/ when data is no longer needed a formal acknowledgement will be given to client confirming that all materials have been returned or destroyed

Babatek Inc limit access to Confidential Information by the following methods:

• Not use Confidential Information for any other purposes than those authorized in our contract.
• Confidential information will never to be disclosed to anybody except fully authorized personnel. Proper approval process will be followed and agreed by both Babatek Inc and DOE in case a special needs and provisions for advance reporting or critical updates to be communicated for time sensitive scenarios.
• Maintain reasonable technical, administrative, and physical safeguards to protect Covered Confidential Information.
• Provide training on laws governing confidentiality to our officers, employees and assignees with access to such Confidential Information.
• Notify the DOE of any security breach resulting in an unauthorized release of Confidential Information, and promptly reimburse DOE for the full notification cost.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “No PII will be stored or hosted.”

Ballet Tech Foundation

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 9/1/2022 – 8/31/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The service provide is Dance Training at Ballet Tech. PII is required in order to take attendance and for grading.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Protected Information is stored in the US. Ballet Tech uses has various administrative, operational and technical safeguards in place in place to protect any Protected Information that it will receive under the contract – including training staff members as to best practices for data security and student privacy, the use of Google Drive and Gmail with their built-in data privacy protections, using an on-site physical server for day to day file storage, requiring strong passwords (and 2FA when available), and shredding any paper documents containing Protected Information.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Bank Street College of Education (for professional development)

Type of Entity: Institution of Higher Education

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

• Bank Street College of Education is a partner in the Next Generation Community Schools project. Bank Street will be providing implementation support and coaching to facilitators in 20 Next Gen Community Schools to run High 5s Kindergarten Match Clubs. Math Mentor Coaches, who are employees of Bank Street, will visit each High 5s Kindergarten Match Club at the school site, to provide coaching support to the Facilitators. The High 5s Clubs may take place before, during or after school.
• Bank Street College of Education will work with the New York City Department of Curriculum and Instruction to provide in-school coaching support and district professional learning in Mathematics. Our coaches may access PII in order to understand the coaching supports teachers need in order to improve instruction in the classroom. Coaches and teachers may analyze student data together to inform instructional strategies.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Bank Street will not be storing, processing, or collecting PII.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by the Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Physical and technical safeguards: Identified project team members will receive training about data security and proper handling of student data prior to the start of the project(s), or shortly thereafter. The training provided is specific to Ed Law 2-D and data privacy and security protocols.

PII will not be stored or collected for the purpose of [these programs], only accessed.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Bard Early Colleges

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The network of the Bard Early Colleges works to increase access and success in higher education by providing students with a program of study that includes not only high school courses, but also college-level courses in the eleventh and twelfth grades. A core-component of the Bard Early College mission is its commitment to educating students from communities that have been historically underrepresented in higher education. To ensure that the Bard Early Colleges appropriately implement the early college model, the network routinely collects student PII. With this information - in particular, key demographic information such as race, gender, ability, and economic status and key academic performance measures such as course enrollment, letter grades, credits earned, and degree attainment - Bard is able to advocate effectively for resources on local and state levels and to deepen its understanding of student populations and learning needs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Bard Early College Network uses Google Workspace for Education for email communications and data storage. All accounts associated with the Bard Early College Network are password protected and have multifactor (2-step) authentication in place. Additionally, all files that include PII require access as allowed by document owners.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Beable Education

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Beable provides literacy and test prep software to the NYC DOE. PII is collected for purposes of providing students with access to the system, and teachers with ability to monitor their progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services (AWS). Amazon Web Services (AWS) utilized are AWS RDS, AWS S3 and AWS Elasticache.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Beable employs a variety of administrative, technical and physical safeguards designed to protect PII in its custody from loss, misuse, unauthorized access, disclosure, alteration, or destruction. Our measures consider the sensitivity of the information we collect, use, and store and the current state of technology. Our security measures include data encryption, firewalls, data use, and access limitations for our personnel. Should we become aware of an authorized disclosure of your information and/or any data breach of our systems and information, we will notify NYCDOE promptly in compliance with N.Y. Education Law 2-d Requirements.

Beable has implemented a mandatory training program for its employees and contractors and clearly defined guidelines to which they are held accountable for collecting, storing, accessing, securely transmitting, interacting with, and destroying PII. Employees and Contractors are required to sign Confidentiality Agreements.

Beable’s application is hosted in AWS in our secured private network and leverages many of AWS’s broad range of cloud services.

Teachers have visibility into student-specific information via the application dashboards, reports or other features and can respond to parents who request access to their child’s records. Beable will support the teachers or other NYCDOE staff in responding to parent requests for data as necessary.

Administrative, technical and physical safeguards have been implemented to protect the security, confidentiality, and integrity of PII in its custody as summarized below:

• Administrative – Beable maintains user registration information within our AWS secure private network and limits accessibility to such information to only those few employees that have special access rights to production systems. Security training is conducted annually.
• Technical – Application is developed following Secure Coding Standards established for the team. Access decisions are based on the principle of least privilege meaning a user only has access and privileges which are essential to perform their intended function. Password requirements are strong and utilize multi-factor authentication. Data is encrypted in-transit and at rest and transmitted by Secure Socket Layer (SSL) technology. Workstations are hardened, patched and hard drives are encrypted. In addition to leveraging High Availability, redundancy and resiliency of AWS services, backups of all relevant systems are performed and the restore process is periodically tested. Records of change are maintained via audit logs. Penetration testing and security audits are run frequently and are a necessary part of Beable’s security posture.
• Physical – Beable’s solutions are hosted in the Cloud at AWS. All customer PII is stored within our AWS secured private network.

Beable is committed to comply with all state, federal, and local data security and privacy laws, and NYCDOE Information Security Requirements for vendors.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Beam Center

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/15/2022 – 7/14/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Beam Center school partnerships combine both professional learning opportunities for teachers with a wide range of direct services for students. Professional learning and DSS are woven together in a way that reaches students immediately and builds long-lasting skills for teachers.

• IN-SCHOOL PROJECTS

• Fundamentals Projects are projects designed by Beam Center staff with the purpose of introducing students and teachers to basic skills in one or more making disciplines such as woodworking, programming, electronics, and digital fabrication skills.
• In-Class Collaborative Projects are co-designed by teachers from our 29 partner schools and Beam Center Project Designers for implementation in classrooms.
  • PROFESSIONAL DEVELOPMENT
    • Custom Project Development is a professional learning opportunity for teachers and administrators from Beam Center’s 29 partner schools. In this program, Beam Center Project Designers introduce educators to our practice of hands-on project design as well as various technical making disciplines. With guidance from our staff, teachers collaborate to design a custom project for their classroom that is aligned to the learning goals, standards, and/or curriculum that educators are working with in their classrooms. Educators produce project plans, materials lists, and day-by-day schedules for the collaborative projects that they design. Participants in this program spend 12-18 hours total on this process; these hours are eligible for CTLE requirements.
  • Beam Center receives Student PII (names only) for the purposes of invoicing schools. We receive Teacher PII (names only) for the purposes of PD attendance sheet and for certifying CTLE credit.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Beam Center currently stores all student digital information (name, phone number, email address) on Google Suite documents that are accessible by only a restricted number of personnel directly responsible for managing the program covered by this contract, trained on DOE’s and Beam Center’s privacy and security policies and protected by secure passwords that are updated every 90 days. Beam Center does not collect student Social Security Numbers or OSIS numbers. If a school inadvertently shares OSIS numbers with Beam Center the documents are shredded or hard-deleted from digital storage. At this time, Beam Center uses no proprietary or in-house developed software applications or databases to manage participant data and if ever should do so, it will be developed to meet industry standards and best practices for security and privacy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Bedford, Freeman & Worth Publishing Group

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Achieve is our next generation online learning platform. Achieve will replace LaunchPad and SaplingPlus as our single courseware solution for new and existing products for Fall 2024. Achieve is a one-stop shop where students can easily:

• Find their mobile-friendly and fully accessible e-book
• Increase their understanding with ready-made quizzes
• Complete online homework or exams
• And finally, monitor their progress with the included gradebook

In Achieve, students can stay organized and on schedule with a user-friendly interface that is as powerful at it is intuitive. All of this easily integrates with school’s LMS or rostering system for a seamless classroom experience.

BFW is committed to protecting the privacy and security of all PII that we process as a “data processor” or “service provider” to your school in order to provide the services to you and your school pursuant to applicable laws. The data we collect includes Student Name, Student Email Address, Teachers Name, Student Scheduled Courses, Student ID Number, Student Username, Student Password, Student responses to surveys/questionnaires, Student generated content, Student course grades and performance scores. If you use our products and platform in your courses at your school, we only use your PII as needed to provide the agreed upon services and for educational purposes only.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. BFW will:

• We would continue being SOC 2 certified
• Store PII on servers in a secured facility in the US operated by Amazon Web Services (AWS).
• Use infrastructure built on industry-tested technology and security practices.
• Take measures aligned with industry best practices and NIST Cybersecurity Framework Version 1.1. These measures include, but are not limited to disk encryption, file encryption, firewalls and password protection.
• Stored all data in a password protected database with strong password requirements.
• Run periodic penetration tests, then logs and resolves discovered issues
• Limit access to PII and application data to people who require access in the performance of their role in providing the service.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

BeeReaders

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. BeeReaders is engaged in providing an educational platform designed to enhance Spanish literacy skills among students. The platform utilizes Personal Identifiable Information (PII) primarily for creating personalized learning experiences, tracking student progress, and tailoring the content to meet individual learning needs. The purpose of accessing PII is to ensure the effectiveness of the educational services, facilitate progress monitoring, and support the educational goals of the schools or districts using the service.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. BeeReaders ensures the protection of PII through robust administrative, technical, and physical safeguards. Administrative measures include strict data access controls, policies and procedures, an incident response plan, and regular staff training on data privacy. Technically, data is protected through regular monitoring and review of logs provided by AWS and Google Cloud to quickly detect and respond to suspicious activities, multi-factor authentication (MFA) for accessing cloud services, ensuring that only authorized users can access sensitive data and critical infrastructure, end-to-end encryption for data at rest and in transit, using AWS and Google’s encryption capabilities to safeguard data against interception and unauthorized access, and regular vulnerability assessments and penetration testing to identify and remediate security vulnerabilities within your applications and infrastructure. These safeguards collectively mitigate risks, ensuring data integrity and confidentiality while These safeguards collectively mitigate risks, ensuring data integrity and confidentiality while maintaining a security posture that adapts to evolving threats without disclosing specific vulnerabilities. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Behavior Analysts

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/1/2022 – 7/31/ 2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Receiving access to PII as part of a commercial relationship wherein Vendor’s product provides the ABLLS-R Assessment for use by the NYC DOE.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Entity utilizes administrative, technical, and physical safeguards that are aligned with industry best practices to ensure the integrity and security of PII. Administrative safeguards include written policies and procedures, and training programs that ensure employees and contractors are properly prepared and understand their obligations in handling PII, as well as employee background screenings. Additionally, Entity leverages Amazon Web Services (AWS) Cloud Infrastructure to ensure the physical security of PII, while implementing technical safeguards, including full encryption of PII in rest and in transit, in this secure environment. Collectively, these policies and procedures allow Entity to mitigate data privacy and security risks.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Benchmark Education Company

The exclusive purposes for which Protected Information will be used: Benchmark Education Company collects personally identifiable information about you when you specifically and knowingly provide such information. For example, when you register, we collect such information as your name, email address, professional title, and school information. We use this information to customize the Site for your locale and to provide more relevant services. We may use the information that you provide when you register for Benchmark Universe to create your account. This allows your employees and students to log in, create a classroom within the product, and assign lessons to students.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Benchmark Education employees that are responsible for the onboarding and record-maintenance on behalf of school clients undergo through privacy and security training (FERPA, COPA), and sign a binding non-disclosure agreement.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: We do not retain your personal information for longer than is necessary to provide you with the features and services you have requested. When you request an account be deleted, we remove the data from our servers. At expiration or termination of an agreement, we remove data within 6 months from the termination date. At any time, you may request that we permanently delete personal information immediately by emailing us at techsupport@benchmarkeducation.com.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All student data collected for Benchmark Universe is stored and backed up in Amazon Web Services (AWS). All AWS servers are located inside the United States. Benchmark Education follows industry best practices for network and physical security. All data is encrypted in transit and at rest. 

How the data will be encrypted (described in such a manner as to protect data security): Pupil records are transferred to Benchmark Education via an OAUTH 2.0 over SSL security encryption. Pupil records are stored (data at rest) in a secure AWS environment and are encrypted. Benchmark Education utilizes standard SSL encryption and authentication mechanisms with sha256RSA Signature algorithms, sha256 Signature has algorithms, RSA (2048 Bits) Public Key.

• Server authentication (1.3.6.1.5.5.7.3.1)
• Client authentication (1.3.6.1..5.7.3.2)

Big Ideas Learning (for Myadamath.com)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Myadamath.com provides access to content, assignment features, and reporting features for students, teachers, and/or building leaders at myadamath.com for Grades Kindergarten-12th grade core mathematics.

Students can view curriculum content from Big Ideas Learning’s Math & YOU textbook program, complete practice activities, use math tools, and take quizzes and tests assigned by the teacher. While students can work independently for short periods, myadamath.com is designed for use as part of daily curriculum delivery under teacher supervision.

Teachers can assign practice activities, quizzes, and tests. Teachers can also view those results in reports. Student PII is used, to make student accounts, and allow teachers and admin to identify students within classes while viewing reports and allow teachers to assign activities, quizzes, and tests

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE's option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Access to student information is limited to necessary personnel only. Yearly data privacy training must be completed before access is allowed. Access to databases is restricted through password protection which must be reset on a regular basis. Access is granted through a least privilege approach. PII is stored only where needed to serve users in Production environments. Data is only retained as long as required by law and/or legal agreement. Data is stored encrypted at rest and in transit in databases located in the United States in a secure datacenter. The minimum amount of data required to support the application is collected.

Application development is strictly controlled using version control, build/test/deploy controls, and vulnerability scanning against the code base, among other actions and tools.

Big Ideas Learning has explicit plans for business continuity and incident response with yearly reviews and implementation exercises to check readiness. Penetration testing is completed yearly by a third party. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Big Picture Learning (for ImBlaze)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2023 – 6/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ImBlaze is a Saas that enables schools to manage and grow their Work Based Learning programs. Educators can curate a database of internship opportunities, present these or pair these to students and then students can use ImBlaze to log attendance at their internship site. Schools can also track and monitor internship compliance paperwork. PII is used to create user accounts for students, educators and mentors so that student users can explore school-curated internship opportunities and log attendance. PII is also used to facilitate communication, as required, between educators, mentors and students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. BPL/ImBlaze has comprehensive policies and procedures in place that mirror best practices for data security and privacy. BPL implements access control measures that include role-based access control measures that provide role-based access controls limiting access to PII to those required to have access, strong authentication mechanisms and permissions settings to ensure that only authorized personnel can access PII. BPL includes technical safeguards like data encryption, network security controls, application security measures and secure development practices to protect the confidentiality and integrity of PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Bloomz

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Bloomz is the unified parent-teacher communication app that increases parental engagement by connecting everyone with one easy-to-use tool. Bloomz handles ALL district, school, teacher, parent, student communication. Bloomz supports and translates into 109 different languages. Bloomz is a time saver for admins, a valuable tool for teachers, increases engagement and work ethic among students, and helps parents of all backgrounds engage in their children's education. Bloomz uses the core PII information in the following ways:

• PII is used to map relationships of and allow for communication between parents, students and staff for a specific class i.e. math for educational purposes for progress reports, homework or additional support required from a teacher/counselor. PII may also be used for attendance and grade support.
• Client data is handled with utmost care at Bloomz. Data is secured through role-based access. Data encryption is in place for data at rest and in motion. All the backups are encrypted by mongo and data in motion is secured through TLS based encryption. Within the application data security is ensured through role-based access restrictions and all the user passwords are stored encrypted. Customer data is never stored locally, and production access is restricted to staff with explicit approvals.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud and AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Bloomz employs a combination of administrative, technical, and physical safeguards to protect Personally Identifiable Information (PII) and mitigate data privacy and security risks. While I'll provide a general overview without compromising security, specific details are intentionally excluded to maintain the integrity of Bloomz' security practices and protocols.

Administrative Safeguards:

• Bloomz has established strict access controls and role-based permissions to ensure that only authorized personnel have access to PII.
• FERPA and COPPA compliance.
• Regular training and awareness programs are conducted to educate employees about data privacy and security best practices.

Technical Safeguards:

• Bloomz utilizes encryption protocols (TLS/SSL) to secure data during transmission, preventing unauthorized interception.
• PII is stored in encrypted format to prevent unauthorized access even if data storage is compromised.
• Firewalls, intrusion detection systems, and advanced threat detection mechanisms are implemented to safeguard against cyber threats.

Physical Safeguards:

• Cloud-Based Security:
  • Data is entered into a password-protected cloud-based database that adheres to current industry standards for data security and privacy.
• Access Control:
  • Access to Protected Information is restricted to a minimal number of authorized personnel who have a legitimate need for such access.
  • Multi-tiered authorization is implemented for accessing cloud-based service logs, ensuring that only authorized personnel can view sensitive logs.
• Confidentiality Agreements:
  • All personnel with access to Protected Information are required to sign confidentiality agreements to ensure they understand their responsibilities for maintaining data confidentiality.
• Personnel Training:
  • Employees receive training on data security, privacy policies, and best practices to ensure they handle Protected Information appropriately.
• Regular Audits and Monitoring:
  • Regular audits are conducted to monitor data access and usage to detect any unauthorized or suspicious activities.
  • Logs of system access and changes are regularly reviewed for anomalies.
  • Test environments used for development and testing purposes do not contain actual Protected Information, and they operate with separate security keys to prevent accidental exposure of sensitive data.
• Cloud-Based Security:
  • Data is entered into a password-protected cloud-based database that adheres to current industry standards for data security and privacy.

Data Privacy and Security Risk Mitigation:

• Bloomz conducts regular risk assessments and vulnerability assessments to identify potential weaknesses in its systems.
• Ongoing monitoring and analysis of network traffic and system logs enable rapid detection of any unusual or suspicious activities.
• Incident response plans are in place to ensure swift and effective actions in the event of a security incident or breach.

While the above description outlines Bloomz' general approach to safeguarding PII and mitigating data privacy and security risks, specific details and methodologies are withheld to ensure that disclosure doesn't compromise the effectiveness of these security measures. Bloomz remains committed to maintaining a robust security posture while respecting the confidentiality of its security practices and protocols.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Blue Engine

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Blue Engine utilizes monthly data cycles to ensure the co-teaching model is being effectively implemented. We work with the district or school-based instructional coaches to embed effective co-teaching practices, approaches, and mindsets within coaches and teams of teachers. The student data collected (listed below) is used to measure student progress and allows Blue Engine staff to effectively support teachers in using data and facilitate data reviews with school administrators:

• Rosters for each classroom receiving services which list student names and ID
• Student standardized assessment scores/results
• Student demographics including grade level, gender, race/ethnicity, ELLs, and SPED status
• Student experience surveys

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. QuestionPro for secure uploads and Google Suite Spreadsheet for analysis.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Blue Engine uses Google’s G Suite for email and data storage. All student data will be maintained on the encrypted Google server in the US. Staff are only able to access the server using their organization accounts. All staff devices are password protected and only to be accessed by them. Two-factor authentication is required for all staff accounts. Student Data may only be shared with individuals within the Blue Engine account.

Blue Engine will respond to data privacy and security incidents in accordance with the following steps:

• Employees must report suspected incidents that threaten the confidentiality, integrity or availability of Blue Engine’s data systems or data to the Vice President of Impact, Learning & Design and their immediate supervisor or manager.
• If a critical incident is verified, the Vice President will convene a meeting with Senior Management.
• Where there has been a breach of Personally Identifiable Information (PII), the CEO will be notified and will coordinate the process of compliance with notification requirements.

For purposes of this policy, a breach means the unauthorized acquisition, access, use, or disclosure of student, teacher or principal PII as defined by Education law §2-d, or any Blue Engine sensitive or confidential data or a data system that stores that data, by or to a person not. authorized to acquire, access, use, or receive the data. Blue Engine will comply with legal requirements that pertain to the notification of individuals affected by a breach or unauthorized disclosure of personally identifiable information.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

bNapkin (also called School4One)

The exclusive purposes for which Protected Information will be used: The student data or teacher or principal data (collectively, “the Data”) received by The Vendor will be used exclusively with the purpose of distributing content to students, gathering evaluation data from students, distributing teacher feedback to students, providing data visualization to administrators in The School District.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: The Vendor will ensure that all subcontractors and other authorized persons or entities to whom student data or teacher or principal data will be disclosed will abide by all applicable data protection and security requirements, including those mandated by New York State and federal laws and regulations, by not providing them with private data provided by The School District.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon termination of the Original Agreement, The Vendor will extract all data associated with the School District and deliver an archive including the database table content, table description, and associated files. This archive will be delivered by means preferred by The School District. All database records and files associated with the School District will be deleted from the production master database and all its replicas.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. A parent, student, teacher or principal can challenge the accuracy of the Data received by The Vendor by contacting support@school4one.com. An audit of the challenge will be executed, and a report, accompanied with the raw data, will be produced within 14 days from the request.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Refer above to Attachment B.

[The following is an excerpt from the vendor’s Data Privacy and Security Plan: “The School4One platform is hosted by one or more leading public cloud providers which operate data centers that are state of the art, utilizing innovative architectural and engineering approaches. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. Office Security Access to School4One’s offices in New York is controlled 24 hours a day by electronic key access. Building access is monitored 24 hours a day with staffed security during normal office operating hours. Remote Work Security Access to School4One’s servers and hosting services is controlled by a two-factor authentication, and only accessible using a secure VPN.”]

How the data will be encrypted (described in such a manner as to protect data security): Refer above to Attachment B.

[The following is an excerpt from the vendor’s Data Privacy and Security Plan: “AES-256 encryption is used for data at rest and stored in the DB.”] 

Boddle Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/18/2024 – 3/17/2027.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Boddle is a K-6 platform used as a supplement to address deficiencies in student abilities in math and ELA. Boddle personalizes student profiles to provide them with targeted support in identified areas of weakness, collects data to provide insight to teachers, and aligns with New York State Next Generation Learning Standards.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. To protect Personally Identifiable Information (PII), we have established a multi-layered security approach that includes the following measures.

• Administrative Safeguards:
  • Regular training sessions are conducted for all executive-level staff to ensure they are aware of cybersecurity best practices and compliance requirements.
  • Our Chief Technology Officer (CTO) oversees and ensures the implementation of all PII protection policies.
• Operational Safeguards:
  • We have a data disposal policy that dictates the secure deletion of digital assets containing PII, aligning with the specific requirements of the applicable school district.
  • Routine internal audits and reviews of our data protection practices are performed to ensure operational adherence to our security protocols.
• Technical Safeguards:
  • Network segmentation is managed by our CTO to isolate and secure servers containing sensitive information.
  • Multi-Factor Authentication (MFA) is mandatory for accessing financial accounts and crucial IT network accounts to prevent unauthorized access.
  • Encryption is applied to all data at rest to protect PII from potential breaches.
  • Data in transit is safeguarded through robust encryption protocols, ensuring PII is secure during transmission.
  • We employ advanced server-side systems to provide denial-of-service attack protection and continuous monitoring for malicious activities, ensuring that threats are detected and mitigated promptly.

These safeguards are systematically reviewed and updated to adapt to emerging threats and to align with industry standards and regulatory requirements. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Boom Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Boom Cards are used as digital learning resources. Schools use Boom Cards to support learning and intervention. Educators who elect to collect Student Data will collect student performance data (correct/incorrect answers and time to answer) which is associated with a username, which may be pseudonymous. The purpose of the data collection is to evaluate student progress towards mastery.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., MongoDB on AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity of a data breach, Boom Learning has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by exposure of the User Data to unauthorized persons. Safeguards include:

• Privacy and Security by Design
• Data Minimization
• Data Deletion Practices
• Adoption of the NIST Cybersecurity Framework
• Need-to-know access
• Annual or more frequent training for employees and vendors

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Brainfuse

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2024 – 6/30/20209.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Brainfuse is a high-quality tutoring provider for K-12 students. Brainfuse tutoring services are structured with research-backed practices to increase student learning gains and the overall efficacy of the tutoring program. Brainfuse provides live tutoring in one-on-one and small group settings, virtually or in-person, for K-12 schools. Brainfuse offers live tutoring support in all core subjects and can provide services to students of all skill levels. Brainfuse will provide high-impact tutoring for students with the following dosage:

• 3 small group (up to 4 students) tutoring sessions per week, based on a personalized learning plan targeting student needs
• 30 to 35-minute tutoring sessions, for a total of 90 to 105 minutes of tutoring per week
• 12-week program, for a total of 36 tutoring sessions and 18 to 21 hours of tutoring \

The Brainfuse application includes the following titles:

• HelpNow: HelpNow provides students and teachers a platform to access content, track progress, and provide feedback.
• BoostHDT: BoostHDT provides students and teachers with a dashboard to track their scheduled tutoring sessions, access content, monitor program progress, and provide feedback.
• Flashbulb: Flashbulb provides an innovative study tool that enables students to easily create or share flashcards or access library flashcards. Each flashcard set can be converted into various study options, including study tables, games, quizzes, and more. •
• Whiteboard: Our proprietary whiteboard provides students with a work environment for homework and questions on their tablet, laptop, or desktop computer using intuitive and powerful tools, including a graphing calculator, file/image editor, and more. The whiteboard is automatically recorded, allowing students to rewatch their previous work in a format that maintains the order of the steps completed.
• Flashbulb: Flashbulb provides an innovative study tool that enables students to easily create or share flashcards or access library flashcards. Each flashcard set can be converted into various study options, including study tables, games, quizzes, and more.
• LEAP: LEAP offers unlimited access to online assessments to help students identify strengths and weaknesses in various academic skills. Our system automatically generates a unique learning plan based on the student’s performance to help them develop academic skills and monitor their progress as they work towards mastery.
• SkillSurfer: SkillSurfer contains hundreds of lessons, captioned videos, and practice tests in core academic subjects to encourage student-guided review and strengthen skills. These lessons, videos, and practice tests are aligned with New York State Next Generation Learning Standards.
• eParachute: eParachute provides a self-discovery tool to help students identify academic majors and career options that are well-suited to their self-selected skills and interests.

PII is used to provision user accounts for access to Brainfuse, which enables scheduling student tutoring sessions, tracking attendance, monitoring progress, adjusting individual learning plans, reviewing tutoring session notes, and accessing all titles noted above.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Evoque Cyxtera.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• External Soft Threats: Brainfuse utilizes a multi-layered approach to ensure the confidentiality of student information. Brainfuse follows strict standards to ensure that the software does not have open venues for hackers. Our network undergoes various penetration and application testing to ensure that no security issues would allow hackers to get into the network. The Brainfuse application is protected by a gateway firewall and IPS software to ensure intrusions are automatically detected and blocked.
• Physical Security: Brainfuse physical security at the production level is handled by our hosting facility. Biometrics and identity verification are required before access to the facility is granted. All information is encrypted, and we adhere to a strict media destruction protocol to ensure data security. Internally, Brainfuse employees must adhere to the IT Information Security Policy, which mandates best practices in security.
• Internal Soft Threats: Brainfuse utilizes a “need to know” approach. All Brainfuse vendors and employees have access only to the information they need to perform their duties. Additionally, all employees and vendors must adhere to password, antivirus, and antispam requirement policies, as indicated in the Information Security Policy.
• Authorization of Third-Party Access To / Use of Data: Brainfuse never authorizes third parties to access user data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

BrainPOP LLC

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. BrainPOP is an online educational product for k-12 students. Animated movies, interactive learning activities, and educational games allow students to explore concepts through numerous modalities and participate actively in their learning. Activities like Make-a-Movie and Make-a-Map help students grow from content consumers to content creators, building critical higher-order thinking skills across the curriculum and adding to their academic portfolios. In addition, playful formative assessments inside and outside movies provide teachers with actionable insights to track students' growth and performance.

Our standard-aligned topics cover academic subjects, which include English Language Arts (ELA), Social Studies, Science, Math, Engineering & Tech, Health, Arts & Music.

Teacher and Student data is collected for the purposes of creating individual accounts to track student learning. 

Teacher  names and emails are collected for the purposes of creating “classrooms” to track student learning. Emails are used to send product use recommendations and product updates, password recovery information, effectiveness and efficacy data.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Servers are located in a secure, locked and monitored environment to prevent unauthorized entry or theft and are protected by a firewall. We apply a Secure Sockets Layer (SSL Or HTTPS) encrypting technology to encrypt data in transit between the server and the browser remains encrypted. We also encrypt data at rest. Governance policies and access controls are in place to ensure that the information of the BOE is separated and all subscribers can only access their own data. Only limited personnel have access to the data and can only access it when necessary to provide the services. Personnel pass criminal background checks and undergo periodic privacy training. We follow standardized and documented procedures for coding, configuration management, patch installation and change management for all applicable services and we have a third party audit our practices at least once a year. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Braintrust Tutors

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We provide live, synchronous, high dosage academic tutoring services for students in Grades K-12, either one-on-one or in small groups of 2-4 students, both in person and online, primarily focused on accelerating foundational reading and math skills. We collect limited student PII in connection with the delivery of our services, including student name, email, and grade.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Pencil Spaces.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Braintrust Tutors limits the collection of personally identifiable information ("Student PII") to ensure the privacy and protection of each student we serve. Braintrust Tutors stores Student PII in databases and on servers powered by Amazon Web Services ("AWS"), one of the leading and most secure cloud computing environments, behind multiple layers of electronic safeguards. Braintrust Tutors protects Student PII in the course of business through various means, including by implementing secure user authentication protocols, secure and limited access control measures, data encryption on public networks, and more. Braintrust Tutors restricts access to NYCDOE Student PII other than to NYCDOE, and Braintrust Tutors employs various encryption techniques for NYCDOE Student PII provided to NYCDOE (e.g., password protection, exclusion of student last names, etc.).

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Branching Minds

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices. 

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Branching Minds Platform (the “Platform”) is a web application for use by teachers and administrators. The Platform supports all aspects of a district’s Multi Tiered System of Supports intervention work and system. The Platform helps teachers follow the best practices of problem-solving work efficiently, effectively, and collaboratively from the start, saving time and effort while improving outcomes for all students.

PII collected on the Platform is used solely:

• To provide contracted educational services. For example, the Platform collects information about a student’s English language proficiency in order to determine the best learning interventions to recommend for that student.
• To conduct statistical research. Any data used for this purpose is de-identified (made anonymous by removing all personally identifiable information). This research helps us evaluate the effectiveness of the Platform and improve our product.
• For compliance and protection reasons. We may need to use data to comply with applicable laws, our internal policies.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All information collected on the platform, including Student Personally Identifiable Information, is safeguarded through administrative, operational and technical safeguards around the AICPA Trust Service Principle Security as part of the System and Organization Controls (SOC) 2 Report, under the direction of a dedicate Director of Security Operations. Safeguards include:

• Software Security: We implement privacy and security practices which are compliant with FERPA and COPPA. Our Districts and their users, however, must use secure practices to help achieve comprehensive protection of student personal information as well.
• Data encryption: We encrypt personal information in transit and at rest.
• File transfer protocol: We use File Transfer Protocol (FTP) over secure (SSL/TLS) cryptographic protocol to transfer personal information.
• Firewalls: We utilize stateful firewalls, network access control lists, subnetting and virtual private cloud networks to segment and protect our information resources.
• Proactive Defense: We utilize antivirus software, intelligent threat detection, and enhanced detection and response software to protect our systems. Policies prevent users from disabling antivirus and enhanced detection & response software on company computers.
• Data storage provider: We store all our data and host the Platform at off-site facilities which are managed by Amazon Web Services (AWS) at their United States data centers. AWS secures our data using a variety of measures, including: (a) housing the data centers in nondescript facilities; (b) strictly controlling physical access both at the perimeter and at building ingress points by professional security staff utilizing video surveillance; intrusion detection systems, and other electronic means; (c) requiring authorized staff to pass two-factor authentication a minimum of two times to access data center floors; (d) requiring all visitors and contractors to present identification, sign in, and be continually escorted by authorized staff; (e) limiting access and information to employees and contractors who have a legitimate business need for such privileges; (f) revoking access privilege when an employee no longer has a business need for these privileges; (g) logging and routinely auditing all physical access to data centers by AWS employees; (h) encrypting all access to the information within the Platform stored on these servers; (i) encrypting user passwords; and (j) securing all data stored with AWS behind a firewall.
• Security audits: We conduct internal and third party security audits and code reviews.
• Secure programming practices: Our software developers are aware of secure programming practices and strive to avoid introducing errors in our application (like those identified by OWASP and SANS) that could lead to security breaches.
• Account protection and identity verification: We support account authentication and identity verification exclusively through single sign-on technologies and protocols, such as SAML.
• Facility security: Our facilities are located in the continental United States. Physical access to our facilities is protected by electronic access devices, with monitored security and fire/smoke alarm systems.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Breakout

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Breakout EDU Educational Gaming Platform and Kits. Our online platform intended for teachers and students will provide access to academic and teambuilding games designed for learners of all ages. We also sell the Breakout EDU Kit which provides tools which teachers can use in conjunction with our digital platform to turn their classroom into immersive learning centers. We only collect basic PII (student first name and last initial, password, username (non-email), email for teachers, email is only gathered for students if an SSO option is used such as Google Classroom) necessary in order to deliver the service.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. At Rest, all data is stored on secure AWS RDS instances and S3 buckets. Passwords are stored using MD5 and all tokens are stored using AES-256-CBC. There is no way of accessing the data without the encrypted key.

In Motion, all data sent over internal APIs using HTTPS. It is decrypted on the application backend and is only sent when authorized via token. In addition, any employee with access to any database has undergone both a background check and cyber security training to ensure proper handling of all data. We also have the entire site security checked to ensure any risks are mitigated each year. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Broadway for Arts Education

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Broadway for Arts Education provides arts education programming for the purposes of developing social-emotional skills and technical skills in the performing arts. The services include in school and after school instruction in dance, music, theater, and visual art, employing the tenets of project-based learning, and producing events for the school community. Broadway for Arts Education collects data to evaluate how its program services affect attendance/engagement rates, general attitudes towards school, family engagement, skill development progression, social emotional development progression. It is necessary to track PII to compare data year-over-year on a student, class, school, and district level.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Drive and Salesforce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our staff interact with students/DOE staff/parents at this site, and are trained to not disclose any PII information, but to refer any requestor (parent or eligible student) to a trained & authorized administrator for access to any PII as required by FERPA. All PII is stored in a password protected, encrypted database, inaccessible to unauthorized personnel. PII can only be accessed from a computer that is password protected and located in an office that is locked to the public and monitored by a security camera. PII is only accessed on devices using networks that are protected by a firewall, and databases are protected with multifactor authentication and only accessed on browsers that always use secure connections. Authorized administrators are trained on these policies and procedures. All staff must sign Child Protection Policies (a policy document developed by the Processor), which forbid unauthorized staff members from collecting, accessing, or disclosing any PII. We will provide training to all employees to help them understand their responsibilities when handling data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

BronxWorks

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. BronxWorks provides services to the DOE as part of the community schools, Learn-to-Work, and early childhood learning centers programs. In order to provide these services, BronxWorks’ access to PII is necessary for the following purposes:

• Enrollment of students into BronxWorks programs;
• Supports to improve school attendance such as attendance monitoring, calls to students, home visits, regular attendance meetings with students, provision of incentives, referrals to additional services, and parent engagement activities;
• Career counseling, academic advising, college readiness supports, and assistance with applications to colleges or trade schools;
• Operational supports to the school such as hallway patrol, attendance at administration meetings with school staff, in-classroom assistance;
• Connecting students with internship opportunities at external employers, and paying students for internship work using program funds;
• Provision of wrap-around services to help students overcome barriers that have posed  challenges in traditional school settings; and
• The provision of full-day childcare and pre-school education serving children ages 3 – 5 years old, with a heavy emphasis on age-appropriate learning and social skills development to prepare children for elementary school.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft 365/Sharepoint, Salesforce, ADP.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. To ensure the protection of student PII and mitigate data privacy and security risks, BronxWorks has implemented a comprehensive set of administrative, technical, and physical safeguards, including those listed below.

Administrative Safeguards:

• Data Access Controls: BronxWorks has implemented strict access controls to limit access to PII only to authorized personnel. This includes unique user accounts, role-based access privileges, and two-factor authentication.
• Data Minimization and Anonymization: BronxWorks follows the principle of data minimization, where only the necessary minimum PII is collected and retained.
• Privacy Policies and Procedures: BronxWorks has documented privacy policies and procedures that outline how PII may be accessed, used, stored, and transmitted.
• Employee Training and Awareness: BronxWorks conducts regular cybersecurity training sessions and awareness programs to educate employees about data privacy and security practices.
• Regular Risk Assessments: BronxWorks conducts periodic risk assessments to identify potential vulnerabilities and threats to PII. These assessments help in proactively addressing any security gaps and implementing necessary controls.

Technical Safeguards:

• Encryption: BronxWorks encrypts PII during storage and transmission. This ensures that even if unauthorized access occurs, the data remains unreadable and unusable.
• Firewalls and Intrusion Detection Systems: BronxWorks employs firewalls to safeguard its network infrastructure from unauthorized access. Intrusion detection systems are also employed to identify and respond to any suspicious activities in real-time.
• Continuous Monitoring: BronxWorks employs monitoring and intrusion-prevention tools and technologies to detect and thwart any unusual activities or security breaches. Real-time monitoring enables timely response and remediation of any potential threats.

Physical Safeguards:

• Device Security: BronxWorks ensures that all devices used for processing and storing PII, such as servers, laptops, and mobile devices, are protected with appropriate security measures, including encryption, authentication requirements, and regular security updates.
• Physical Files: Physical files containing PII are stored in locked file cabinets and in offices that are locked when not in use.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Brooklyn Bureau of Community Service (also called Brooklyn Community Services)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: Extension is from 7/1/2023 – 6/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The LTW program provides student support, guidance, evaluation, assessment, and planning. As such, the program needs to be able to access PII for the purposes of registration and enrollment, attendance and other tracking, communication, and associated needs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Apricot 360.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We will follow our HIPAA and DOE’s guideline policies and procedures to safeguard the data. We do not store student data in Google drive. We use https to connect to our data. We use secure VPN to access data. All computers and laptops are encrypted. All documents are sent encrypted with strong passwords.

Student PII collected by LTW on enrollment is:

• State or school ID
• Social security card and/or number
• Birth certificate
• Tax information, financial information (i.e. for direct deposit)
• Address and contact information

Student information collected during the course of student time with the program:

• Grades and academic status
• Interaction and case notes
• Medical information in select cases, e.g. a doctor's note to excuse absence
• Timesheets and attendance

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Brooklyn Center for Psychotherapy

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Brooklyn Center is currently in three high schools providing Mental Health expertise to the PIP school contract. While present in the schools, there are conversations that occur between the DOE staff and BCP staff. Information is shared on students that will be referred for treatment or those in crisis.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Every user that has been screened and allowed access must also use MFA security (Multi-Factor Authorization) to gain access to the data and email environment. The MFA utilizes the Microsoft Authentication security package. Only approved employees with the proper security clearance and MFA setup are allowed access. The Processor will manage data security and privacy incidents that implicate Protected Information by preventing removal, download, and data transfers. All data is locked down for access in the secure environment. Unexpected data movement is monitored, and alerts are set for immediate action if a breach, hack, or unauthorized access has occurred. This information, once verified, is immediately reported to appropriate personnel and authorities and if appropriate to NYC DOE. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Brooklyn College Community Partnership

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Community schools collaborate with Lead Community-Based Organization (CBO) partners to create welcoming, supportive environments that help students navigate barriers and build on strengths so that every student can thrive academically, socially, and emotionally.

Community School Lead CBOs use student level data to ensure the right students are getting the right services at the right time. Through collaborative leadership between schools and CBOs, the information is utilized to support family engagement, expanded learning time and wellness and integrated student supports such as mental health services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Rackspace cloud services provider.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data at rest remain stored under secure conditions at all times, All electronically stored data reside on a password protected area of our server, which is backed up regularly. The server is protected by 15 separate firewalls, and is continually scanned by malware protection software. When in transit, confidential data are encrypted and transferred using secure File Transfer Protocol (FTP) account. Upon disposal, printed materials are shredded and electronic files are securely deleted.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

BSD USA (also called BSD Education)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/5/2024 – 8/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. BSD Education provides a solution for digital and technology skills to be taught to students by teachers during discrete technology lessons or during subject integrated and project based learning. For this to happen, students and teachers access content, and an interactive classroom through our online software platform called BSD Online. BSD Online can be accessed through any laptop or tablet with a browser and an internet connection.

Entity will receive PII in order to register student and teacher accounts that can be named for using the BSD Online platform. The PII required by the BSD Online platform for students and teachers includes name, email, school name.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. BSD Education implements a multi-layered approach to protect Personally Identifiable Information (PII) and mitigate data privacy and security risks:

Administrative Safeguards:

• Comprehensive Policies: Regularly updated data privacy and security policies, aligned with FERPA, COPPA, and NY Education Law § 2-d.
• Access Control: Role-based access controls (RBAC) limit access to PII based on job responsibilities.
• Employee Training: Mandatory initial and refresher training on data privacy laws and best practices.
• Vendor Management: Thorough vetting and regular audits of subcontractors to ensure compliance with data protection standards.

Technical Safeguards:

• Encryption: AWS encryption at rest and in transit for all PII stored and processed in BSD Online.
• Multi-factor Authentication: Required for administrative access to BSD Online and AWS resources.
• Monitoring: Utilization of AWS CloudWatch for real-time threat detection.
• Vulnerability Management: Regular vulnerability assessments and penetration testing of BSD Online.
• Secure Development: Implementation of secure coding practices and regular code reviews.
• Data Anonymization: All student and user data is anonymized and segmented to protect individual privacy.
• Anonymization Techniques: Data used for analysis and reporting is anonymized to prevent the identification of individual students. This includes removing or masking direct identifiers and applying techniques such as data aggregation and randomization.
• Physical Safeguards:
• AWS Data Centers: Utilization of AWS's highly secure data centers with strict physical access controls.
• Device Management: Endpoint protection for all devices accessing BSD Online administrative functions.

Risk Mitigation Strategies:

• Data Minimization: Collecting only necessary information for educational purposes.
• Incident Response Plan: Structured approach for detecting, responding to, and recovering from security incidents.
• Regular Audits: Continuous monitoring and periodic third-party security assessments.
• Disaster Recovery: Comprehensive plan ensuring business continuity and data protection in case of disasters. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

buildOn

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 9/1/2023 – 9/1/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. buildOn will work with partnering schools providing year-round specialized service learning programming, including during school breaks and summer vacations. Program activities include in-class service projects, after-school, weekends, school holiday programming, as well as school-wide service days. All programming follows buildOn’s IPARD service-learning framework: Investigation, Preparation, Action, Reflection, and Demonstration.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. buildOn implements and maintains reasonable physical, administrative, and technical safeguards designed to safeguard PII in accordance with applicable law and the NIST Cybersecurity Framework. These safeguards include asset management, access controls and identity authentication, encryption, personnel training, and least-privilege functionality. buildOn engages in a risk assessment in accordance with the NIST Cybersecurity Framework to identify areas of improvement to improve its security posture to ensure PII is adequately protected. buildOn also maintains a written information security program and incident response plan to provide clear guidance to personnel.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Business U

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. BusinessU is a standards-based curriculum platform with full-year high school business courses, which is designed to be used in-classroom by teachers, for/with students. While not required to use BusinessU, PII is used to enable the use of our LMS integrations, which allows teachers to roster students, sync assignments, and pass-back grades. It also allows for student single-sign-on, which is easy to use and the most secure method of accessing the BusinessU platform.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS (API Gateway & Lambda, RDS, ElastiCache).

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. BusinessU prioritizes security and privacy. We only collect minimal student information, such as first name, last name, and email address from teachers, with strict limitations. Students cannot provide additional personal information, customize profiles, or upload avatars. Our data is securely stored in AWS RDS, encrypted at rest and during transit, within a VPC, and not publicly accessible online. We use a multi-tenant database model with strict permissions to safeguard data. Data access is controlled via temporary credentials and restricted to our engineering team. Authentication is handled via SSO with Google Workspace, ensuring robust security measures. We maintain staging environments for testing, scrubbing customer data before use. Background checks are conducted for personnel with administrative access. PII data is processed internally for generating reports, and some data is double-encrypted with regular key rotation. All BusinessU employees use 2FA for their Google Workspace accounts. Passwords are securely hashed, and sessions are protected with JWTs. User authorization follows a strict ownership-based model, with no cached permissions. Users can log out and are not allowed to share accounts. All credentials and customer data are encrypted in transit and at rest.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CAMBA, Inc (Community Schools)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term:

• PS 306 and PS 1998: 7/1/2021 – 6/30/2024
• Forsyth Satellite Academy: 7/1/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

PS 306 and PS 1998: CAMBA’s Community Schools program helps students succeed by offering academic enrichment, along with programs to improve school culture, engage families, and connect students with other nonprofit and public support services to ensure their success. In order to assist these students, CAMBA collects PII to better understand student needs, to stay in contact with the student, and to track outcomes of CAMBA’s work. CAMBA uses the collected data to provide academic and student support, social and educational development, middle school advising and preparation, skills development, and alumni services. CAMBA also uses the data to conduct follow up with graduates after graduation to assist them in maintaining their continuing success, and provides DOE with historical information on outcomes to further improve the on-going services.

Forsyth Satellite Academy: CAMBA’s Community Schools program helps students succeed by offering academic enrichment, along with programs to improve school culture, engage families, and connect students with other nonprofit and public support services to ensure their success. In order to assist these students, CAMBA collects PII to better understand student needs, to stay in contact with the student, and to track outcomes of CAMBA’s work. CAMBA uses the collected data to provide academic and student support, career and educational development, college advising and preparation, work preparation, skills development, alumni services, and paid internships. CAMBA also uses the data to conduct follow up with graduates after graduation to assist them in maintaining their continuing success, and provides DOE with historical information on outcomes to further improve the on-going services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

If granted permission by DOE, CAMBA will remove any identifiers from student data making it no longer PII, and maintain the de-identified data in order to continue reporting on historic outcomes and tracking outcomes for improvement of on-going services.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Eccovia Solutions, Inc, and using an Entity-owned and/or internally-hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CAMBA’s polies are designed to ensure that PII is protected. All student files are maintained in locked filing cabinets in the program offices. Access to student files and information is limited to staff with a need to have such access. Electronic PII is kept in a secure database that is segregated from CAMBA’s agency-wide client management system, and only staff with specific permission can have access to information in the database. Mandatory training is provided to all staff on the requirements and importance of the agency’s confidentiality policy. Student information, records, and data are not disclosed by CAMBA to any person, organization, agency, or other entity except as authorized by law or appropriate consents. CAMBA’s database management systems supports the creation of user accounts, roles, user group security, and permissions based on programs’ protocols. CAMBA maintains student data confidentiality by creating the specific workgroups and security organizations in database systems. CAMBA practices Universal Precautions/Standard Protocol & Procedures and compliances with any and all Federal, State, City, and CAMBA confidentiality, privacy, and security laws. CAMBA uses appropriate safeguards to prevent us or disclosure of the PII and implements administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CAMBA, Inc (Learning to Work)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2023 – 6/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CAMBA’s Learning to Work program helps to re-engage students who have dropped out or fallen behind in credits to graduate high school. In order to assist these students, CAMBA collects PII to better understand student needs, to stay in contact with the student, and to track outcomes of CAMBA’s work. CAMBA uses the collected data to provide academic and student support, career and educational development, college advising and preparation, work preparation, skills development, alumni services, and paid internships. CAMBA also uses the data to conduct DOE-directed follow up with graduates a year after graduation to assist them in maintaining their post-secondary plans, and provides DOE with historical information on outcomes to further improve the on-going services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. “If granted permission by DOE, CAMBA will remove any identifiers from student data, making it no longer PII, and maintain the de-identified data in order to continue reporting on historic outcomes and tracking outcomes for improvement of on-going services.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an entity-owned and/or internally hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CAMBA’s policies are designed to ensure that client information is protected. All client files are maintained in locked filing cabinets in the program offices. Access to client files and information is limited to staff with a need to have such access. Electronic information is kept in a secure database that is segregated from CAMBA’s agency-wide client management system, and only staff with specific permissions can have access to information in the database. Mandatory training is provided to all staff on the requirements and importance of the agency’s confidentiality policy. Client information, records, and data are not disclosed by CAMBA to any person, organization, agency, or other entity except as authorized by law. Our database management systems supports the creation of user accounts, roles, user group security and permissions based on programs’ protocols. We maintain clients’ data confidentiality by creating the specific workgroups and security organizations in database systems. We practice Universal Precautions/Standard Protocol & Procedures and comply with any and all Federal, State, City and CAMBA confidentiality, privacy, and security laws, specifically including, but not limited to, HIPPA. We use appropriate safeguards to prevent use or disclosure of the PII and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentially, integrity, and availability of the electronic PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Cambiar Education (through Magpie Literacy)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Cambiar Education, via Magpie Literacy, will provide students access to a digital literacy platform and set of instructional tools designed to help them master reading foundations. Through our platform students will receive research-based instruction on foundational literacy skills and opportunities for practice and feedback on these skills through games and activities. We also provide a digital reading foundations assessment within the platform.

We collect and use PII to make user accounts and to track student progress in foundational literacy skills. In addition, PII is used to improve the learning experience for students, for adaptive or personalized learning purposes, and to ensure secure and effective operation of our products, including providing customer support and responding to security threats.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Relational Database Service (AWS RDS).

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Cambiar Education, through Magpie Literacy, follows all state, federal, and local data security and privacy requirements to protect student data. Here’s how we ensure student information is safe:

• Strong Protections:
  • We use security protections such as access controls, vulnerability assessments, and encryption of data at rest and in transit.
  • Our security practices align with the NIST Cybersecurity Framework.
• Secure Access:
  • Usernames, passwords, and other access methods are secured at high standards.
  • Only authorized employees, contractors, and service providers can access student data and those with access to such data sign confidentiality agreements and contractors are assessed and employees pass background checks.
• Safe Data Handling:
  • We only share student data as needed to provide our services.
  • All data is stored in a secure environment and only shared with service providers who support the operations of our services and that are bound by written agreements to only use and process the data as authorized.
• Employee Training:
  • Our staff receives regular training on data privacy and security to ensure they handle student data properly.
  • Advanced Security Technology:
  • We use encryption at rest and in transit designed to secure web technologies to protect data.
  • Our servers are protected by firewalls and other security measures.
• Regular Assessments:
  • We conduct regular security checks and quickly fix any vulnerabilities found.
• Data Backups and Retention:
  • We maintain backup copies of critical data and test these backups annually to prevent unintended data loss.
  • We have data retention policies and procedures to ensure we don’t retain data longer than it is needed.
• Service Providers:
  • We ensure all our service providers follow strict data protection standards.
  • We have written agreements with these providers to protect student data just as securely as we do.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Canva

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 6/12/2023 – 6/1/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Canva for Education – an online design tool used by students, teachers, and staff to design a wide array of products, including presentations, posters, websites, videos, and much more. The software allows an authorized user to create from scratch or use a library of templates, photos, videos, and other media, through the use of digital design tool elements. Basic user information, including PII such as the user’s first and last name, plus District-issued email address, is required for SAML-based Single Sign On (SSO); allowing the District to centrally control and manage access.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Measures of pseudonymization and encryption of personal data: Canva encrypts Data transmitted between customers and the Canva application over public networks using TLS 1.2 or higher. Customer Data stored on Canva’s servers is encrypted using AES 256 or stronger.
• Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: Canva has personnel responsible for oversight of security and privacy. It has appointed Heads of Security, Privacy and Data, together with an Information Security Committee that meets quarterly to discuss privacy and security risks managed in its risk registers.
• Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: In order to support availability of the service, Canva utilizes Amazon Web Services (AWS) auto scaling, AWS availability zones, extensive application and infrastructure monitoring, and 24x7 application support rosters. Canva maintains backups of the data stores, including Customer Data, that support the core functionalities of the Canva application. Backups are stored in a location geographically-separated from the primary data storage location. Canva maintains a security incident response capability that includes a documented Personal Data Incident Response Plan for security incidents involving Data. This defines how we contain, respond, assess, communicate incidents, as well as roles and responsibilities of Canva personnel and a requirement for post-incident reviews.
• Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing: Canva engages a specialist third-party security tester to perform an annual penetration test of its application and infrastructure. Canva also employs a third-party application vulnerability scanning service and runs a public bug bounty program.
• Measures for user identification and authorization: Where a Customer’s account contains a password for authentication, Canva stores the password salted and hashed using an industry-standard password hashing function. Canva supports Single Sign On (SSO) integration with a customer identity provider using Security Assertion Markup Language (SAML).
• Measures for the protection of data during transmission: As per item 1, Canva encrypts Data transmitted over public networks between customers and the Canva application using TLS 1.2 or higher.
• Measures for the protection of data during storage: As per item 1, Customer Data stored on Canva’s servers is encrypted using AES 256 or stronger.
• Measures for ensuring physical security of locations at which personal data are processed: The service is hosted and Data is stored within data centers provided by Amazon Web Services (AWS). As such, Canva relies on the physical, environmental and infrastructure controls of AWS. Canva periodically reviews certifications and third-party attestations provided by AWS relating to the effectiveness of its data center controls.
• Measures for ensuring events logging: Canva maintains application and infrastructure security audit logs. Audit logs are analyzed to detect anomalous activity.
• Measures for ensuring system configuration, including default configuration: Canva hardens its server infrastructure using a hardening standard based on a common industry standard. Canva applies security patches to its servers in accordance with its Vulnerability Management Procedure.
• Measures for internal IT and IT security governance and management: Canva staff access to Customer Data is role-based and follows the principle of least privilege. Staff are only provided with sufficient access to Customer Data to be able to discharge their responsibilities effectively. Remote network access to Canva systems requires encrypted communication via secured protocols and use of multi-factor authentication. Canva has established and will maintain procedures for password management for its personnel, designed to ensure passwords are personal to each individual, and inaccessible to unauthorized persons, including at minimum:
  • cryptographically protecting passwords when stored in computer systems or in transit over the network;
  • altering default passwords from vendors; and - education on good password practices.
• Staff access to production infrastructure requires multi-factor authentication (MFA). Canva staff are subject to confidentiality obligations and a Personal Data Handling Policy. Canva requires its staff to undergo information security awareness training, both at the commencement of their employment and then annually thereafter. Canva also requires its staff to undergo privacy law training annually (including to comply with COPPA and FERPA in respect of student data). Canva has implemented privacy by design, including but not limited to, privacy impact assessments.
• Measures for certification/assurance of processes and products: Canva will maintain an ISO 27001 certification, undergoing periodic external surveillance and recertification audits to ensure that its Information Security Management System (ISMS) meets the requirements of this standard. Canva will maintain an information security policy that meets the requirements of the ISO 27001 standard, an internal audit program that assesses Canva’s ISMS and information security controls, and a management committee that is responsible for oversight of Canva’s Information Security Management System (ISMS).
• Measures for ensuring data minimization: Canva allows visitors to use certain functionalities of its platform anonymously and minimizes the Data it requires from Customers to only what is necessary to provide the service requested.
• Measures for ensuring data quality: Canva ensures the quality of its data through verification of emails that sign up to the canva.com platform. Canva also allows users to update the information in their accounts themselves or via requests to its customer support function, the Customer Happiness Team.
• Measures for ensuring limited data retention: Canva maintains a Data Retention Policy setting out the retention periods for various types of data based on legal requirements, justified interests of Canva and the purposes of collection.
• Measures for ensuring accountability: Canva has designated local representatives in Europe and the United Kingdom. Canva’s local representative in the European Economic Area is European Data Protection Office (EDPO) with registered address at Avenue Huart Hamoir 71, 1030 Brussels, Belgium. Our local representative in the United Kingdom is European Data Protection Office UK (EDPO UK) with registered address at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom. Data Protection Impact Assessments are carried out for high risk processing activities and Canva maintains records of its processing activities.
• Measures for allowing data portability and ensuring erasure: Canva has an automated process for deleting Customer Data on request within 28 days and enables the download Customer Data to provide to alternative service providers.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Canvas Institute

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 1/15/2023 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. This program will deliver Compassionate Systems tools and Practices to students including social emotional learning and well-being education/guidance.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Vendor selected “Other: No PII will be stored in a database. Any information such as surveys will not have students full name, address or personal information that can compromise their identity.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The program is taking place in person. No personal information will be uploaded or stored in any data base. Any surveys that administration will have access to will not have any student identifiers on them that can pose a security risk to the students or the school.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CAPIT Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CAPIT Reading provides teachers with a lesson plan and a phonics curriculum that teaches students to read and spell. [Information collected: Student first name, last name, username, password, student ID, grade, class, teacher, school, and district.]

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CAPIT collects only the information necessary to deliver its services and ensure students learn to read. This data is never stored on personal devices, never emailed or sent from one user to another, or made accessible to anyone other than those who are directly involved in delivering or aiding in the delivery of student instruction. All data is encrypted and stored on AWS cloud services. All CAPIT employees and subcontractors are made aware of our security and privacy practices and must agree to abide by them.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Carahsoft Technology Corp (reseller of Salesforce)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

This agreement covers all Salesforce products made available to the Board of Education of New York City [including but not limited to the ECMS project described below].

The New York City (NYC) Department of Education (DOE) provides free, early childhood education for students ages six (6) weeks to four (4) years old enrolled in Pre-K for All, 3-K for All, and Early Learn programs. The Division of Early Childhood Education (DECE) is responsible for making sure programs are providing high-quality early childhood care and education services giving 60,000+ children a strong start in school and in the future.

Currently the Pre-KIDS (Pre-K Integrated Data System), a web-based application, helps the DECE to process enrollment, attendance, budgets, and invoicing for approximately 1,200 service providers The current system relies on legacy technology that is outdated and unable to support current business rules, processes and security standards The new Early Childhood Management System (ECMS) Project will create an application platform that serve a single portal for all user needs covering:

• View Enrollment
• Attendance Management
• Budget Management
• Invoice Processing
• Developmental Student Screening Survey
• Incident Reporting Management
• Site contact Management
• Coaching Log Management
• Instructional Data and Monitoring

High-Level Project Goals:

• Improved user experience for parents, teachers and administrators
• Enhanced functional capabilities making the system very efficient in supporting DECE business processes
• Facilitate end-to-end business functions for early childhood education service providers
• Ensure compliance with all relevant regulations and standards, including data privacy laws and educational standards.
• Ensure high quality of data to support data driven business decisions
• Develop reporting platform to support business and compliance needs
• Integrate with other enterprise systems used by NYC Public schools and other City agencies
• The Division of Instructional and Information Technology (DIIT) will spearhead this initiative and manage the day-to-day activities for this project. DIIT will work with the vendor to ensure all in-scope requirements are successfully achieved.
• This project is expected to span up to 14 months and begin around November 2023.

The new ECMS will provide users with a more user-friendly platform to support day-to-day business needs. Leveraging the latest technology will allow users to be able to customize views based on their authorization and access within the new ECMS. This project is also intended to provide the following benefits to the DOE:

• Reduces the use of legacy technology systems.
• Improvements to data quality to allow for a better utilization of data
• Reduces the effort required in collecting data from schools/field.
• Improves access to data via dashboards and user-friendly reporting.
• Improves our ability to manage and maintain a safe, clean, and comfortable environment for students, teachers and employees.

The purpose of Salesforce receiving any PII is at the sole discretion of the customer and Salesforce employees will not physically access said data.

Type of PII that the Entity will receive/access: Other: “The PII that is received by Salesforce is contingent on what the customer inputs, which may include student PII.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall:

Return of Customer Data

Within 30 days post contract termination, customers may request return of their respective Customer Data submitted to the Covered Services (to the extent such data has not been deleted by Customer, or if Customer has not already removed the managed package in which the Customer Data was stored). Salesforce shall provide such Customer Data via downloadable files in comma separated value (.csv) format and attachments in their native format. The foregoing return of Customer Data for managed packages may not be available if the packages were removed prior to contract termination, as removing the package may begin the deletion process for associated Customer Data.

Deletion of Customer Data

Except as otherwise stated below, after termination of all subscriptions associated with an environment, Customer Data submitted to the Covered Services is retained in inactive status within the Covered Services for 120 days, a􀅌er which it is securely overwritten or deleted from production within 90 days, and from backups within 180 days. Physical media on which Customer Data is stored during the contract term is not removed from the data centers that Salesforce uses to host Customer Data unless the media is at the end of its useful life or being deprovisioned, in which case the media is first sanitized before removal. This process is subject to applicable legal requirements.

Without limiting the ability for customers to request return of their Customer Data submitted to the Covered Services, Salesforce reserves the right to reduce the number of days it retains such data after contract termination. Salesforce will update this Salesforce Security, Privacy and Architecture documentation in the event of such a change.

• Day 0, subscription terminates
• Day 0 - 30 Data available for return to customer
• Day 30 - 120 Data inactive and no longer available
• Day 121 - 211 Data deleted or overwritten from production
• Day 121 – 301Data deleted or overwritten from backups

For Salesforce Maps and Salesforce Sales Planning, all Customer Data submitted to AWS (with the exception of CSV files uploaded by Customer via the Salesforce Maps Custom Data Source Portal (“Custom Data Sources”)) is retained in AWS for 90 days, after which it is securely overwritten or deleted. Custom Data Sources submitted to AWS are converted into data layer files, and the original CSV files are deleted after 90 days. Any Custom Data Sources returned pursuant to the “Return of Customer Data” section will be in the form of a converted data layer file, not the original CSV file.

For Salesforce Field Service, any Customer Data submitted to AWS as part of the optional FS Optimizer or Enhanced Scheduling & Optimization functionality is retained in AWS for 30 days, after which it is securely overwritten or deleted.

For Insights Platform, all Customer Data submitted to AWS is retained in AWS for 30 days, after which it is securely overwritten or deleted, and all Customer Data submitted to Heroku is retained in Heroku for the duration of the applicable subscription term, then securely overwritten or deleted 30 days after termination of the applicable subscription term.

For Sandboxes, as part of its system maintenance, SFDC may delete any Sandbox that 22 Customer has not logged into for 150 consecutive days. Thirty or more days before any such deletion, SFDC will notify Customer (via email, unless Customer opts out) that the Sandbox will be deleted if Customer does not log into it during that 30-day (or longer) period. Deletion of a Sandbox shall not terminate Customer's Sandbox subscription; if a Sandbox is deleted during Customer's Sandbox subscription term, Customer may create a new Sandbox.

The foregoing deletion of Customer Data for managed packages may not be available if the packages were removed prior to contract termination.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS GovCloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Government Trusted Security and Infrastructure

Salesforce understands that the confidentiality, integrity, and availability of our customers’ information are vital to their business operations and Salesforce's own success. Salesforce uses a multi-layered approach to protect that key information, constantly monitoring and improving our application, systems, and processes to meet the growing demands and challenges of security.

Independent audits confirm that our security goes far beyond what most companies have been able to achieve on their own. Using the latest firewall protection, intrusion detection systems, and TLS encryption, Salesforce gives you the peace of mind only a world-class security infrastructure can provide.

Third-party validation

Security is a multidimensional business imperative that demands consideration at multiple levels, from security for applications to physical facilities and network security. In addition to the latest technologies, world-class security requires ongoing adherence to best-practice policies. To ensure this adherence, we continually seek relevant third-party certification, including ISO 27001, the SysTrust audit (the recognized standard for system security), and SSAE 16 SOC 1 audit (an examination and assessment of internal corporate controls, previously known as SAS 70 Type II). SOC1, SOC2 and SOC3 audits are performed by a third-party auditor annually at a minimum. Additional audits and certifications include: CSA ‘Consensus Assessments Initiative’, JIPDC (Japan Privacy Seal), Tuv (Germany Privacy Mark), and TRUSTe.

Protection at the application level

Salesforce protects customer data by ensuring that only authorized users can access it. Administrators assign data security rules that determine which data users can access.  Sharing models define organization-wide defaults and data access based on a role hierarchy. All data is encrypted in transfer. All access is governed by strict password security policies. All passwords are stored in SHA 256 one-way hash format. Applications are continually monitored for security violation attempts.

Protection at the network level

Multilevel security products from leading security vendors and proven security practices ensure network security. To prevent malicious attacks through unmonitored ports, external firewalls allow only http and https traffic on ports 80 and 443, along with ICMP traffic. Switches ensure that the network complies with the RFC 1918 standard, and address translation technologies further enhance network security. IDS sensors protect all network segments. Internal software systems are protected by two-factor authentication, along with the extensive use of technology that controls points of entry. All networks are certified through third-party vulnerability assessment programs.Trust.salesforce.com is the Salesforce community’s home for real-time information on system performance and security. On this site you'll find:

• Up-to-the minute information on planned maintenance
• Phishing, malicious software, and social engineering threats
• Best security practices for your organization
• Information on how we safeguard your data

These papers further explain the technology that makes the Salesforce Platform fast, scalable, and secure for any type of application:

• https://developer.salesforce.com/page/Multi_Tenant_Architecture
• https://trust.salesforce.com/en/trust-and-compliance-documentation/

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CareerSafe

The exclusive purposes for which Protected Information will be used: Student name and course completion information is used to process course completion wallet card from the U.S. Department of Labor, OSHA.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: As an OSHA-Authorized Provider, CareerSafe is required to provide student data to OSHA. We are contractually obligated to provide student name and course completion information to OSHA for the purpose of providing students with an OSHA completion card. OSHA, as part of the U.S. Department of Labor, complies with Federal data security standards. No student data is shared with any other organization or individual. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Student completion records will be maintained for five years, after which, CareerSafe will destroy and delete all the data in its entirety in the manner that prevents its physical reconstruction. 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: In accordance with their contract, CareerSafe will work with the NYC DOE in processing challenges to the accuracy of student data in CareerSafe’s custody. 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All at rest data is FIPS 140-2 compliant / certified process used to encrypt the student data while at rest on the application database. Student data is stored in/on an application database, located in the Amazon Web Services hosting facilities. The back-up data is presently stored on site in a secured storage unit. No data is store outside of the US. All data is fully encrypted to an AES 256 bit standard at rest and while in transit. All network devices and storage units are restricted to only be access by administrators. 

How the data will be encrypted (described in such a manner as to protect data security): All data is fully encrypted to an AES 256 bit standard at rest and while in transit.

CareerWise

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CareerWise New York is a youth apprenticeship system based in New York City. CareerWise New York offers a three-year applied-learning environment for high school students and an innovative talent-acquisition strategy for businesses. With apprenticeship, students earn debt-free college credit and nationally-recognized industry certifications through their work experience in fields such as IT, financial services, and business operations…all while graduating high school on-time.

We are trying to offer youth apprenticeships in high growth areas such as health care and technology to high school aged students. We hope to use this software to facilitate the hiring of students into apprenticeships.

We use this software as a means of managing our youth apprenticeship programming such as supervisor training, apprentice training, recruitment, and hiring. We also use this software for case management, relationships management, and communications management. It is what allows us to be an effective intermediary between industry and education. Through this system we can post available apprenticeships, recruit students, and communicate to both employers and school staff where students are at in the process. Students can create profiles, search through job descriptions and apply. They can also see how close an apprenticeship is to their home or school. Teachers and counselors can manage a caseload of students who are interested in apprenticeship, provide feedback on their profiles and applications, and have the final say in terms of approving students and ensuring that they are eligible to apply. CareerWise staff can use the system to provide feedback, offer application support and interview preparation to students. We can use this information to track progress on a school by school basis which allows us to assist schools at an individual level.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Salesforce & Google Cloud Products.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII information is only accessible to the staff that need access to the information. Any staff who do not need to see the PII information for their jobs will not be able to access this information through encryption and access restrictions.

CareerWise has implemented data security measures to monitor the data on a regular basis to ensure the data is protected from unauthorized users. For any incident that is reported CareerWise has an incident response coordinator to assemble the data that is affected and communicating to specific parties and incident response handler to analyze evidence so the incident can be resolved. CareerWise will manage incidents with phases defined in NIST SP 800-61 of preparation, detection, containment, investigation, remediation, and recovery.

If someone requests the deletion of PII information, CareerWise will take the proper steps in deleting all personal information from our cloud based Customer Relationship Management software, cloud storage, back ups, and the learning management system.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CareMonkey 

• CareMonkey follows the principle of “Least Privileged Access” whereby user accounts are provided the most restrictive access necessary to perform the required business function.
• Access to data is restricted depending on job roles and all access is tracked.
• As part of our Information Security Program we maintain a systems access register.
• Access to sensitive data is restricted to those few with a need to know and must be approved by management.
• Access accounts have username and passwords with Two Factor Authentication (2FA).

Castle Software

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Very basic student and teacher rostering information is collected by the Castle Learning application for establishing logins to the application and to securely link students to the appropriate teachers/classrooms. The application provides test item content and supplemental content teachers may assign to students for student learning and assessment for academic progress in core subjects.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The data is stored in SOCII compliant data centers within the US. All data in transit is encrypted to industry standards (TLS 1.2), sensitive data is encrypted at the column level in the database, only authorized staff with a need to access the data to provide the service have access and the network environment is scanned weekly using a third party scanning service. Additionally, Castle Learning uses a Web Application Firewall to further protect the system.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Catholic Charities Community Services, Archdiocese of New York

Type of Entity: Community Based Organization

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CCCS’ Learning to Work (LTW) program and Community Schools Services is an intensive student support services program designed to assist students in overcoming obstacles that impede their progress toward earning a high school diploma. CCCS’ LTW team is integrated into the school community to provide students individualized support to earn a high school diploma, prepare for college and lead them toward rewarding employment and educational experiences after graduation. Our program offers academic support, career and educational exploration, work preparation, skills development, and internships to over-age, under-credited students who are at risk of not graduating from high school.

LTW and Community Schools staff receive and access student PII to 1) provide intensive support services to students to improve attendance and reduce absenteeism, 2) assist students with college and scholarship applications, as well as working papers for summer jobs and internships, and 3) document permission to attend field trips and emergency contact information.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. All data will be destroyed after the contractually agreed upon retention period ends.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CCCS’ data security policy requires that all PII is kept confidential and used only for the purposes for which it was collected. CCCS safeguards the privacy of students’ educational records by limiting access to such records strictly to authorized persons with direct involvement with the program. Reasonable physical, electronic, and procedural safeguards are maintained to protect students’ educational records from unauthorized access, loss, misuse, disclosure, or alteration.

All hardcopy records containing student PII (e.g., DOE release forms, etc.) are securely stored in locked cabinets and are shredded in accordance with CCCS’ record retention policies. These cabinets are locked after hours and on weekends. All staff are notified that they are required to preserve client confidentiality. Shredders are used to dispose of papers that contain PII.

Secure passwords are required for access to CCCS computer systems. The passwords of departing staff members are deleted from the system. CCCS’ databases are secured through WatchGuard Firewall (an upgradeable VPN endpoint and firewall security appliance that provides full, centralized management, logging, and historical reporting for securing telecommuter and remote offices); Secure Socket Layer (uses a cryptographic system to transmit private documents via the Internet); and VirusScan. In addition, CCCS has implemented DUO two-factor authentication for staff logging-in remotely through VPN and provided a platform for end-user cyber security training and education. CCCS mandates that all staff participate in an annual Data Security Awareness Training, which is offered by the Archdiocese of New York’s vendor, KnowBe4, an industry leader in user awareness education services.

Electronic documents containing student PII are securely stored by staff in their individual Microsoft 365 OneDrive accounts, which are password protected, require multi-factor authentication, encrypted on Microsoft servers (at rest and in transit), and accessible to the individual account user only.

Data is encrypted at rest and in transit. When data is in transit, all SSL connections are established using 2048-bit keys. Encryption at rest includes two components: BitLocker disk-level encryption and per-file encryption of our data content. Data that is no longer needed or required is marked for deletion and destroyed at the appropriate time.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CCI Learning Solutions Inc (Jasperactive)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/2022 – 3/26/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Jasperactive is a web-based learning product designed for Microsoft Office with tailored exercises for Word, Excel, and PowerPoint, Outlook and Access. Students are delivered a Benchmark, Lessons and Create Exercises. The primary purpose of Jasperactive is to teach the students the required fundamentals to pass the Microsoft Office Certification exams.

Type of PII that the Entity will receive/access: Student PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CCI Learning Solutions Inc. is committed to protecting users’ privacy and PII and developing technology that gives users’ the most powerful and safe online experience. We safeguard PII through a combination of policies, procedures, training, segregation of duties and robust systems, security and technology. We mitigate data privacy and security risks by following and adhering to industry protocols, standards and practices, employing up to date technology, training and segregation of duties and user access controls.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Cengage Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. For school educators, we develop essential, curriculum-aligned content that empowers educators to solve curriculum challenges, keep students engaged in learning, and help schools curate a virtual eBook library. Today, this includes supporting distance and social and emotional learning (SEL) as well as equity and inclusion goals. We support multiple curriculum areas, like Science, Social Studies, and English Language Arts, as well as multiple grade levels, inclusive of K- 12. PII is used on the educator side for creating user accounts and authentication, as well as connecting educators to students so that formative assessments can be assigned, and results tracked.

Student PII is not necessary for all use of Gale platforms, but can be used to provision and authenticate access to services on the platform such as enabling logging in, saving materials to a Google and/or Microsoft account, and accessing and completing formative assessment assigned by educators.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Okta, AWS, Google, Microsoft.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Cengage Cybersecurity Technology Risk employs dedicated teams for IT Governance, Compliance, and IT Risk programs.

• Cengage utilizes the NIST frameworks of IT controls over infrastructure in Cengage.
• We complete and perform risk based assessments and report accordingly to teams and management for addressment as required.
• There is a dedicated Engineering Security team with best-in-class tools and industry recognized practices in place.
• There is a dedicated Application Security team which completes assessments and reviews of SaaS products with a Gap register and remediation program.
• Cengage Security includes Operational Security best practices, inclusive of proactive response plans, IT Automation and workflow, and Operational Risk reviews.
• Administrative safeguards include establishment of formal IT Policy and IT Security Guidelines, provided to all employees. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Center for Educational Innovation (CEI)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CEI supports school leaders and educators collaboratively with community members, families, nonprofit organizations, and students to implement the community school model as an equity strategy. CEI’s team of experts provides technical assistance, capacity building, family engagement, and youth development programs in the arts, STEM education, Esports, academic support, character education, and the early stages cultural experiences under our signature program Project BOOST(Building opportunities and options for students). PII is necessary to track attendance in CEI programs and activities, including mental health support.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data)

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: CEI is not storing data, therefore no data needs to be destroyed.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CEI Community Schools Directors will use locked offices and file cabinets, when possible, to ensure that hard-copy documents containing PII are protected. At no point will the hard-copy documents leave the school site, in an effort to minimize risk of unauthorized disclosure. Access to PII will be limited to the CEI Community School Directors.

Any data used for analysis by CEI Community School Directors (CSD) shall be viewed, processed, and stored on NYCDOE provided devices and cloud storage under the purview of the NYCDOE’s acceptable use policies and requirements. At no time will any CBD transfer, share, submit or provide access to any data that is located on NYCDOE devices or cloud storage.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Center for Family Life in Sunset Park

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Center for Family Life’s comprehensive, school-based integrated services include whole classroom work to support students’ social emotional development; crisis intervention, counseling, case management and access to a full range of additional supports and referrals to community-based services; professional development and training for school staff; and support for school-wide, community-building initiatives engaging students and families. Our current program models for collaboration with DOE teachers and students during the school day include: 9-11 advisory & 12^th grade internship programs at Sunset Park High School; interdisciplinary arts/social emotional learning at MS 136/MS 821; and success mentoring/attendance improvement initiatives. We are receiving or accessing PII so that we may effectively assess and appropriately respond to student needs. Additionally, PII enables us to provide comprehensive supports and services to the students and families in our partner schools, as needed.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft 365 – OneDrive/SharePoint.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Microsoft Defender for Office 365 has been configured to provide secure use of all email communications. OneDrive and SharePoint services provide both at-rest and in-transit data protection.
• Multifactor Authentication is enabled on every account. Multifactor authentication (MFA) is a security technology that requires multiple methods of authentication from independent categories of credentials to verify a user's identity for a login.
• N-Able Remote Monitoring and Management allows us to remotely monitor desktops, laptops, and servers across a variety of operating systems. We can monitor network devices, switches, firewalls, routers, and more using SNMP. This also assists in preventing cyberattacks, perform routine maintenance, and update devices remotely with automated patch management. The managed antivirus features allow us to remotely push out and protect our devices against known viruses and malware. BitDefender Antivirus works against all e-threats, from viruses, worms and Trojans, to ransomware, zero-day exploits, rootkits and spyware.
• CFL assures all physical devices used for transmitting confidential data are always in a secure location.
• Security Breach Response
  • Notify Center for Family Life Response Teams
  • Engage Tech Alliance, outside IT Security Consultant, if needed, depending on severity
  • Secure network, computer and cloud solution systems
  • Determine the nature, content and extent of the breach – (I.e., exactly what was breached)
  • Update all data breach protocols
  • Test to make sure new cybersecurity defenses work
  • Let CFL's employees (& Clients if applicable) know about the data breach
  • Notify the NYC DOE of any breach or unauthorized release of PII in the most expedient way possible and without unreasonable delay but no more than seven calendar days after the discovery of such breach
  • Cooperate with the NYC DOE and law enforcement to protect the integrity of investigations into the breach or unauthorized release of PII
  • Pay for or promptly reimburse the NYC DOE for the full cost of parental notifications, where a breach or unauthorized release is attributed to the TPC
  • As a DOE partner, Center for Family Life will comply with all provisions of the Data Privacy/Security Policy for Schools and Offices as posted on the DOE website, including Compliance with Law and Policy, Restrictions on PII Use, and Data Privacy and Security Practices

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Center for Supportive Schools

The exclusive purposes for which Protected Information will be used: Center for Supportive Schools (CSS) serves as a Lead CBO under the Community School initiative to provide community school services at awarded partner schools. In addition, CSS under a sub-contract agreement with the Board of Education of the City School District of the City of New York also supports the NYS Integration Project – Professional Learning Communities (NYSIP-PLC).

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: In entering data agreements with schools and school districts, CSS agrees and adheres to the below general protocols:

• Receive data through secure sites, as requested by the partner school and/or district.
• Maintain data security throughout use, by restricting data access to vetted individuals and keeping data stored on password protected devices. CSS will communicate with the appropriate parties within 24 hours should a breach occur.
• Maintain additional server security through a partnership with SureTech/IVIONICS, a cloud IT service company that provides data and hardware security through anti-virus protection software, Total Network Defense (TND) and SNAP Monitoring (a malware and instruction monitoring and alert system).
• Destroy any data within an agreed upon/appropriate timeline.
• Share only aggregate reports of non-identifiable data with staff and external audiences.
• Community with data sender post-analysis, if requested, to share analyses.
• Review these protocols annually to ensure proper adherence and adjust where necessary.
• Maintain team awareness of applicable federal and state laws that govern the confidentiality of personally identifiable information.
• Remain subject to any applicable law, most prominently, FERPA and HIPPA regulations.

In addition to the above safeguards in place, CSS also commits to managing its authorized users (including subcontractors) as follows:

• Timely and appropriate training for any and all authorized users to understand CSS data protection policies and NYC DOE contractual requirements. Consideration is being offered to the Board that all authorized users sign a training document that ensures understanding and compliance.
• The Director of Contracts & Compliance will work with the IT/System Administrator to ensure compliance of data protection and security.
• Access to the raw data is restricted internally at CSS to members of CSS’s Evaluation Team, the Regional Executive Director, and the CEO. Only these individuals will have access to the credentials that will allow them to access the data files and they will use the data files only on their password protected computers.
• Data will only be sent through the secure FTP site (Box.com). All transmission of data via the FTP site will be encrypted.

CSS acknowledges the responsibility to ensure compliance with the confidentiality provisions of the Family Educational Rights and Privacy Act of 1974 (FERPA 34 CFP 99) and the Code of Maryland Regulations (13A.08). CSS acknowledges that any unauthorized disclosure of confidential student information is a violation of FERPA and shall not be permitted to occur.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon completion, and/or termination, of this agreement with NYC DOE, CSS shall certify that Protected Information has been surrendered or destroyed in accordance with this Rider via the "Certificate of Records Disposal" form attached to this Rider as Exhibit D. Any and all measures related to the deletion, destruction or disposition of Protected Information will be accomplished within 90 days upon expiration of the agreement. CSS agrees to utilize an appropriate method of confidential destruction, including shredding, burning or certified/witnessed destruction of physical materials or verified erasure of magnetic media using approved methods of electronic file destruction.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, CSS will work with the NYC DOE to process requests for copies of, and challenges to the accuracy of, Protected Information in the custody or control of the Contractor. Such requests will be directed to studentprivacy@schools.nyc.gov.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): No Protected Information will be stored outside the USA. CSS policies ensure that secure data is housed on protected and secured platforms. All computers that host these platforms are protected through passwords and a secure and virus protected network. CSS understands the importance of data security. We do not request data that is not necessary for our work and when we do, it is housed appropriately. PII data is NEVER stored on personal equipment.

How the data will be encrypted (described in such a manner as to protect data security): CSS understands that data encryption helps to keep data safe and compliant and provides extra security against unforeseen mishaps. CSS has hired a full-time IT System Administrator that has begun reviewing data management policies and identifying a high-quality data encryption strategy which identifies data needed to manage encryption keys and block unauthorized access to company data.

When data is stored or when accessed (by authorized staff) it is done securely within the Data Protocol Framework which includes: data management, ethical walls, privileged user monitoring, sensitive data access auditing and secure data trail tracking.

CSS utilizes a complex cipher to make data unreadable to third parties. The encryption strategy incorporates technologies that defend data in all three of its states:

• Data at Rest: this is data located in data storage areas or within various devices, including authorized CSS and school staff.
• Data in Motion: this is data that is being transmitted from one endpoint to another across a network. This includes local LAN and WWW.
• Data in Use: this is when data is being actively accessed by a credentialed user.

CSS understands that developing a solid encryption strategy is a long-term, collaborative process that includes IT, operations, and management stakeholders. CSS continuously identifies high-value data and regulatory requirements and has processes in place to identify and prioritize the most sensitive or valuable data for encryption. A new IT Director is in place to ensure critical data security, implement access controls and properly train all staff on data security policies and procedures. CSS also works with a cybersecurity firm to ensure data lifecycle management.

Central Family Life Center

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. The Central Family Life Center will be conducting services associated with Project Pivot, which will include counseling, mentorship, mediation, and restorative services for students. As such, it is reasonably expected that PII will inform select activities, practices, and approaches implemented through the work of counselors, mentors, and mediators serving on the Project Pivot contract.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYCDOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity-owned and/or internally hosted solution.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CFLC will collect and disclose students’ PII only as necessary and only for educational purposes. The organization commits to ensuring that all administrative files and protected documents are stored and protected by password protection, and any physical files containing information will be stored securely in a locked filing system. The organization further commits that access to any/all files containing PII is restricted and made available to only those staff and/or affiliates who have a need for utilizing such data/information in the course of their implementation of program activities. All staff and affiliates, including subcontractors, if/as applicable, will receive comprehensive training in data privacy and security, including applicable laws, policies, and safeguards associated with industry standards and best practice; the policies, practices, and protocols of the organization; and all policies and regulations established by DOE and the related/relevant contract.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CEV Multimedia

 Type of Entity: Commercial Enterprise

Contract / Agreement Term: September 2023 – September 2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. NYCDOE is using iCEV CTE curriculum to prepare students for taking certification exams in several subjects. Including pre-med electives: medical terminology, anatomy & physiology, and medical assisting. The district will provide basic roster related PII as they need to manage their classroom roster and records in the solution. This includes at the district’s discretion PII such as the teacher and student first name, last name, email address or UPN.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Simpatico Systems US based and certified data centers in Dallas and Los Angeles.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Administrative access to PII is limited to named privileged authenticated users required to support the services that the DOE has contracted.  NIST CSF policies and procedures are followed to provide the service. Sharing of PII is limited to what is required to provide the services and confidentiality agreements are in place to protect DOE data. Team members are provided cybersecurity and data privacy awareness training throughout the year with training. Systems are hosted in US based, certified, and secure hosting environments.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology."

Changing Perceptions Theater

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Participants learn to write and perform original dramatic works such as monologues, short plays and full length-plays for their school community and families. Participants will see professional plays performed in New York City. PII will be utilized to contact parents regarding trips, emergencies, program updates, invitations to events and to keep enrollment or attendance lists, and progress reports.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYCDOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google Cloud and "if there are physical attendance sheets they will be kept in a locked and secure space at the school that is agreed upon by the school administration and CP.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• A child’s PII will be collected and disclosed only as necessary to achieve educational purposes in accordance with state and federal law.
• A centralized staff person is responsible for supervision and monitoring appropriate safeguards, policies, and practices in place to protect the data.
• Staff will participate in mandatory 2-part training about applicable laws, policies, and safeguards associated with industry standards and best practices; consistent with NYC DOE’s data security and privacy policy.
• Encryption, firewalls and password protection will be mandatory for all emails and cloud usage to electronically transmit sensitive PII information.
• CP will not maintain copies of participant’s PII once PII is no longer needed for the educational purpose/ for which the DOE has disclosed PII to CP.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Charmtech Labs (also called Capti)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/1/2023 – 7/31/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Our product, Capti Accommodate, is used by teachers to support reading for students with learning and print disabilities. The PII includes the email and First and Last Name of the student, which are used to facilitate user management and log in to access Capti Accommodate services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is protected by enforcing a need-only role-based access control, encrypted in transit and at rest, and protected by firewalls, MFA, and passwords. PII is never shared with unauthorized users and protected in public reporting. PII is destroyed no later than 60 days from contract termination or when it is no longer needed for the purpose for which it was disclosed. Our policies include a comprehensive incident response plan, mitigating risks both in case of security incidents and natural disasters.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

The Child Center of NY (Community School Services and Learning to Work)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The services being contracted are to provide Community School services  at the designated site.  At minimum, services include:

• Facilitate the OCS Assets and Needs Assessment using the Assets and Needs Assessment Tool for Collaborative Planning in NYC Community Schools.
• Establish a Community School collaborative leadership structure that includes the voice and leadership of multiple stakeholders, including students and families.
• Host three Collaborative Planning Meetings per school year. These meetings are facilitated by the CSD or other CBO staff determined by the CBO supervisor. Attendees include School Staff (Principal, Teachers, Admin Staff) and CBO Staff (CSD, Supervisor, CBO Fiscal Point), and whenever possible at least one student representative (for middle and high schools), and one family member of the SLT.
• Facilitate weekly attendance team meetings.
• Implement a Success Mentor Program.
• Implement a family engagement strategy that adheres to the principles of the Dual Capacity Building Framework for Family-School Partnerships.
• Host an annual Community School Forum.
• Ensure that afterschool and summer programming are available, aligned with school goals, and incorporate anti-racism into program design, behavioral systems, and curricula.
• Implement and/or coordinate comprehensive social emotional learning programs aimed at strengthening a supportive environment. Coordinate the day-to-day functioning of mental health services in the school using the three-tiered public health framework. If the school hosts an Article 31 clinic, the Lead CBO is required to dedicate funding to maintain the Article 31 clinic.
• Work with the school to ensure school-wide vision screenings.
• Facilitate the completion of the Community School Section of the CEP.
• Ensure that all staff members have a commitment to anti-racism and have the tools necessary to develop and provide anti-racist programs and services within the school community.
• CBO supervisor meets with principal and CSD at least quarterly to share feedback and align on goals and expectations for the CSD role and the partnership.
• CBO supervisor coaches CSD to use data during collaborative planning meetings and weekly attendance team meetings.
• CBO supervisor provides or coordinates training opportunities for CSD that support the development of the CSD Leadership Competencies and the CSD’s successful implementation of the core features of a Community School. 
• Community Schools emphasize family engagement, characterized by strong partnerships and additional supports for students and families designed to counter environmental factors that impede student achievement.  We collect PII from DOE, such as basic demographics, including student name, DOB, gender, address, contact information, parent/guardian information.  We also collect from DOE academic data, such as grades and attendance.
  

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft 365.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is securely stored in Microsoft.  These systems protect all information entered and has safeguards in place to minimize security risks such as monthly password changes, individualized dual-factor authentication by user, and user security access levels.  Any paper files are kept in locked cabinets and locked offices.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

The Child Center of NY (School Based Mental Health Program)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2023 – 6/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Child Center of NY’s School Based Mental Health Program will receive Personally Identifiable Information (PII) from school administration and staff on students that are referred for targeted and selective services (including, but not limited to, assessment, individual treatment, crisis intervention, individual or group supportive counseling and classroom observation). The PII includes the student’s name, date of birth, and demographic information including parent/guardian name(s), contact information, address(es), and telephone number(s) in addition, school records such as report cards and Individualized Education Plans, when needed.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. PII, including PHI, for targeted services, are securely stored in an Electronic Medical Record system, Welligent. The EMR meets applicable federal, state, and local standards and also in compliance with the NYS Office of Mental Health for the licensed Mental Health satellite clinic located in the school building. Retention and destruction of records will comply with applicable regulatory timeframes and guidelines.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Welligent and Microsoft 365.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII, including PHI, is securely stored in Microsoft 365 application for Universal and Selected Services; and in our Electronic Medical Record system, Welligent, for targeted services. Both systems protect all information entered, and has safeguards in place to minimize security risks such as monthly password changes, individualized dual-factor authentication by user and user security access levels. The EMR meets applicable federal, state, and local standards and also in compliance with the NYS Office of Mental Health for the licensed Mental Health satellite clinic located in the school building.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Child Mind Institute

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2023 – 6/30/2024.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Child Mind Institute’s School and Community Programs will continue to deliver evidence-based prevention, intervention, and capacity-building mental health services to more than 1,000 students, parents, educators, and school mental health professionals at NYC DOE schools. Services will include (1) evidence-based trauma treatment groups, mood disorders treatment groups, behavioral challenges treatment groups, and reading remediation groups, in addition to preventative Mental Health Skill-Building workshops and support for over 700 students; (2) Capacity-building trainings for 100 educators and mental health providers to build school capacity to deliver evidence-based services independently; (3) Psychoeducational workshops for 200 parents and educators.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Microsoft.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Child Mind Institute is dedicated to keeping its solutions and customers secure. We strive to follow industry best practices and standards throughout all phases of our software development lifecycle (SDLC). We adhere to all federal, state, and local regulatory requirements related to information privacy and security. Child Mind Institute classifies all its systems and information into four primary security classifications and systems are assigned a sensitivity level based on the type of information that is stored within those information systems. Privacy and security controls are implemented for each system based on that systems classification. All baseline standards align with industry best practices and standards such as NIST 800-53 and ISO 27001.

Child Mind Institute, including any subcontractors or vendors that store, transmit, process or are otherwise responsible for the protection of sensitive information contained in its information systems, must adhere to all Child Mind Institute’s organizational policies, procedures and processes and contractual obligations. CMI employs the least privilege principle and enforces user access through multi-factor authentication. Encryption processes for data at rest and in transit follow guidance set forth in the National Institute of Standards and Technology (NIST) document Security Requirements for Cryptographic Modules (FIPS 140-2).

CMI has implemented a comprehensive risk management program to identify and remediate security vulnerabilities and threats to its information systems and information technology infrastructure. Systems are reviewed for risk and vulnerabilities on an annual and ongoing basis. Endpoint devices are protected by an enterprise-wide antivirus and enhanced detection and response system. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Children’s Aid Society

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. In accordance with FERPA, Children’s Aid agrees that to the extent that the services provided relate to the processing of protected information, the services are for Children’s Aid to perform an institutional service or function for which the BOE would otherwise use its employees.

The services being provided are the continuation of Community School services previously funded through 21st Century Community Learning Center grants that expired on June 30, 2022. Community Schools emphasize family engagement, characterized by strong partnerships and additional support for students and families designed to counter environmental factors that impede student achievement. While some of the specific attributes of a community school program vary based on the needs of its respective community, all Community Schools share three foundational pillars:

• A rigorous academic program with strong supports to prepare all students for college, careers, and citizenship, and that supplements quality curriculum with expanded learning opportunities that keep students engaged, coupled with high levels of accountability for results;
• A full range of school-based and school-linked programs and services that, based on a needs assessment of the community, address the comprehensive needs of students and their families and that work with families as essential partners in student success; and
• Partnerships that demonstrate collaboration with the local community, including by engaging families and other community stakeholders and drawing on a broad set of resources, incorporating local and State government agencies, non-profit service providers, institutions of higher education, and the philanthropic and business communities in order to extend the impact and depth of services and programs.

It is important to emphasize that Community Schools do not seek to duplicate effective services that already exist in their communities; rather, through partnerships, these schools leverage existing high quality programs and assets by linking them to the school and providing robust services to students and their families.

Children’s Aid uses protected information to provide the following required Expanded Learning and Enrichment Activities:

• in coordination with the Principal, SLT and CST, determine the focus, content and manner of expanded learning and enrichment programming to be provided at the school(s), considering the needs and expressed interests of students at the school(s) in alignment with the grant(s). Children’s Aid shall work with existing after school and expanded learning providers at the school(s) to align their work with the school’s instructional focus in order to provide more opportunities for personalized learning for as many students as possible. Children’s Aid shall also consider student and parent input via the community school planning process and use such input to inform the selection of specific activities to be offered, and such input must be reflected in the CS plan.
• ensure that expanded learning and enrichment programming delivered at the school is tailored to the needs of the school(s) and its student population, and is in alignment with the goals and objectives of the grant(s).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Children’s Aid employs administrative, operational, and technical safeguards including policies regarding the protection of confidential information, policies regarding the acceptable use of technology resources, training, and data system monitoring.

Confidential data is protected and only used in accordance with state and federal laws, rules and regulations, and Children’s Aid policies to prevent unauthorized use and/or disclosure. Staff must obtain written consent prior to the disclosure of personally identifiable information, except in those instances specifically allowed for by law. These include disclosure pursuant to a valid court order, or lawfully issued subpoena, a request for disclosure by authorized representatives of the officials or agencies headed by State or local educational authorities, a health or safety emergency where disclosure of PII is necessary to protect the public health of the student or others, and reason permitted by law.

Education records may be released without consent after the removal of all personally identifiable information provided that a reasonable determination that a student’s identity is not personally identifiable (whether through single or multiple releases, and considering other reasonably available information) has been made.

Reasonable methods must be used to identify and authenticate the identity of parents, students, school officials, and any other parties to whom PII in education records is disclosed.

Violation of the Children’s Aid policies by staff is grounds for dismissal. Staff agree to abide by the rules covering the maintenance and use of mobile equipment assigned to them. All devices and accounts are subject to inspection without user permission. Handling of protected information must be exclusively for the conduct of job-related duties and may not include dissemination of confidential information for unauthorized purposes nor any commercial uses. Use of technology and devices must incorporate use of strong passwords, dual authentication when required, protection of unique passwords, physical security of devices, and safe practices that protect systems from viruses and spyware. Use of technology and devices must not include any effort to circumvent data protection configurations, decrypt intentionally secure data, or copy data to non-secure devices for any purpose.

Children’s Aid utilizes subcontracted systems that demonstrate Systems and Organizations Controls (SOC) through SOC 2 audit reports based on the Auditing Standards Board of the American Institute of Certified Public Accountants' Trust Services Criteria (TSC). The purpose of the SOC 2 is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, and privacy. These reports are intended to provide detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. Security principles within the fundamental designs of the systems permit users to access information they need based on role while restricting them from accessing information not needed for the role. Encryption technologies protect data at rest and in transit. Subcontractor information security and availability policies define how systems and data are protected. These include policies around how the service is designed and developed, how the systems is operated, how the internal business systems and networks are managed, and how employees are hired and trained.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Chinese American Parents Association Inc

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Chinese American Parents Association will be providing after school academic support as well as providing extracurricular activities. The Chinese American Parents Association will be providing after school academic support and non-extracurricular activities. CAPA also provides family workshops, State Testing Prep, Middle School Registration, ETC. PII is required for student registration for programs as well as to monitor attendance, track academic progress, and communicate with families.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Drive.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• All electronic data is stored in Google drive, and is password protected with access limited.
• All physical data is kept in a locked cabinet.
• Staff receive data privacy training and must abide by policies including clean desk, no personal devices, and remote work requirements.
• All staff must request authorization from the Director prior to being given access to information with PII.
• All computers and laptops have firewall and anti-virus protection.
• All employee accounts are password protected.
• Data is encrypted in motion and at rest.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Chinese American Planning Council (Community Schools)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The services we provide are in alignment with the needs assessment based on the school population. Our food panty aims to reduce food scarcity for families in need with our high need families being able to utilize our food panty every 2 to 3 weeks and our low need families a couple of times per year. Our afterschool program aims to reduce the number of students in of afterschool services. We work with the other CBOs in the building along with the school leadership team to identify and prioritize students and families that are in need of after-school services. We meet with the school leadership team formally on a quarterly basis as well as keeping an open line of communication in terms of highlighting new needs that the school community may need, for example offering workshops on topics such as identify theft. We determine the effectiveness of such services by eliciting feedback from the school leadership team as well as the school community itself. The PII which we have access to are necessary for student identification, family communication, and record keeping purposes for the services we are providing.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft 365 Enterprise.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CPC uses Microsoft Office 365 Enterprise. Microsoft 365 Enterprise’s data at rest is located in the United States. It also has inherent high-quality security protections. For example, in the event a staff member sends an email or shares a file through email containing personal information, Office 365 uses DLP policies to protect the information. For emails it will encrypt the message so that only the receiver can read it. A link and a pin will be sent to them to open the email. File sharing also uses the same verification method.

CPC inherits the same Data Encryption provided by Microsoft on their Office 365 Enterprise platform. All sensitive information is given an extra layer of encryption, as part of CPC multifactor authentication (MFA). The user login is paired with a password and an SMS code to verify the login. CPC and our technology vendors maintain encryption, firewalls, and password protection protocols. CPC staff also participate in an annual cyber security training to ensure staff are aware of digital threats to privacy such as malware and phishing.

Physical copies of community member information such as intake forms will be filed into participant folders and kept under lock and key in a file cabinet with only designated staff access (Program Director, Program Aide, and if appropriate Division Lead and Chief Program Officer). Staff are trained during onboarding not to leave files out in the open and to return files to the cabinet as soon as possible.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Chinese American Planning Council (Project Pivot)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 11/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. The services and activities are aligned with violence prevention by providing the following: specialized and intensive academic coaching supports for students who need to be reengaged in the schooling and learning process; targeted and tiered supports to improve student attendance in school; engaging and connecting families to resources; classroom focused behavioral services and strategies to ensure students are able to get the most out of each lesson, remain on task, and meet the learning objectives for the day; and offering in‐school and after school tutoring. CPC will be evaluating the program through participant’s daily attendance, report cards and feedback through surveys and weekly evaluations. The PII shared with CPC will be student names, student ID, addresses, phone.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity‐owned and/or internally hosted‐solution.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All PII will be maintained and tracked at the school level and store in a secured filing cabinet. Attendance and Email correspondence with students are kept on Office ‐ OneDrive & Outlook. Our Office Suite includes Two‐factor authentication (2FA), which is an identity and access management security method that requires two forms of identification to access resources and data. This safeguards our most vulnerable student data information

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Chinese American Planning Council (Project Reach)

Please include a brief description of the product(s) or service(s) being provided, and the exclusive purposes for which Protected Information will be used, collected or otherwise processed: The Chinese-American Planning Council, Inc. (CPC) Project Reach program will provide Department of Education (DOE) funded MTAC R1155 for Components of 1) Social Emotional Learning, 2) Respect for Diversity and 3) School Culture and Climate/Approach to Establishing and Sustaining a Positive School Culture as part of the services to promote safe and supportive school communities. DOE Principals, through this contract, request CPC Project Reach staff to provide workshops and trainings to support and enhance safe school cultures for youth, families and staff of DOE schools.

While it is not the policy of CPC to retain protected information, identifiable information may be kept in certain records required to work with the DOE, such as sign-in sheets showing attending students' names which are generally collected to verify that workshops were provided.

CPC Project Reach, to evaluate its own services, shares an anonymous survey at the end of a workshop for students, family members and/or school staff. No identifiable protected information will be requested and any results reported in the aggregate.

Occasionally, CPC staff, usually by request of city or state agencies, may ask for student or staff home zip codes to better understand where in NYC Project Reach has had a possible impact. This information is collected but only shared in the aggregate.

How you will ensure that the subcontractors or other authorized persons or entities that you will share Protected Information with will abide by data protection and security requirements required by your agreement with the NYC DOE: Any CPC subcontractors, authorized persons or entities will adhere to the protocols and protections set forth in Education Law § 2-d.

CPC uses several services such as internet providers like online Microsoft 365 Enterprise services and some technical vendors who support our program administrations/operations. Any technical vendors CPC retains will honor those protections for students and participant information to meet the standards of the Education Law § 2-d.

CPC has insurance in place and follows a yearly review of IT and technical processes agency wide to ensure best practices are continuously reviewed, monitored, and improved annually.

When your agreement with the NYC DOE starts and ends, and (ii) what happens to Protected Information upon expiration of the agreement: Upon expiration of the DOE-funded MTAC R1155 program, or upon request by the DOE, CPC can provide the appropriate certification that destruction of data related to any protected information is completed. In general, CPC's current practices involve maintaining data for the prescribed period of time per the requirements of the funder, City, New York State or federal guidelines. After this, CPC destroys all paper documents on-site or through a third-party vendor specializing in this process/activity. Digital records are deleted and servers scrubbed.

If and how a parent, student, eligible student, teacher or principal may obtain copies of, and challenge the accuracy of, the Protected Information in the custody or control of the Contractor: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE to process requests for copies of, and challenges to the accuracy of, Protected Information in the custody or control of the Contractor. Such requests should be directed to studentprivacy@schools.nyc.gov.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and (ii) the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): CPC uses Microsoft Office 365 Enterprise. Microsoft 365 Enterprise's data at rest is located in the United States. It also has inherent high-quality security protections. For example, in the event a staff member sends an email or shares a file through email containing personal information, Office 365 uses DLP policies to protect the information. For emails it will encrypt the message so that only the receiver can read it. A link and a pin will be sent to them to open the email. File sharing also uses the same verification method.

How the data will be encrypted (described in such a manner as to protect data security): CPC inherits the same Data Encryption provided by Microsoft on their Office 365 Enterprise platform. All sensitive information is given an extra layer of encryption, as part of CPC multifactor authentication (MFA). The user login is paired with a password and a SMS code to verify the login. CPC and our technology vendors maintain encryption, firewalls, and password protection protocols.

Circle Blocks EDU (also called PlaBook)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PlaBook is an innovative reading technology platform designed to assist children in developing their reading skills. Leveraging artificial intelligence, natural language processing, gamification, and speech recognition, PlaBook offers a range of services to make the learning process engaging and effective. Our platform provides interactive reading exercises, personalized assessments, and adaptive learning experiences tailored to each child’s needs. Through a combination of AI-driven feedback, gamified elements, and speech recognition features, PlaBook helps children improve their reading fluency, comprehension, and vocabulary, fostering a love for reading while enhancing their overall literacy skills.

While PlaBook may collect Personally Identifiable Information (PII) from users, it is solely for the purpose of delivering personalized and tailored learning experiences. PII helps us create individual profiles, track progress, and provide targeted recommendations to optimize the learning journey for each user. However, PlaBook ensures that all collected PII is securely stored, encrypted, and handled in compliance with privacy regulations. User consent and data transparency are fundamental principles that guide our approach to maintaining the privacy and security of PII within the PlaBook program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS S3 storage, AWS RDS Database, AWS Redis caching, Cloudflare firewall and SSL protocol.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. No one has access to AWS server other than the applications. Caching server and DB is only allowed from approved IPs. Database and caching server password rotation every 6-9 months. We are using Cloudflare firewall protection for DDOS attack and other known attacks. Application is using token authentication for api protection.

• Data Encryption: All personal data will be stored and transmitted using strong encryption methods to prevent unauthorized access or interception. All data is encrypted at rest and in transit.
• Access Control: Implement strict access controls based on the principle of least privilege, ensuring that only authorized personnel can access and manage sensitive data.
• Data Encryption at Rest: Use encryption mechanisms to encrypt PII stored in databases, file systems, and backup archives. Employ native encryption features provided by the database or storage systems.
• Data Encryption in Transit: Utilize secure communication protocols like SSL/TLS for encrypting data in transit between systems and during data transfers.
• Access Control and Authentication: Implement strong authentication mechanisms, such as multi-factor authentication (MFA), to ensure that only authorized users can access PII.
• Security Audits: Regular security audits and vulnerability assessments will be conducted to identify and address potential weaknesses in our systems.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Circles Learning Labs

The exclusive purposes for which Protected Information will be used: Our goal is to provide an easy, fast and reliable meeting platform. For this reason, we ask for and store minimal information; first name, last name and email. Your information is stored in a safe and protected environment (encrypted at rest and in motion). 

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: We do not share data with external parties. Employees of Circles are required to sign a non-disclosure agreement when starting their work agreement with Circles. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: All meeting data is stored for 2 hours after the end of the conference, after which it is deleted. During this time, any user can choose to download the chat from the meeting room should they wish to save the data. Additionally, a user can make notes during a meeting and share these with others later. Participant attendance to a meeting is recorded, as is the duration (much like you’d expect from a phone call record.)

City Year New York

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/01/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Data will be used to monitor progress and complete compliance reports regarding attendance rates, academic outcomes in math and ELA courses, and behavior.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Under federal law, due to our AmeriCorps grant, City Year is required to retain student data for 7 years. At the end of the retention period the data will be deleted.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. City Year has a comprehensive security program documented in our Written Information Security Program (WISP). We require all staff and ACMs to read and attest to following our data security and breach policies. Furthermore, we provide annual cybersecurity training and student data protection training. Access to any data requires a password and multi-factor authentication. We have a security incident process. We have selected high-quality IT cloud vendors to manage our systems with PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Claire Weisz Architects LLP (also called WXY)

Type of Entity: Commercial Enterprise

Contract Start Date: 9/1/2021 

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. WXY will lead in development of a comprehensive review of the status of each recommendations presented in the D15 Diversity Plan. WXY will primarily use interviews and stakeholder meetings, combined with data analysis to report on how relevant stakeholders in the D15 community have approached implementation in the three years since the plan’s release.

In the Spring of, 2021, WXY conducted an initial review of the status of the Plan’s implementation and synthesized the findings into a presentation Superintendent Anita Skop delivered to the CEC on April 29, 2021. WXY will expand on that initial presentation and will conduct interviews and analysis with the D15 leadership, the DOE offices responsible for implementing recommendations, and with the wider D15 community to compile a more thorough progress update. Additionally, WXY will conduct a wide range of data analysis in support of District 3 and District 13’s New York State Integration Project grants including the analysis of student level data.

WXY will support D14’s District Equity Initiative. WXY will take responsibility for organizing and performing all work in a timely manner and ensure the various elements effectively build on one another. WXY will introduce the process to up to six identified stakeholders, collect reflections and input, and share out with D14 leadership. WXY will work closely with D14 leadership to establish a D14 Equity Working Group, comprised of stakeholders from across District 14, as deemed appropriate by the DOE. WXY will conduct data research on Equity Audit best practices and precedents. WXY will conduct data analysis in support of a district wide equity audit.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Established data management workflows will be employed when transferring, storing, and using the data. Clear roles within the Processor organization will be established at the outset of the project, distinguishing responsibilities for obtaining, analyzing, and deriving insights from the datasets. Furthermore, raw data will be formatted, analyzed, and presented using industry-standard conventions and best practices. Each of these responsibilities will be allocated based on the Processor’s policies governing confidentiality and prior experience interacting with sensitive information. Any identifiable information linked to the datasets that is unnecessary to perform the stated scope of work will be erased. Any derived products will be de-identified and presented at a resolution that is consistent with the Processor’s standards as well as the BOE’s requirements for internal use and for external publication. Clear communication channels between analysts, communications managers, project managers, and the public will be clearly identified to interface between the Processor and BOE. These functions address the Control-P and Communicate-P functions of the NSIST Privacy Framework.

Access to the raw data will be limited to personnel identified to the BOE. Each personnel will receive an overview of this document, the sensitivity of the Protected Information, and the repercussions of violating local, state, and federal privacy laws before finally being introduced to the dataset. The Processor intends to limit the number of personnel interacting directly with the data to the bare minimum.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Class Act Photographers

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Class Act Photographers is a school photography company providing graduation, outdoor, and senior portraits as well as yearbooks, panoramas, mosaics, composites, and ID cards. PII is to distribute school photos for IDs and yearbooks.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Class Act Photographers acknowledges that student information, including name, address, identification number, and any other personally identifiable information, is confidential under federal and state law. We agree to maintain student information provided to us in a secure chain of custody and limit access to the information to only authorized persons within our organization having a need for the information. Student data will be transferred to Class Act Photographers via our secure Class Act Photographers portal which uses the latest SSL encryption and offers the security of a complete chain of data custody from point of submission, to receipt, to import. We acknowledge that the student information has been provided to us solely for student yearbook portraits, portrait package purchasing, student photo identification cards and for the purpose of communicating picture day details. We further agree not to disclose any student information to a third party without the prior written/digital consent of the parent of the student or, if 18 years of age or older, the student. We agree not to retain student identification numbers assigned by the District after completing our services relative to student identification cards. All data will be wiped from our database at the expiration of the portrait services agreement.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Class Companion

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 10/3/2023 – 10/3/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Class Companion is an educational software that enables teachers to give instant, high-quality feedback on written assignments that the teacher can customize and control. The result of this feedback is that students receive unlimited, low-stakes practice without overburdening the teacher. Districts use Class Companion in order to: reduce student fear of failure, increase student engagement, accelerate the pace of learning, increase the energy teachers can spend on instruction and discussion, and reduce teacher burnout. Class Companion will be provided for any teacher who would like to incorporate it into their classroom workflow.

Class Companion is a two-sided web application. Teachers create accounts first. Teachers may then invite students to create accounts. Teachers have full visibility and control over how students use the platform. Teachers add assignments, students complete assignments on the platform, and students receive instant AI-generated feedback based on the teacher’s rubric and assignment design. Teachers can override any AI feedback, and students can dispute the feedback to initiate dialogue with teachers.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Render.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Render hosting provider encrypts all sensitive data, both at rest and in transit. The underlying services automatically use industry standard AES-256 encryption for storage. All endpoints support TLS 1.2 and above for encryption in transit with an A+ grade from SSL Labs. Vanta automated security and compliance platform is used to ensure continuous security compliance for all employee devices.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Class Solver

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Class Solver is SAAS that helps schools create their best class lists in a fraction of the time. It takes into account gender, requests to pair and separate students and factors that are chosen by the school.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Administrative: All staff undergo annual cyber/privacy training, yearly code of practice, conflict of interest and non disclosure agreements/attestations. All staff are police background checked upon on boarding. All staff with system access are managed by Role based Access control to sensitive data. All PII data in databases and back end systems are database masked and encrypted.

Technical: all data in transit and rest are encrypted with AES256, MFA enabled for all staff accounts and available for schools/teachers. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Class Technologies

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. For the provisioning of the Class virtual classroom SaaS offering to the NYC DOE.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable  Teacher or Principal Annual Professional Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Critical, confidential, and sensitive client information and information processing systems must be physically protected from unauthorized access, damage and service disruption. Such protection will be in accordance with the physical security policy and the information classification policy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

ClassDojo

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ClassDojo is a school communication platform that helps bring teachers, school leaders, families, and students together. Among other things, ClassDojo provides the following services through its platform:

• Communication tools to help teachers, students and parents connect with each other
• A way for teachers to give feedback and assignments to students, and other classroom management tools
  • A way for teachers to share photos, videos, files, and more from the classroom for parents and students to see
  • A way for parents and students to post comments and “likes” on Class Stories and School Stories
• Student portfolios, where students can share their work with teachers and parents
• Activities and other content that teachers or parents can share with students. 
• A way for school leaders to see how connected their school community is, and also to communicate with parents and other teachers and school leaders
• “Dojo Island”- a virtual playground for kids and their classmates where they’ll explore a variety of activities focused on creativity and collaboration to explore, build, and live in a world with their classmates.

It’s important to note that this document does not apply to any services or products that you may use for non-school related services (i.e., ClassDojo services you use at home and not related to school).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

“It’s important to note that this does not apply to any services or products that you may use for non-school related services (i.e., ClassDojo services you use at home and not related to school).”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud, AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Consistent with industry standards, ClassDojo shall employ the following administrative, physical, and technical safeguards:

Infrastructure Security

• Encryption at Rest and In Transit
• Access to the ClassDojo Service occurs via encrypted connections.
• (HTTP over TLS, also known as HTTPS) which encrypt all data before it leaves the ClassDojo Service's servers and protects that data as it transits over the internet. All of our Services are in Amazon Web Services (AWS) and served from either Cloudfront or Elastic Load Balancer (ELB). We use HTTP Strict Transport Security to ensure that pages are loaded over HTTPS connections and our TLS configuration receives an A+ from Qualys SSL Labs.
• Student Data is stored at our Service Provider, AWS, and the following applies to their technical and organizational measures. In addition, we secure decentralized data processing equipment and personal computers. All personally identifiable information is encrypted at rest using modern encryption algorithms. In AWS S3, we use AES-256 with AWS managed keys, in Aurora (MySql) we use AES-256 with customer managed keys and in Redshift we use AES-256 with AWS managed keys. Additionally, we use MongoDB with AES-256 with keys managed by AWS.

Network Security

• The ClassDojo Services use AWS, to host the infrastructure. AWS undergoes strict ongoing security assessments from external audit firms to ensure compliance with security standards including ISO 27001, SOC 2, PCI DSS Level 1, and FISMA. See https://aws.amazon.com/compliance/programs/ for more details.
• Network access to the ClassDojo Services infrastructure is highly restricted. AWS hosted infrastructure resides in a dedicated Virtual Private Cloud (VPC) which is designed to ensure that only authorized traffic over approved ports is allowed. We use ThreatStack to monitor for suspicious activity.

Patching

• We use automated processes to regularly install security updates on the infrastructure that powers the ClassDojo Services, these processes include:
  • AWS Managed Services (e.g., Relational Database Service):** AWS proactively notifies our engineering team when updates are available and we apply them in a timely fashion.
  • AWS EC2:** All EC2 instances are monitored by ThreatStack and AWS inspector and updates are applied in a timely fashion
  • Classdojo Application:** Monitored by Snyk.io and Github for vulnerabilities and they are updated in a timely fashion.

Backups and Availability Control

• We have a data backup and recovery capability that is designed to provide a timely restoration of the ClassDojo Services, with minimal data loss, in the case of catastrophic failure. These backups are encrypted and stored in multiple availability zones. Additional technical and organizational measures to ensure that Student Data are protected against accidental destruction or loss (physical/logical) include:
  • Uninterruptible power supply (UPS);
  • Remote storage; and
  • Firewall systems.
• Note: Student Data is stored at our Service Provider - currently AWS - and the above applies to their technical and organizational measures as well as any other relevant such as MongoDB. In addition, we have a disaster recovery plan in place.

Physical Security

• Physical Access Controls
• Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Student Data are Processed*, include:
  • Establishing security areas, restriction of access paths;
  • Establishing access authorizations for employees and third parties;
  • Access control system (ID reader, magnetic card, chip card);
  • Key management, card-keys procedures;
  • Door locking (electric door openers etc.);and
  • Surveillance facilities, video/CCTV monitor, alarm system.
• Note: The ClassDojo Services are currently hosted in AWS and Student Data is stored at our Service Provider - currently AWS – which employs industry- leading physical security measures to protect their data centers and the above applies to their technical and organizational measures. These security features are regularly audited by third -party auditors.

Virtual Access Control

• Technical and organizational measures to prevent data processing systems used for Student Data from being used by unauthorized persons include:
  • User identification and authentication procedures;
  • ID/password security procedures (special characters, minimum length, change of password); and
  • Encryption of archived data media.
  • Data Access Control
• Access to the ClassDojo Services infrastructure is highly restricted. We limit access to individuals who need access to do their jobs such as engineers, data scientists, product managers, and support personnel. All access to our infrastructure is logged. All access to our infrastructure requires the use of strong passwords and multi-factor authentication.
• Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Student Data in accordance with their access rights, and that Student Data cannot be read, copied, modified or deleted without authorization, include:
  • Internal policies and procedures;
  • Control authorization schemes;
  • Differentiated access rights (profiles, roles, transactions and objects);
  • Monitoring and logging of accesses;
  • Disciplinary action against employees who access personally identifiable information without authorization;
  • Reports of access;
  • Access procedure;
  • Change procedure;
  • Deletion procedure;

Disclosure Control

• Technical and organizational measures to ensure that Student Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Student Data are disclosed, include:
  • Encryption/tunneling;
  • Logging; and
  • Transport security.

    Entry Control

• Technical and organizational measures to monitor whether Student Data have been entered changed or removed (deleted), and by whom, from data processing systems, include:
  • Logging and reporting systems; and
  • Audit trails and documentation.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Clever Prototypes (also called Storyboard That)

 Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Storyboard That Education Edition for Teachers and Students. Storyboard That is a web-based product for teachers and students. With our Award-Winning Storyboard Creator, teachers and students can create storyboards, graphic organizers, comics, and powerful visuals to enhance their learning in all grades and subjects. We have over 5,000 resources for teachers to easily integrate Storyboard That meaningfully into their curriculum. PII Collected: IP Addresses of users, use of cookies, students school of enrollment, student grade level, student scheduled courses, teacher names, student app username, student app passwords, student name first and/or last, student generated content such as writing and pictures.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Privacy-centered design means that students can use Storyboard That with as little PII as possible. Student accounts and all relevant personal data may also be deleted at any time.
• To keep your personal data secure, all data is encrypted in transit and at rest.
• Data is stored in access-controlled data centers with 24/7 monitoring by Microsoft Azure, an industry-leading provider.
• Employee access to personally identifiable information is provided on an as-needed basis, to provide customer support for example.
• Employees with access to personal data are required to undergo background checks, sign a nondisclosure agreement.
• Storyboard That has signed the Student Privacy Pledge.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Clickview

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ClickView is an educational video platform specializing in K-12 video resources. ClickView lets teachers find and share video that engages students in a format they understand. The ClickView platform also lets teachers transform videos into interactive quizzes with formative assessment tools to show evidence of learning and engagement. ClickView receives PII to enable it to provide the platform to students, teachers and school or district administrators.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Administrative safeguards include the documentation of policies and processes, the allocation of roles and responsibilities, training, risk management, human resources security, asset management, access management, system hardening measures and data logging. Physical safeguards include physical security systems, entry controls, equipment maintenance, equipment security, controls against physical damage and environmental controls. Technical safeguards include encryption, firewalls, antivirus, intrusion detection system and intrusion prevention system, authentication, data retention and database separation.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Code.org

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Code.org® is a 501(c)(3) nonprofit that provides an online curriculum for teaching computer science and an online learning platform to support that curriculum. Access to its CS education platform and curriculum for free. For more information please visit https://code.org. The PII processed by Code.org is necessary in order to provide the service and retain student progress (e.g., teachers may enter a student name in the teacher’s section so the teacher can identify the student’s progress vs. that of other students).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

“The Services are intended for use both within schools (i.e., as part of classroom sections established by teachers in the K-12 setting) and outside of school (i.e., for use at home and not for K-12 school purposes). Upon the NYC DOE’s request, following a process outlined between the DOE and Code.org, Code.org will ensure the deletion of all Code.org student accounts enrolled in a DOE’s teacher’s section In the absence of a deletion request by the teacher, the DOE, or student (as the case may be), the Code.org Personal Data Retention and Deletion Policy provides for automatic deletion or de-identification of Code.org student accounts after five (5) years of inactivity.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Platform hosting: Amazon Web Services (AWS); Other service providers used for internal operations: AnswerDash; Atlassian; Dropbox; Google (G-Suite); Honeybadger; Slack; Tableau; Trevor; Twillio; and Zendesk.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Code.org employs a mix of physical, administrative, operational, and technical safeguards designed to reasonably protect the confidentiality, availability, integrity, and security of Student PII and Protected Information. These safeguards include, for example:

• Data Minimization. Code.org follows strict data minimization standards in order to collect and process as little Personally Identifiable Information as necessary to provide the underlying services and measure.
• Encryption of data in transit. Code.org employs industry standard encryption technology to protect information and data transmitted over the internet or other public networks.
• Encryption of data at rest. Code.org employs industry standard encryption technology to protect personal information in storage (at rest) and other non-PII in storage when commercially feasible.
• Data storage and server hosting. Code.org utilizes a leading cloud services provider - Amazon Web Services (AWS) data centers located in the United States – to host the Code.org services and relies on AWS for server and datacenter security, including restrictions on physical access to the datacenter.
• Data access control. Code.org uses role-based security architecture and requires users of the system to be identified and authenticated prior to the use of any system resources or user data. Internal asset owners are responsible for granting access based on the users’ role, and access is reviewed periodically.
• Employee Background Checks and Non-Disclosure Agreements. All Code.org employees must sign a non-disclosure agreement and pass a background check.
• Employee Privacy and Security Training. All Code.org employees are required to complete privacy and information security awareness training upon hire and periodically thereafter. Such training covers applicable federal and state privacy laws, security risks and practices, and other related information.
• Vulnerability and Patch Management. Code.org uses a variety of tools, practices and procedures to monitor and protect our data and systems. Code.org maintains a vulnerability disclosure program that fields reports from security researchers, and reports are promptly triaged, prioritized and addressed according to their severity.
• Periodic Risk Assessments. Code.org conducts periodic risk assessments and remediates identified security vulnerabilities in a timely manner.
• Data Backup and Disaster Recovery. Code.org regularly backs-up production data so that it can be restored if necessary, and maintains a disaster recovery policy and process.
• Information Security Incident Response. Code.org maintains an incident management plan for data security and privacy incidents that may affect the confidentiality, integrity, reliability, or availability of systems or data.
• Passwords and Two-Factor Authentication. Code.org secures usernames, passwords, and other access means using industry standard methods, and most internal systems utilize two-factor authentication as an additional access control.
• Risk Management. Code.org employs a cross-functional risk management process to identify and manage strategic, operational, and compliance risks. A variety of methods are used to assess and manage risk, including policies, procedures, and use of industry standard tools to monitor and protect data and systems.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

CodeCombat

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CodeCombat provides a web-based computer science curriculum platform for NYC DOE schools. A minimal amount of student PII is collected in order to provide authentication, rostering, and classroom management features to students and teachers. For example, when not using an SSO provider, students are asked for usernames and passwords to provide authentication, and optionally an email address for password resets. Similarly, student first name and last initials are requested so that teachers can associate student progress to students on the web dashboard. Student PII is never used for marketing or commercial purposes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CodeCombat Inc. agrees to abide by and maintain adequate data security measures consistent with industry standards and technology best practices, to protect PII from unauthorized disclosure or acquisition by an unauthorized person. Contractor shall secure usernames, passwords, and any other means of gaining access to PII, at a level suggested by the applicable standards, as set forth in Article 4.3 of NIST 800-63-3. Contractor shall only provide access to PII to employee or contractors that are performing Services. Employees with access to PII shall have signed confidentiality agreements regarding said PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CodeHS

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CodeHS is a web-based platform that provides coding curriculum, teacher tools and resources, and teacher professional development. Student data is accessed in order for teachers to determine student accounts using our platform. Students complete assignments relating to their computer science courses.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We use several techniques to ensure that PII is protected at all times. First, we use industry standard encryption for all data at rest and in transit using AES-256, TLS 1.2, and HTTPS. All data is stored securely in AWS - employees are only able to access data within AWS if they have the necessary permissions and authorization. To minimize access, we use the Principle of Least Privilege. Additionally, data access within the app is separated from data of other clients using logical controls and user-based permissions. To mitigate further security risks, we require MFA when available, strong passwords, and hold regular security training and reviews for all employees. We also have a data deletion plan that will dispose of all PII at its "End of Life" according to our Date Deletion Plan.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CodeMonkey Studios

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Student PII is used in order for the student to login to its individual account and for the system to identify and monitor the student's progress.

Type of PII that the Entity will receive/access: Student PII. “We do not require the name of the student, each student will use an alias and/or the system will assign the student a unique identifier. In addition, students who are signing in through a single sign on, i.e. Clever, CodeMonkey will receive the email of the student.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII information is accessible only to a handful of individuals within the company. Those individuals receive a bi-yearly review by our Security and Privacy officers and update on privacy and security related issues. There are also mechanisms in the system that do not allow un-authorized personnel to enter PII, which is reviewed and updated periodically.

From a technical level, we comply with all data and privacy related matters, whether we are COPPA compliant, the data is encrypted in both motion and rest, we have systems in place to monitor threats and mechanisms to deal with it, a firewall being one of them. Additionally, we constantly improve our system best to industry standards, we have processes in place to deal with attacks/threats/downtime etc.

From the human side of things, we have a security officer and a privacy officer that each conduct a bi-yearly training to all employees, regardless if they have access to PII or not. Furthermore, as mentioned only a handful of people have access to PII. All these policies are in place and constantly being updated.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

College Board (for BlueBook Application, PSAT and SAT Tests) 

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. College Board’s testing application, Bluebook™, and College Board’s test day toolkit are used by NYC DOE and its students in connection with the delivery of College Board’s SAT® Suite of Assessments and related score reporting.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Vendor selected Other: “College Board will destroy all PII upon termination of services except that which is necessary to provide students and state education authorities and the NYC DOE continued access to assessment scores and related information.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. College Board takes protection of personal information seriously College Board follows industry standard security practices to protect the personal information submitted to us, both during transmission and once it’s received. College Board is certified by third-party auditors annually, provides annual SOC 2 reporting on our information security program, and is PCI compliant. These practices help us proactively manage risks and controls. College Board never asks students, parents, or other individuals to send credit card, bank, or password information over the phone or by email.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

College Board (AP Exams)

Columbia University, Center for Public Research and Leadership (CPRL)

Type of Entity: Research Institution or Evaluator

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Columbia University will perform system-wide program evaluation services for NYC DOE. The specific program(s) to be evaluated will vary depending upon the particular engagement, and might include, for example, reviewing an NYC DOE program designed to improve student outcomes and success to help the NYC DOE understand the quality of the program and opportunities for improvement. Columbia University will receive very minimal PII, if any, for any given engagement. PII would include only a small number (per project, approximately 10 - 50) current student names and email addresses in order to contact students to involve them in the particular project by soliciting their input and feedback.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Center for Public Research and Leadership (CPRL) at Columbia University will use and store the PII it will receive from NYC Public Schools in accordance with Columbia’s Information Security Charter and the information security policies referenced within the charter. The description below is not a complete list of all safeguards provided for by those policies, full versions of which are available on Columbia University’s website.

CPRL will use PII received from NYC Public Schools only for the limited, agreed-upon purposes. Only authorized users will have access to the PII. Each user will ensure that their account or password is properly used and is not transferred to or used by another individual; log off from a system or computer after completing use; and ensure that PII is protected with a password and encrypted while in transit or storage. All desktops or laptop computers used to access or store PII: are password protected; run vendor supported operating systems that are automatically updated and have up-to-date security patches installed; have an activated and configured firewall; have antivirus, anti-spyware and monitoring programs installed to perform continuous and/or scheduled scanning to detect and/or prohibit unauthorized access; are configured to lock after 15 minutes of inactivity; are backed up regularly; and are physically protected and not shared with unauthorized persons.

All email systems used by CPRL are conducted through email systems that are risk-assessed and approved by Columbia University. Email systems are protected by virus, spam and phishing mail filtering software that includes features such as content analysis and real time blacklists, and email accounts are monitored to detect and disable compromised accounts on a timely basis. All email communications containing PII will be encrypted.

All CPRL employees and subcontractors with access to PII are trained in and continually reminded of these procedures and protocols. All contractors with access to PII are required to sign a nondisclosure agreement.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Columbia University, College of Dental Medicine

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2024 – 6/30/2032

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Oral Health Care Provider operates a School-Based Health Center-Dental (SBHC-D) in a fixed or portable setting. SBHC-Ds are school-based dental sites affiliated with NYC Public Schools that provide a range of dental services. At minimum, this includes examination/screening and preventive dental care. Additional more comprehensive care such as restorative treatments may be available. PII is collected for registration of patients.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., EPIC EHR.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Encryption
• Password Protections
• Mandatory Login & Access Controls
• Physical Security Measures
• Confidentiality Agreements & Training 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CommonLit

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

• Software as a service: online digital reading and writing lessons
• Professional development for teachers
• Access to assessment series
• Canvas integration (rostering, grade passback, CommonLit lessons available to students on Canvas)
• Rostering support options with Clever rostering, ClassLink rostering and Google Classroom

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CommonLit encrypts data at rest and in motion; administrative operational, and technical best practices are followed; staff receive training on data security and privacy and best practices. Access to facilities is limited by physical security measures (locks, etc.) and virtual assets are tightly controlled by a limited policy that’s limited to engineering and user support teams, with user support receiving less access than engineers. Credentials are regularly rotated, including upon termination or departure of any member with access.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Community Counseling and Mediation Services (CCMS)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CCMS offers educational support to socially vulnerable students and their families, helping them stay on the path to a successful future. Services are provided at the Humanitarian Emergency Response and Relief Centers, where CCMS counselors assist families in emailing their children in school, scheduling vaccine appointments, and navigating other NYC agencies. To provide these services, CCMS uses PII to directly assist with busing, school enrollment, vaccine appointments, and more.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Drive.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Community Counseling and Mediation Services (CCMS) is committed to protecting the privacy and security of Personally Identifiable Information (PII) in compliance with NYC DOE requirements. Below is a description of the administrative, technical, and physical safeguards we will implement to ensure the protection of PII and to mitigate data privacy and security risks.

Secure Storage: Store personal data in secure systems with appropriate technical and organizational measures to prevent unauthorized access, loss, or destruction.

• Technical Safeguards
  • Encryption: Utilize advanced encryption technologies for data at rest and in transit.
  • Multi-factor Authentication: Implement multi-factor authentication for systems accessing protected information.
  • System Updates: Regularly update and patch software to protect against vulnerabilities.
• Administrative Safeguards
  • Training: Conduct regular training sessions for all employees on data privacy and security protocols.
  • Access: Implement strict access controls (e.g. MFA, Role-based access control, principle of least privilege) to ensure only authorized personnel can access PII.
  • Policy: Develop and enforce a comprehensive data privacy policy that includes guidelines for handling, storing, and disposing of PII.
• Security Training and Awareness
  • Employee Training: Provide annual training to all employees on data privacy and security practices, and their responsibilities under this policy.
  • Policy Awareness: Ensure that all personnel are aware of this Data Privacy and Security Plan and understand their roles in protecting personal data. Provide ongoing education to keep staff updated on the latest security protocols and threats.
• Mitigation of Data Privacy and Security Risks
  • Risk Assessments:
    • Regular risk assessments to identify potential threats to data privacy and security.
    • Implementation of mitigation strategies based on risk assessment findings.
  • Continuous Improvement:
    • Regular audits and reviews of security measures to identify areas for improvement.
    • Adoption of new technologies and practices to enhance data protection continuously.
  • Vendor Management:
    • Ensuring third-party service providers comply with our data privacy and security standards.
    • Regular assessments of third-party providers to ensure ongoing compliance.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

The Community Initiatives of NY

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 1/2023 – 6/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Our organization (TCIONY) focuses on teaching Social Emotional Learning inside the classroom by preparing and developing the self-awareness, self-control and interpersonal skills that are vital for school, work and life in the student’s. Some of the topics the students will explore are: decision making, conflict resolution, positive self-image, peer-mediation, mentoring, mental health, communication skills, leadership skills, entrepreneurial workshops, behavioral management, social awareness, relationship skills, self-care, job readiness and much more. We do this by facilitating small student workshops in the classroom - usually 12-15 students as well as 1:1 mentoring. In addition to our social emotional curriculum, our organization also has a Community Engagement Team who are a group of credible messengers, therapists, social workers, retired Law Enforcement and educators working to bridge the gap between law enforcement, school safety and the youth. This team focuses on the youth who are at higher risks of failing academically, falling behind due to attendance, or are at a higher risk of behavioral or social issues on school campuses. The team aims to help change the students behaviors through mentoring, evidence based workshops and supporting them in their decision making. We also work closely with NYPD Options in facilitating Emotional Intelligence through Virtual Reality. We have facilitators that are retired NYPD officers as well as on our board. We are deliberately seeking to bridge the gap between law enforcement and the community, especially the youth.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google Sheets.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The safeguards that TCIONY uses to ensure all PII data will be protected are as followed: 1.) We encrypt any sensitive/PII information that must be transmitted 2.) Failed logons to our internal server will lock accounts after 2 failed attempts. 3.) Any personal computer used to access information will require anti-virus software and patch levels on their machines. 4.) Authentication will be required for all user machines at startup 5.) Account termination with 2 hours of employee being terminated, staff change, suspension or change of job function. 6.) Guest access will not be allowed under any circumstance!

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Community Software Solutions, Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CSS provides software to NYC DOE internship program. NYC DOE utilizes the software to manage the internship program. The PII that is processed by CSS and the DOE internship application is necessary for hours entry, payment processing, distribution, tax payments and reporting.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Microsoft Azure Cloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our management team works with out information technology and risk compliance team to implement administrative, technical and/or physical safeguards to ensure PII will be protected. These administrative, technical and/or physical safeguards include:

• Implementation of policies and procedures that govern human resources, information technology, information security, incident management, and data management practices performed within the company.
• Implementation of people, processes, and technology that support the implementation and operation of established policies, procedures, and practices established by management to protect customer data and PII.
• Execution of contractual obligations with third-party vendors and sub-contractors to communicate their commitments for security, confidentiality, and privacy and bind them to these commitments.
• Performance of periodic risk assessment and internal audit activities to evaluate the state of business operations and their alignment with the policies, procedures, and the protection of customer data and PII.
• Performance of period risk assessment and internal audit activities to evaluate third-party contractor services and practices for security, confidentiality, and privacy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Community Studies

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CSI provides school support to 34 DOE schools, including curriculum and resource creation, professional development, and classroom coaching for school staff. PII of individual students is received in the course of communication and discussion with teachers and school leaders about school and instructional improvement efforts.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All CSI employees and contractors receive training on ensuring the confidentiality of student PII that they may receive during their work. All email communication and documents shared between employees and DOE staff are managed via cloud services platforms, which use TLS encryption. Files uploaded or created in Google Docs are encrypted in transit and at rest with AES256 bit encryption.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

COMPanion Corporation

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Alexandria Library automation will be implemented at a number of schools within the DOE to manage and maintain library and curricular resources for teachers and students. COMPanion Corporation does not collect any PII for company purposes, other than patron first and last names. Patron first and last names are required to enter a patron into Alexandria Library automation to create a patron record. This information is used to identify a student or teacher for circulation purposes only. The system can assign a patron number that is not related to any patron personal information, so student PII such as school ID number or social security are not required. Our customers determine what they require for the management of their individual libraries. The DOE has the flexibility to share whatever PII information they choose with Alexandria, but as noted above, only the first and last name are required.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using an Entity-owned and/or internally hosted-solution.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. COMPanion does not sell customer data or make available to 3rd party companies for commercial purposes. Any data shared with sub-contractors will be authorized by the customer. Our hosting services run on secured private networks running all current security protocols. All outside connections are secured connections protocols (HTTPS) and no outside access to internal Data is permitted. Every customer database is stored separately from all other customer databases for added security.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Comprehensive Youth Development

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CYD functions as an embedded service provider within the contracted school to provide individual college and career advisement services to students information is utilized to manage who is served and units of services provided to each student. It is necessary to accurately identify the student to record and report back to the school administration the specifics of the services provided and the student’s progress within the scope of the contract. Beyond providing real-time data to the school, and providing data to the National Student Clearinghouse on behalf of the contract school, no PII is necessary or employed for outward facing reporting. Such reporting is restricted to PII-blind, cumulative data.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Symantec. Symantec Endpoint Protection is employed on DOE workstations used by CYD staff.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All staff will be using multi-tiered authorization to access cloud based service logs. All public facing reporting is summary data and does not include PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

The Core Collaborative

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. TCC coach/employees provide professional learning on the formative practices and effective teaming protocols for educators. Our coaches will teach educators protocols to analyze data (numeric scores, numeric grades, assessment item responses) to understand their professional impact on student learning, and determine instructional next steps. NYCPS educators will look at their classroom data reports using their assessment systems and written student work without names. TCC Coaches will ask intentional questions to guide analysis of NYC educators getting at the root cause of student performance.

TCC coaches/employees may potentially access PII during our process but we do not collect, process, or transmit data from the NYCPS systems or assessment platforms.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: TCC does not store or receive PII data. TCC only accesses/may access PII, therefore there is no need to delete or destroy.

Challenges to Data Accuracy. The Core Collaborative is not storing PII.

Security and Storage Protections. Describe where PII will be stored or hosted. The Core Collaborative is not storing PII.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All Core Collaborative coaches and employees are trained in federal and state requirements concerning privacy and data security annually. TCC may access student PII during our process but does not collect or receive PII data. If there is a breach or unauthorized disclosure, we will contact the district superintendent and principal within 24 hours as required by regulations. Upon detection of a potential incident, TCC will assemble a response team comprised of IT security professionals, legal advisors, and relevant stakeholders to address the situation. To prevent further disclosure, immediate actions will be taken, such as suspending access to affected systems, implementing additional access controls, and patching security vulnerabilities. At the NYCPS's direction, we will notify affected individuals such as students and parents/guardians about the incident, its impact, and the steps being taken to address it. We will cooperate fully with any investigation with the NYCPS and law enforcement.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  No PII will be stored or hosted by Entity.

Coughlan Companies (for Buncee and PebbleGo)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Buncee is a K-12 creation and communication tool that allows students, educators, and administrators to create and publish original and authentic content. This platform is delivered through Buncee for Schools & Districts or Buncee Classroom. These products do have individual student accounts. Buncee for Schools & Districts accounts can be created by syncing Google Classroom or Microsoft 365 roster data with Buncee, or manual upload via CSV. Buncee Classroom accounts can be created by manual entry or manual upload via CSV. The Vendor will provide an access point for students to create projects that are student friendly. Students can easily use interactive content that supports accessible reading experiences. Buncee is a web-based application that can be used on any device.

PebbleGo is the vendor’s unique database of educational curriculum with information articles, ready-made activities, and literacy supports. PebbleGo Next incorporates a streamlined interface, animated highlighting, educational videos, and games. PebbleGo Spanish provides Spanish modules, while Read More provides additional content connected to each article in the PebbleGo Animals and Science modules. The PebbleGo platform does not have individual student accounts, but rather a single building account shared by all students and educators. Vendor allows the DOE to access PebbleGo utilizing the DOE’s educators and students with access to PebbleGo through the DOE’s website or LMS and offer secure sync rostering and single sign-on (SSO). The DOE shares additional data elements with their IAM solutions, which become accessible to Vendor through the IAM solution’s portal.

The purpose of data processing is to allow Vendor to provide the requested Services to a school and perform the obligations under the Agreement. More specifically, the purpose of processing data is to enable school oversight and ensure appropriate structure and interaction within a school account. The processing of data enables the interaction, communication, creation and sharing within the  classroom/school/district account; allows educators and/or administrators to monitor accounts, set permissions and deliver educational content; allows educators to differentiate and personalize a student’s educational experience; and provides the administrator-educator-student hierarchy within the account. Vendor requires data capture and use for the following reasons:

• To confirm the identity of students and educators/administrators
• To provide educational services and content
• To allow subscribers to create and manage classes, personalize and differentiate instruction, and monitor and assess student progress
• To allow subscribers to monitor and safeguard student welfare
• To allow subscribers to set creation and sharing permissions and privacies schoolwide
• To inform existing subscribers about feature updates, site maintenance, and programs/initiatives (does not include student subaccounts).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

Only those who need it to perform their duties should have access to data.

• Training and guidance is provided to all employees that will be accessing and handling data (including more specifically, student data)
• Background checks are performed on all employees
• NDAs are signed by employees at the start of employment
• All access to systems and data is revoked upon employment termination
• All data stored electronically is kept secure by taking the following precautions:
  • Use strong passwords that should never be shared
  • Servers are protected by security software and a firewall
  • Backup data frequently
  • Never disclose PII to unauthorized people within or outside of Capstone
  • Routinely monitor systems for security breaches and attempts of inappropriate access.

Measures to Protect Data: Capstone Digital Products use HTTPS connections to secure transmissions. A combination of firewalls, security keys, SSL certificates, and non-default username/password credentials secure data access. Additionally, the Buncee application has the following preemptive safeguards in place to identify potential threats, manage vulnerabilities and prevent intrusion:

• All security patches are applied routinely
• Server access logging is enabled on all servers
• Fail2ban (an intrusion prevention software framework that protects servers from brute-force attacks) is installed on all servers and will automatically respond to illegitimate access attempts without intervention from engineers
• Our database servers are not publicly accessible via the internet.
• SSH key-based authentication is configured on all servers

Capstone Digital Products use HTTPS connections to secure transmissions. The HTTPS you see in the URL of your browser means when you go to the website, you're guaranteed to be getting the genuine website. With HTTPS in place, all interactions with Capstone Digital Products will be undecipherable by an outside observer. They are unable to read or decode data. HTTPS is the same system that many sensitive websites, like banks, use to secure their traffic.

Capstone Digital Products use SSL security at the network level to ensure all information is transmitted securely. All content (i.e., photos, video, audio, and other content added to your Buncees in PebbleGo Create and the Buncee products) is encrypted at rest. All passwords are encrypted using modern encryption technologies.

Account information is stored in access-controlled VPCs operated by industry leading partners. All user information is stored redundantly and backed up in geographically distributed data centers. We utilize multiple distributed servers to ensure high levels of uptime and to ensure that we can restore availability and access to personal data in a timely manner.

The Buncee application is hosted on cloud servers managed by Amazon Web Services, who is compliant with security standards including ISO 27001, SOC 2, PCI DSS Level 1, and FISMA. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels. These data centers are staffed 24/7/365 with onsite security to protect against unauthorized entry. Each site has security cameras that monitor both the facility premises as well as each area of the datacenter internally. There are biometric readers for access as well as at least two factor authentication to gain access to the building. Furthermore, physical access to our servers would not allow access to the actual data, as it is all protected via encryption. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Council for Aid to Education

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CAE develops assessments that evaluate critical thinking, problem solving, and effective written communication. CAE also provides online delivery of a pre-designed College and Career Readiness Assessment (CCRA+) for students grades 6 through 12, which is delivered online through CAE’s administration platform. Results are analyzed and reported at multiple levels including student, classroom, institution, and district.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. For the unique student identifier and associated assessment scores, the following safeguards are in place and continuously assessed:

• Administrative - access controls, data security training
• Technical – encryption, firewalls, intrusion detection
• Physical - secure facilities, access control to equipment.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Counseling in Schools

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Counseling In Schools provides services to students, students’ family members and school staff that support emotional well-being and social skill development. Before any student can receive the services of one of our programs, we must receive contact information for students’ parents/ guardians so that we may inform them of our services and request their consent for the student to participate in our services. As part of the request for consent, we explain to parents/ guardians that indicators of our impact will include attendance, academic and behavioral data collected by the Department of Education. If consent is received, in order to track progress against the above identified indicators, we request the students provide us with their Student ID, otherwise known as their OSIS number (Office of Student Information System).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Citrix: Sharefile and YouthinMind: SDQ SCoring” and “Using an Entity-owned and/or internally hosted-solution,” and “Other: Physical records are stored in locked cabinets in the schools we serve.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Counseling In Schools only uses software that holds PII that is FERPA compliant. All staff are informed of our data security policies and trained in how to keep information secure. In addition, we have engaged a data security consultant that reviews our data security systems and provides on-going security training of staff and monitoring. Any potential breaches or unauthorized attempts to access data we store are quickly reported and responded to by this consultant.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Coursemojo

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/16/2024 – 6/26/2025.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

• Coursemojo's product “Mojo,” is a web-based, curriculum-aligned, AI-powered tutor that helps educators differentiate instruction by diagnosing gaps for each student and then providing them with targeted, Socratic, one-on-one and small group support. Mojo helps teachers and all students (including multilingual learners, students with IEPs, struggling readers, and advanced students) be successful with your district’s chosen ELA texts and writing assignments. In addition to direct support for students, Mojo provides grading support and generates reports for teachers, enabling them to be more targeted and effective in their facilitation of class discussions.
• Provide licenses and support for the implementation of Mojo, an AI-powered assistant teacher.
• We will access and collect the following (shared via Clever, and interactions with the product): Identifier and Enrollment Data, such as name, email, school / state ID number, username and password, grade level, homeroom, courses, teacher names
• Most of Coursemojo’s Products require some basic information about who is in a classroom and who teaches the class—student or teacher Identifier and Enrollment data. This information is provided to Coursemojo by our School Customers, either directly from the School Customer’s student information system or via a third party with whom the School Customer contracts to provide that information.
• Upon expiration or termination of the Agreement, Coursemojo will destroy/delete all PII. While the Agreement is active, Coursemojo will store PII in a separate table, isolated from all other datasets.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Coursemojo maintains a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of students’ personally identifiable information against risks—such as unauthorized access or use or unintended or inappropriate disclosure— through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information.

We perform regular internal and external security scans. In addition, Coursemojo will periodically perform additional penetration testing and/or other relevant threat assessments and will perform subsequent remediation efforts based on the findings of these assessments.

We use industry standard encryption technology to protect data transmitted over the internet.   

The Coursemojo website is hosted on Amazon Web Services (AWS), and we rely on Amazon for server and datacenter security. All data on AWS is encrypted at rest in accordance with Amazon’s security practices.

Coursemojo uses role-based permissions to limit access to sensitive data and systems to our personnel who need it for a legitimate business purpose.

We follow industry best standard practices in developing our software.

Laptops provided to our employees for work purposes are managed to ensure that they are properly configured, regularly updated, and tracked. Our default configuration includes full-disk encryption of hard drives, on-device threat detection and reporting capabilities, and lock when idle for a specified amount of time. All laptops are securely wiped before we re-issue or dispose of them.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Creative Connections

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Creative Connections provides critical wrap around Community School services and student supports intended to serve the whole child. Services focus on the four pillars: Collaborative Leadership & Practice, Family & Community Engagement, Expanded Learning Time, and Wellness & Integrated Support through the following programs:

• COLLEGE CONNECTIONS 1 (CC1): CC1 is a beginner’s exploration of the college process. CC1 helps students identify the initial steps in planning for their educational future.
• COLLEGE CONNECTIONS 2 (CC2): CC2 is a detailed exploration of the college application process. It is designed to help 11th and 12th grade students apply to colleges and secure loans and scholarships.
• CAREER CONNECTIONS (CC): CC guides students through activities and experiences that help them explore what their strengths and passions are, and how they connect to an exciting career choice.
• ELEMENTARY & MIDDLE FUTURE CONNECTIONS (EFC / MFC): EFC & MFC engage students through interactive activities that are designed to give them a practical insight into careers while learning how to create a vision for their future.
• BOYS & GIRLS CONNECTIONS (BC / GC): BG & GC empower students through social and emotional learning to develop skill sets such as conflict management, self reflection, and relationship building.
• FINANCIAL CONNECTIONS (FC): FC is a middle and high school program that addresses the fundamentals of basic personal financial planning and money management.
• TEEN ENTREPRENEUR CONNECTIONS (TEC): TEC introduces students to the exciting world of the entrepreneur, by having students create and run their own small business.
• FINANCIAL CONNECTIONS (FC): FC is a middle and high school program that addresses the fundamentals of basic personal financial planning and money management.
• ART CONNECTIONS (AC): AC introduces students to the exciting world of art, and connects them to possible future careers.
• PROFESSIONAL DEVELOPMENT WORKSHOPS: Goal oriented, interactive workshops centered around goal setting, team building, managing change, developing leaders, and more.
• PARENT WORKSHOPS: Parents will learn about financial aid, the college process, and more.

It is necessary for the Entity to receive or access PII, such as the student's name, personal identifiers, the student number, the student's date of birth, etc., to conduct the services in order to effectively communicate with all relevant stakeholders (in the mode most conducive to them), track/document/update improvement metrics, and drive tangible outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google and/or Microsoft cloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Creative Connections and any subcontractors and/ or affiliates will (at all times during the Term) use encryption to protect personally identifiable information in its custody while at motion or at rest and implement appropriate safeguards to protect the Personal Information that are no less rigorous than accepted industry practices (such as ISO 27002, ITIL or COBIT or other industry standards of information security), and will ensure that all such safeguards, including how Personal Information is processed, comply with applicable data protection and privacy law and comply with the terms of the contract.
• Creative Connections shall implement and maintain a written information security program, including appropriate policies and procedures that are reviewed for new risk assessments at least annually. Such obligation shall continue throughout the contract term.
• At a minimum, Creative Connections’ information safeguards shall include: (a) secure business facilities, data centers, paper files, servers, back-up systems and computing equipment including, but not limited to, all mobile devices and other equipment with information storage capability; (b) network, device application, database and platform security; (c) secure transmission, storage and disposal; (d) authentication and access controls within media, applications, operating systems and equipment; (e) encryption of Personal Information; (f) encryption of Personal Information when transmitted over public or wireless networks; (g) access controls, including logging of all access and exfiltration, and retention of such access control logs for a period of no less than one (1) year; (h) conducting external and internal penetration testing and vulnerability scans and promptly implementing a corrective action plan to correct the issues that are reported as a result of the testing; and (i) limiting access of Personal Information, and providing privacy and information security training to staff.

Creative Connections and its employees will adopt the following measures:

• Employees will not at any time during or after affiliation Creative Connections (CC) disclose CC Confidential Information to which they have or had access in any form (i.e., electronic media, paper, verbal etc.) to any unauthorized individuals.
• Employees will not access any record(s) they are not authorized to, including but not limited to the student or family records of any program member or co-worker.
• Employees will utilize and access only the minimum amount of information necessary for performance of their duties.
• Employees will not access or request data on students for whom they have no professional relationship and/or legitimate CC related purpose. If a given employee has reason to believe that the confidentiality of his/ her user log-in has been compromised, he/ she will immediately ensure that the password is changed.
• Employees will respect the confidentiality of any reports and handle, store and dispose of these reports when necessary.
• Employees will not install or operate any non-licensed software on any CC computer.
• Employees understand it is against CC policy to electronically communicate student information to others outside of the CC/ school network.
• Employees are responsible for all e-mail messages generated from their e-mail accounts.
• Employees understand that the use of e-mail is for business purposes, however limited personal use is acceptable.
• Employees understand that the e-mail administrator may monitor CC e-mail if non-compliance with the electronic messaging policies is suspected.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Creative Response to Conflict

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 5/1/2023 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Creative Responses to Conflict (CRC) will provide services through the community schools program. CRC will provide workshops in conflict resolution, restorative practice, problem solving, and mediation and training for students, staff and parents. PII is needed to track attendance and communicate programmatic information.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• All data will be kept in a secure location with limited access to employees with a legitimate need. Physical files will be kept in a locked office/cabinet.
• All documents will be reviewed at the end of the day to ensure that nothing is missing or has been tampered with.
• CRC will keep the least amount of data needed for the functioning of the program.
• All communications will be handled through DOE managed channels.
• All staff will be trained in security best practices to ensure that data is always handled appropriately.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. “No data is being stored electronically by CRC.”

The Crenulated Company

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2023 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Crenulated Company Ltd will provide Community School services to the DOE School Community at Claremont International High School. Services will include mental health advisement, community events, legal support, etc. The Crenulated Company Ltd. needs to access PII so that we can communicate and provide services to our students and their families and accurately track our work and report on student outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce as a cloud service provider.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Crenulated Co. Ltd. will use industry standard data encryption technology to ensure PII will be protected. We will use all reasonable, appropriate, practical and effective security measures to protect important processes and assets in order to achieve its security objectives of confidentiality, integrity, and availability of information. In order to ensure PII will be protected, New Settlement shall limit information system access to authorized users and encrypt student data in our password protected Salesforce data system. Additional safeguards include but are not limited to:

• Use of a firewall to protect access to our system
• Data Encryption
• Regular security audits
• Regular updates to our operating and security systems
• Use of a mobile device management system

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Curriculum Associates (for i-Ready)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

• i-Ready Assessment: Designed to give a full picture of student performance and growth in Reading and Mathematics by giving deep insights into student needs to connect instructional resources to classroom action.
• i-Ready Personalized Instruction delivers powerful online lessons that motivate students on their path to proficiency and growth. Driven by insights from the i-Ready Diagnostic, i-Ready’s lessons for Grades K–8 provide tailored instruction that meets students where they are in their learning journey and encourages them as they develop new skills.
• Toolbox: A flexible digital collection that gives teachers the tools they need to implement whole class, small group, and individualized instruction that meets the needs of all learners

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Access to production servers is limited to a small, identified group of operations engineers who are trained specifically for those responsibilities.
• The servers are configured to conduct daily updates for any security patches that are released and applicable.
• The servers have anti-virus protection, intrusion detection, configuration control, monitoring/alerting, and automated backups.
• Contractor conducts regular vulnerability testing.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Currier, McCabe and Associates (also called CMA Consulting Services)

 Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/1/2023 – 7/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CMA proposes to implement a custom software solution to modernize and streamline disparate and dated legacy systems utilized by the Office of Pupil Transportation to support its critical mission of safely and effectively transporting 150,000 student riders annually. This new system will improve scheduling, communication, specific requests from parents, necessary passenger accommodations and better provide for the current and emerging needs of the diverse population it serves.

To achieve this objective, CMA will require access to student PII data to ensure the unique identification of individual students. Specifically, this information is needed in order to properly identify students – as simple as use of first and last names are often not enough. Where this is the case, access to and use of parent names, address and other factors is necessary. It is key to uniquely identify each student in order to provide the best alternatives and service needed for their safe and proper transportation.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CMA will encrypt PII in transit and at rest. Data will be stored in a physically secured Data Center with environmental controls and backup power. Data will be backed up to secure disaster recovery site in Forest Hills, NY. IT staff’s access will be role based and the least privilege needed to perform their tasks will be assigned to them. IT staff receive training on security and privacy awareness. HR conducts background checks of IT staff prior to employment. The application environment is monitored to ensure the system is available as required, access to the data is controlled and restricted by user need to know. Networks are secured and monitored for inappropriate activity.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Custom Computer Specialists, LLC and Infinite Campus, Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Custom Computer Specialists will provide implementation and support services for a product called Infinite Campus. Infinite Campus is a student information system used to track data related to students and student learning. This includes student demographics, schedules, attendance, grades, and other student related information. During the implementation and in supporting a school, employees from Custom Computer Specialists will have access or in some cases view data classified as PII.

Type of PII that the Entity will receive/access: Student PII, APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data)

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected Other: “Neither Custom Computer Specialists or Infinite Campus will share PII with subcontractors, outside persons, or third party entities. Custom Computer Specialists and Infinite Campus (two organizations) both have access to PII as a function of our relationship. Infinite Campus develops software and hosts the data. Custom Computer Specialists implements, supports, and provides the services for the software.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII and “allow NYC DOE to download a copy of the data before secure deletion, or a flat file can be provided at Entity’s then current price.” 

In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: “The parent, student, eligible students, teachers, or principals may seek copies of their PII, or challenge the accuracy of the PII by contacting their local education agency, which is responsible for the data.”

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution, and “If selected by an LEA, the data may be stored in an authorized cloud provider in the future.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Please see https://www.infinitecampus.com/policies/ferpa-compliance-and-student-data-privacy-policy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Cypress Hills Local Development Corporation (CHLDC)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024, extended to 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. The project that CHLDC conducts is identifying high school students from disadvantaged backgrounds with potential for education at the postsecondary level and encourage them to complete secondary school and undertake postsecondary education. This project is funded by the federal Department of Education via a five-year grant. CHLDC does not conduct any evaluation or research that is not required by any government funder. Instead, the exclusive purpose for receiving or accessing PII is in order to prepare aggregated and de-identified performance reports required by funders in order to share results on desired short-term outcomes of the program. On an annual basis to comply with stipulations of the grant, we report on the number of students served through an aggregated report of participant demographics (eg, age and race / ethnicity), secondary school persistence (eg, grade promotion from one school year to the next), secondary school graduation (eg, discharge data), and postsecondary enrollment of the participants. There is no individual PII shared with a funder.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity-owned and/or internally hosted-solution.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CHLDC has created a “CHLDC Data Privacy and Security Plan” that states the steps taken to maintain appropriate administrative, technical and physical safeguards in accordance with industry best practices and applicable law to protect the security, confidentiality and integrity of Protected Information in our custody. It is a plan to adhere to BOE Information Security Requirements. Our administrative practice is to only request data from NYC DOE that is essential for meeting the reporting requirements of restrictive grants that provide the funding for services to students. The request is made only by the Division Program Director or higher. The information provided by NYC DOE will only be shared with CHLDC’s Director of Evaluation via encrypted email. CHLDC uses the Software as a Service (SaaS) relational database Efforts to Outcomes (ETO) licensed by Social Solutions Global (SSG). As per SSG, the ETO is “built to handle multiple partners, high volumes of programs, advanced security protocols, and multifaceted reporting and analytics initiatives.” One feature is it is compliant with HIPAA, FERPA, HUD, Fedramp and NIST. Each year, CHLDC asks authorized ETO users to sign a “Database Access and Confidentiality Agreement” as a pledge and nondisclosure agreement in their engagement with the data in the database. CHLDC never sells or releases any of our program data for any commercial purposes. None of the required program reports we submit to funders would include any itemized data nor would include any hint of PII. We destroy any files of PII data shared by NYC DOE once we have updated our records.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

D2L

Dare to Revitalize Education thru Arts & Mediation! (DREAM!)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Restorative Practices training for parents. Upon service delivery DREAM! Requires participants to fill out pre-training and post-training evaluation forms which include the borough they reside in, their ethnicity, sex, and age. This allows us to track whom we are serving and having the most impact with.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Hard copies stored in secured office and secure file cabinet.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. DREAM! has a process in place to help make sure that staff who have access to PII agree to comply with the law and help protect the information by 1) signing an agreement with data privacy and security requirements; and 2) keeping PII in designated physical locked cabinet and office area; not to be shared or copied, sold or released for any marketing, or other commercial purposes, or any purposes at all.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Only physical records will be stored.

DataClassroom

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. DataClassroom is an online web application for teachers and students to work with scientific data, for example that produced in lab experiments during school work. The only PII DataClassroom needs is for authentication (so the users can log in) and is limited to that exposed by the LMS in use. (If individual user accounts are created, then a name and email address are required). Rostering information (class membership) can also optionally be imported from the LMS or typed in manually.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Information can be either securely destroyed or transferred as requested by the customer

when it becomes applicable.” In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor. All data is stored encrypted on infrastructure maintained and held secure by our cloud storage provider, Amazon Web Services (AWS) in a location in the USA.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Access to the cloud infrastructure containing customer data and administrative access to the same information is limited to specific trusted employees of DataClassroom Inc. Access is revoked on termination, and all new employees must read and sign a declaration that they will abide by the company data security strategy, including non-disclosure of customer data. MFA authentication is mandatory. Employee hardware such as laptops must be fully updated with security patches and industry-standard anti-malware/firewall software. Access to the physical storage locations is protected by the cloud service provider AWS.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

David Kestenbaum (also called Color Keys)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Our Learning Management System (LMS) software enables teachers to manage the assignment of educational content to students. Students get instant feedback, leading to formative assessment and providing the ability to correct their mistakes. Teachers are able to view rich analytical data to drive instruction and provide personalized support. Teachers are provided tools in the platform that enable them to individualize the students’ classroom experience and work at their own guided pace. The LMS application is used to manage 2 student-facing products:

• Thumbprint: The Thumbprint product provides modules for language learning, multiple choice, and other task types organized into assignments that are sent to students. Included in the product are thousands of premade tasks and assignments that teachers can leverage. Regarding PII –
  • Name: allows the teacher to know which student they are interacting with.
  • Email: used for password reset, account recovery, and other access related communications
  • Student ID: System ID used for integration between data and our application and school systems
• ColorKeys: Our music software enables students to learn the pedagogy of music playing while having an interactive and personalized experience along the way. Students have their own accounts, saving their materials from week to week. Students watch animated videos, play interactive games, engage in multiple choice quizzes, and practice and play songs. The program allows each student to move along at their own pace. Students come out learning how to play and understanding the fundamentals of music theory. Regarding PII –
  • Name: allows the teacher to know which student they are interacting with.
  • Email: used for password reset, account recovery, and other access related communications
  • Student ID: System ID used for integration between data and our application and school systems

Our Professional Development division provides general PD to teachers in an array of areas. We provide PD to teachers using our proprietary software (thumbprint) and train them as more updates are created. We also provide PD in teaching methodologies and strategies, including but not limited to Blended and Personalized Learning, stressing diversity, equity, and inclusion in all our offerings.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subtractor, i.e. AWS RDS.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The product features an authorization and role-based permissioning system that carefully limits a user’s access to PII. For example, a teacher may see PII for their students, but not students in the same school that they do not have a teaching relationship with. Within our working environment; All PII data is encrypted in motion and at rest, all credentials are encrypted and protected with 2FA where available, antivirus and logging are used to prevent and detect malicious activity and the network is secured by numerous policies and procedures to contain PII to the smallest portion of the network possible. All staff are vetted and trained to avoid accidental or malicious disclosure of PII and company policies and software are designed to prevent such disclosures as well.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Davis Publications

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Davis Digital is a cloud-based platform that provides access to our rich, meaningful instructional materials, lessons, and teaching resources. The Davis Digital platform allows students and teachers remote or in-class access to eBooks, fine art images, videos, and Portfolios from any computer or tablet with an Internet connection. The platform allows the option of working from home, the classroom, a computer lab, or any combination. With added features and flexibility, our comprehensive platform is designed specifically for K-12. In addition to the K-12 eBooks for students and teachers, the Davis Digital platform provides full access to thousands of fine art images from around the world. You’ll also enjoy tools for lesson planning and delivery, and online portfolios to showcase student work.

PII is used to create user accounts for students and teachers in Visual Art. PII is also used for troubleshooting and debugging purposes when responding to user support requests.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• SSO/Oauth2 integration with the Davis Digital Platform.
• Stored user data encrypted at rest with AWS KMS keys, including backups, read-replicas and snapshots.
• SSL/TLS encryption in transit between client and DBN instances.
• Database endpoints are NOT publicly accessible. Security and firewall rules to allow connections only from within the internal VPC.
• Master credentials stored securely in password manager vault requiring 2FA authentication.
• Access to production infrastructure is privileged, and only accessible from within the internal network.
• As an additional precaution, all sensitive data within the system is salt hashed.
• AWS maintains all virtual and physical server that contain PII.
• Davis employees have been trained annually in working with PII, signed confidentiality agreements, and have passed criminal background checks.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Delightex GmbH (for CoSpaces Edu)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Delightex GmbH is a software company that has developed the platform CoSpaces Edu for use in education by stundets and teachers. Adaptable to any age or subject, CoSpaces Edu lets students build their own 3D creations, animate them with code and explore them in captivating ways, including Virtual and Augmented Reality.

Working with CoSpaces Edu develops digital literacy and 21st Century learning skills such as collaboration and coding, which prepare kids for their future while empowering them to become creators. The platform can only be used with an account. PII is used to create these user accounts and to track and store student content within their accounts.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. How we keep your students’ data safe:

• We use SSL security for safe transmission of your data and AES-256-GCM for data at rest.
• Passwords are salted and hashed using PBKDF2.
• We do routine security audits and monitoring to ensure security and system integrity.
• User data is stored and backed up in geographically distributed servers operated by industry leading partners. Data will be stored according to the user’s respective location on servers located either in Europe, the United States or Asia Pacific.
• Access to personally identifiable information is restricted to specific employees only.
• All employees undergo a background check and sign a non-disclosure agreement before beginning their employment with us.
• Employees lose access to all company and product systems and data when terminated.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

DeltaMath Solutions

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 1/26/2022 – 6/30/2025 

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Access to and use of deltamath.com, an online platform for the teaching and learning of mathematics.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is housed on AWS servers in Ohio, USA and is protected both physically and via data encryption. Data is encrypted both in transit and at rest. Data is only accessed in the case of a legitimate educational purpose and, if so, from registered IP addresses. All employees with access to data undergo criminal background checks and are trained, both on hire and annually thereafter, in the requirements of federal, state, and local privacy laws.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Diarmuid (for Great Leaps Digital)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Diarmuid Inc. requires PII in order to maintain accurate and relevant student performance data in the Great Leaps Digital program. This is necessary for progress reports provided by instructors and administrative oversight to help ensure the fidelity of implementation. This data is also used to determine the effectiveness of the intervention with NYC DOE students. Diarmuid Inc will be providing the Great Leaps Digital platform that contains subscription based products in reading and basic math facts.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., DigitalOcean.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Diarmuid, will neither retain nor incorporate any of the Confidential Information into any database or any medium other than that which may be required for it to provide the Services and agrees to maintain appropriate administrative, technical, and physical safeguards in accordance with industry best practices and applicable law to protect the security, confidentiality, and integrity of information that can be used to identify or link to current, future and former users in its custody. Diarmuid safeguards and practices align with the NIST Cybersecurity Framework, and include sufficient (A) data privacy protections, including processes to ensure that Personally Identifiable Information, such as student names, birthdates, demographic information and educational performance is not included in public reports or other public documents; and (B) data security protections, including data systems monitoring, encryption of data in motion and at rest, an incident response plan, limitations on access to sensitive and identifiable information that may link to current, future and former users, safeguards to ensure that said information is not accessed by unauthorized persons when transmitted over communication networks, and destruction of the aforementioned sensitive information when no longer needed.

Diarmuid uses encryption technology to protect this information while in motion or in its custody from unauthorized. disclosure and conduct digital and physical periodic risk assessments and to remediate any identified security and privacy vulnerabilities in a timely manner. Additionally, Diarmuid incorporates various technical safeguards to protect the needed student information and data that we collect. The database servers are behind a firewall so that only their other servers can connect to the database. The program is built to ensure that any user account logged into the system is only able to access data about themselves and any students they are teaching, and each student is isolated from each other throughout our system. Diarmuid also limits access to customer data from employees and uses an internal tool to limit the interactions with customer data for authorized internal users. When generating any internal reports, Diarmuid minimizes the amount of sensitive information to just student performance and runs any necessary information that might identify a user through an anonymizing function so it cannot be linked back to the original student. Diarmuid also uses HTTPS with TLS 1.2 or later on any connections that customers make to the server to make sure the data transmitted back and forth is private. In case of becoming aware of any breaches in our system, Diarmuid will follow the steps outlined by their Data Breach Response Plan, including containing the breach, remediating the access, disclosing to affected users as appropriate, and reviewing and enhancing security measures to prevent further breaches.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Digital Age Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 10/3/2022 – 7/1/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Digital Age Learning Inc is the lead CBO partnering with multiple Bronx schools to provide after school services to students. The program is funded by NYSED OCFS and NYSED 21st CCLC grants. Digital Age Learning Inc. provides arts and technology integrated residencies to students as well as after school support for academic intervention and enrichment, athletics activities and STEAM based activities. The goals of the program include attendance improvement and increases in family engagement. Digital Age Learning Inc. requires PII data to verify student participation in its afterschool activities for the purpose of reporting on student attendance, which is required for invoicing and payment for services provided aligned with our NYSDOE contract. Digital Age Learning has access to PII data when they are working in schools. Digital Age Learning does not keep any PII on paper records.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Digital Age Learning will access data using the DOE systems only.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Digital Age Learning will only use the contracted DOE youth services.net system and EZ reports for the data entry of all student information required for student enrollment and attendance. All access to student data will be secured at the schools and only accessible by NYCDOE personnel with appropriate login credentials to NYCDOE systems.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Dignity of Children (for iDEAS Empowered by Youth)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. iDEAS Empowered by Youth incorporates Project Based Learning (PBL) which is used as a teaching method that is inquiry-based that engages learners in knowledge construction by having them accomplish meaningful learning projects and develop real-world products. Students learn through the creation of a tangible product where students are focused on a shared goal and are provided with some end product specifications from the instructor. Researchers have found that PBL has been shown to support the development of 21st-century skills (Musa Mufti, & Latiff, 2012). iDEAS Empowered by Youth incorporate PBL in the curriculum where youth have to create projects ranging from documentaries, digital art portfolios, business proposals, and public service announcements. The PII will only be accessed for attendance purposes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. “PII will only be accessed for attendance purposes and used in communications with DOE and/or staff including emails.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. To ensure the protection of Personally Identifiable Information (PII) and mitigate data privacy and security risks, Dignity of Children has implemented a comprehensive set of administrative, technical, and physical safeguards:

• Administrative Safeguards:
  • Clear Policies and Procedures: Dignity of Children has established detailed policies and procedures governing the handling, access, and use of PII. These policies are regularly reviewed and updated to reflect the latest best practices and regulatory requirements.
  • Access Controls: Access to PII is restricted to authorized personnel only, with role based access controls implemented to limit access to sensitive information based on job responsibilities. All data will be stored and retained by school and no data will be taken outside school premises.
  • Training and Awareness: All employees undergo regular training on data privacy and security practices. This includes training on recognizing and responding to security threats, as well as understanding their roles and responsibilities in protecting PII.
  • Incident Response Plan: Dignity of Children has developed a robust incident response plan to effectively address and mitigate data privacy and security incidents. This plan includes procedures for reporting incidents, conducting investigations, and implementing corrective actions.
• Technical Safeguards:
  • Encryption: PII is encrypted both in transit and at rest to prevent unauthorized access or interception of sensitive data.
  • Firewalls and Intrusion Detection Systems: Dignity of Children utilizes firewalls and intrusion detection systems to monitor network traffic and detect and block unauthorized access attempts.
  • Secure Authentication: Strong authentication mechanisms, such as multi-factor authentication, are used to ensure that only authorized users can access PII.
  • Regular Vulnerability Assessments: Regular vulnerability assessments and penetration testing are conducted to identify and address potential security vulnerabilities in systems and applications.
• Physical Safeguards:
  • Access Control Measures: Physical access to facilities where PII is stored or processed is restricted to authorized personnel only. This includes the use of access badges, biometric authentication, and surveillance systems.
  • Secure Storage: PII is stored in locked cabinets or secure server rooms to prevent unauthorized access.
  • Secure Disposal: When PII is no longer needed, it is securely disposed of using methods such as shredding or degaussing to ensure that sensitive information cannot be reconstructed or retrieved. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Directions for Our Youth

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2023 – 6/30/2025.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Learning to work services for students, which include counseling, internship placements, and college counseling.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor wrote “LTW staff only share student data and outcomes on the required dashboard with the DOE Office of Student Pathways. As the funder, the Office of Student Pathways requires monthly student data for each program be entered on Google sheets.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. “LTW staff only share student data and outcomes on the required dashboard with the DOE Office of Student Pathways. As the funder, the Office of Student Pathways requires monthly student data for each program be entered on Google sheets.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Directions for Our Youth will only have access to student information for internships and to assist with financial aid applications for college as provided by the school.  The data will be used for these purposes only and is not shared with other staff or programs. The data is recoded using the required dashboard from the DOE Office of Student Pathways, as required by the funder.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Discalced (also called Mark Morris Dance Group)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 1/1/2023 – 12/31/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Discalced, Inc., doing business as the Mark Morris Dance Group (MMDG), will conduct program evaluations throughout and at the conclusion of each in-residency and partnership. The purpose is to be able to effectively measure the overall success and impact of the program through student learning, partner expectations, and teaching team effectiveness. Findings will support efforts to improve the programs and the long-term impact of sustained engagement in the arts.

Type of PII that the Entity will receive/access: Student PII, and “we ask the school principal and/or contact to complete an evaluation as part of our triangulated approach to measuring success.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. Vendor also states, “All PII related to program evaluations will be destroyed at the end of each residency once the data is aggregated for reporting purposes. However, the findings will be kept for archival purposes at MMDG.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The following demonstrates administrative, operational and technical safeguards in place at MMDG through the following:

• Contract with HomeField IT (HIT) as its Managed Service Provider
• Microsoft 365 Business Premium Services which includes MS Defender for security
• MMDG utilizes a monitored suspicious email program managed by HIT
• HIT executes a secure daily data backup procedure
• All staff are required to complete monthly Data Security Training through Ninjio
• MMDG utilizes 1Password to maintain the highest level of password management.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Discovery Education 

District Public

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We provide professional development, data analysis, and tools to help school leaders and educators use data to improve student outcomes, communicate with administrators and families, and save time.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google Drive.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. District Public takes great care to ensure the security of PII. Data is encrypted while in motion and at rest. Only data that is required to conduct analyses is collected. Data is never disclosed to anyone outside the school community for whose benefit the analysis is conducted, and access to data and analysis is only granted by District Public to school leadership. District public employees and contractors are trained in laws governing data security and privacy, as well as on best practices in cyber security. District Public employees such strategies as two-factor authentication, encryption, web and email filtering, ongoing cyber security and awareness training, and phishing simulations to ensure it maintains a secure environment for working with PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Don Johnston 

Type of Entity: Commercial Enterprise

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

• Snap & Read Universal is a Text Reader to read aloud materials as well as support students in comprehending materials. Required student data collected: Email OR user name and password for login purposes. Other personally identifiable data for student accounts is solely used for educational purposes by the student and the student’s educational institution.
• Co:Writer Universal is a Word Prediction, Speech to Text and Translation tool to support struggling writers. Required student data collected: Email OR user name and password for login purposes. Other personally identifiable data for student accounts is solely used for educational purposes by the student and the student’s educational institution.
• uPAR (Universal Protocol for Accommodations in Reading) is a data tool to help educators match students to reading accommodations. uPar does not require use of personally identifiable student information. Personally identifiable data for student accounts is solely used for educational purposes by the student and the student’s educational institution. The only data collected is that which is valuable for educational purposes.
• Word Bank Universal extracts words, places, people, facts and dates into a meaningful format. Required student data collected: Email OR user name and password for login purposes. Other personally identifiable data for student accounts is solely used for educational purposes by the student and the student’s educational institution.
• Quizbot is a teacher-only tool. Build quizzes automatically from any text with one click. Automatic scoring through Google Forms shows instantly what is being comprehended. No Student Accounts exist (and no data is collected).
• Readtopia is a special education curriculum designed for teachers who work with late elementary, middle, and high school students with autism and other complex needs. It serves as an integrated comprehensive reading curriculum across several domains of study including ELA, Math, Social Studies, Life Skills, and Science. Students do not login and no student data is collected.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII; and Other. Vendor stated “The district has access to student data at all times and is responsible to download data prior to expiration of the Agreement. After that, we will automatically destroy all data in 30 days and 65 days from all backups.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

Administrative Safeguards: We do annual training for all staff and assign access based on roles, limiting the number of people who have access to the data.

Physical and Technological Safeguards:

• All data is kept on AWS (Amazon Web Services) servers.
• AWS has the most stringent physical safeguards that has earned it ISO 27001 compliance, a Department of Defense Impact Level 4 Provisional Authorization, over 400 National Institute of Standards and Technology security controls, and a PCI DSS Level 1 certification among other security standards.
• All data is located in geographically discrete locations within the United States.
• Data at Rest - All data at rest is encrypted with AES-256 encryption algorithm.
• Data in Transit - All data being transmitted is protected with Secure Socket Layer and password hashing.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Donner Photographic

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Photograph students at schools/dance studios and sell photos to their parent/guardian. We need PII to assign names to the students’ pictures and assign teachers to the class photos.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All PII data is stored in SQL database. No employee has a logon to the database directly. All access is done through custom applications. All images of students that we take are named by a number only and that number is assigned by the database. There is no direct file system style way of associating an image with PII. We have safeguards in place such as firewalls, encryption and requires passwords that protect our student’s personal information. We have a PF Sense firewall providing reverse proxy SSL Authentication to web servers lockdown applicable port. We never obtain address information unless the parent/student personally goes to our website. Also, we ensure the appropriate in-person training of our employees pertaining to the federal and state laws when it comes to the privacy and confidentiality of our clients including NY Laws and FERPA policies prior to accessing PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

The Door – A Center of Alternatives

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024, extended to 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Door - A Center of Alternatives, Inc. (The Door) implements the Community School model by providing academics, health and mental health services, social services, expanded learning opportunities, positive youth development, and family and community partnership at our co-located site in Lower Manhattan. We will collect data to track services provided under the contract. The data will be securely stored in The Door’s Salesforce database.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Door tracks student data in Salesforce, a leading cloud-based CRM system. In addition to the standard security safeguards provided by Salesforce such as role-based security, enforcing strong passwords and multifactor authentication, auditable logs, protections against denial-of-service attacks, intrusion detection, anti-malware scanning and other robust security features, The Door uses Salesforce Shield, an enhanced security package that also allows for data encryption at rest and complex event monitoring. The Door is committed to training staff and external consultants on our data security policies and procedures.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

DreamBox Learning

The exclusive purposes for which Protected Information will be used: To provide hosted services and adaptive math software to the district.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: DreamBox does not utilize subcontracts in its delivery of software or services; however, DreamBox will ensure that all authorized persons are aware of the confidential nature of the information being share and have been trained on data protect and security best practices.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Personally Identifiable Student Information (PISI) will be removed from the DreamBox system and returned to the district at the district’s request.

[NYC DOE comment: The current agreement became effective starting on October 1, 2019 and terminates when all NYC DOE schools and/or offices cease using DreamBox Learning, Inc.’s products/services. The terms of the agreement remain effective through the period during which DreamBox Learning, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.] 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI will be store in the US. DreamBox is ISO27001 certified and meets industry best practices for data security including encrypted at rest and in transit.

How the data will be encrypted (described in such a manner as to protect data security): At rest and in transit.

The DreamYard Project

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 71/1/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. The work in question has our teaching artists working directly with students to supply arts education during school hours and after school as well. The DreamYard teachers must keep an active roster of students to comply with attendance requirements for all contracts.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity-owned and/or internally hosted-solution.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. If PII is recorded on paper for roster purposes on the day of class, the information is shredded and securely disposed of. Before the information is shredded, it is recorded digitally to our servers, which only DreamYard administrators have access to via password and 2-step verification. The DreamYard Project does not grant access of these servers to outside vendors for any reason. DreamYard administrators must work on password protected machines and only access this information on DreamYard supplied machines, and these machines are scrubbed of data if employee’s contract is terminated. The former admin’s access is subsequently revoked if they no longer work at DreamYard.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

DroneBlocks

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. “Services” means the DroneBlocks STEM drone curriculum, which includes over 150 cloud-based lessons for teachers to choose from, and a suite of software to enable educators to teach students about computer science using drones. It includes all services offered or provided by DroneBlocks, including access to DroneBlocks Technology, as well as access to Lesson Plans, Training Materials, Webinars, and Training. DroneBlocks Services include ongoing upgrading of the product and related technology, communications with educators in support of their use of the Services, as well as the benefits of related research and development, improvements, and supplements supporting the DroneBlocks offerings, the Website, and/or the App.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Entity selected “Other: Working with School, securely delete and/or destroy PII.” In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google Firebase.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. DroneBlocks conducts periodic thorough external assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic, paper, or other records containing PII; and performs ongoing system monitoring and testing and ongoing security oversight by designated members of senior management.

All submitted PII is collected and stored by Firebase and Google Cloud Platform in reliance upon Google’s stringent security regimen. HTTPS via TLS is required to connect to all web servers from the public network. DroneBlocks maintains processes for the continued encryption of customer's PII through its secure deletion/destruction when requested in writing by the customer when it is no longer needed for the purpose for which it was collected; as well as procedures that protect PII maintained from improper alteration or destruction, including mechanisms to authenticate records and corroborate that they have not been altered or destroyed in an unauthorized manner.

DroneBlocks performs appropriate pre-hire employee background checks and screening; obtains agreement as to confidentiality, nondisclosure and authorized use of PII; provides training to support awareness and policy compliance; and maintains procedures to determine that the access of employees to PII is appropriate and meets a legitimate need and is terminated when appropriate. DroneBlocks also requires under written contracts that third party partners and subcontractors maintain Data Security and Privacy policies and procedures no less stringent than those above.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Dynamic Forms (also called Mark DeGarmo Dance)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 05/15/2021 – 05/14/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We work in NYC DOE public schools with a research-based and evidence-based educational program to provide dance education instruction required by New York State Education Department, but that the NYC DOE is unable to provide its students and schools. The purposes of having the students’ names is to increase instructional effectiveness, as educational research demonstrates is most effective. The purpose of having their legal guardians’ names & addresses is to complete our consent & release forms.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third parties.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Dynamic Forms, Inc. AKA Mark DeGarmo Dance utilizes the following administrative, technical and/or physical safeguards to ensure PII: Access Controls; Encryption; Data Access Restrictions; Access Rights; Security Awareness and Privacy Training; Third Party Management; Physical Security; Information Security Incident Management; Incident Identification; Incident Severity Classification; Incident Response and Containment; Root Cause Analysis and Lessons Learned; Privacy; System and Information Integrity; Data Management; Collection; Use and Retention; Disclosure; Retention and Disposal; and Compliance with Legal and Regulatory Requirements.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Early Learning Solutions (for Math Shelf)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Math Shelf is a tablet math app for PreK, Kindergarten, and first grade students. We access PII for students to learn math content and skills at their individualized pace and level, and track individual student usage, learning, and achievement.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and

written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. That Processor has implemented a variety of physical, administrative and technological safeguards designed to preserve the integrity and security of the personal information we collect, and to protect against unauthorized access to data. These include:

• SSO integration with NYC Schools DOE via CLEVER;
• Network connections to Math Shelf production environment utilize Transport Layer Security (TLS 1.3/1.2) or Secure Shell (SSH);
• All data stored in the Processors production environment is encrypted at rest and transit;
• All data stored on the Processors owned laptops is encrypted at rest. We employ automated log collection and audit trails for production systems.
• Connections originating from untrusted networks segments will be governed by firewall rules and other security safeguards that grant the minimal access required to access the intended service provided by the company.
• System passwords and access keys are stored in a privileged location accessible only to the Processors security administrators, and all credentials are changed from factory default settings.
• Production and development systems receive regular maintenance to apply security patches and updated software.
• Employee Training: The Processor will ensure that all employees handling NYC DOE data are trained on data security and privacy best practices, including specific requirements related to FERPA, COPPA, and NYC DOE's privacy policies. Regular refresher training sessions will be conducted to keep employees informed of new threats and regulatory updates.
• Administrators who are responsible for maintaining equipment that houses protected data are subject to pre-employment background checks. In addition, within the company’s internally published security policies, there are processes for:
  • the timely revocation and granting of access rights for all user roles in our product;
  • accountability, authentication, and authorization methods to restrict access to utility programs that are capable of overriding our product's system and application controls;
  • restricting access users to a single application session that times out after 60 minutes of inactivity;
  • role-based controls to restrict access to our product's source code, protected data, scripts, and production servers and databases.
  • Multi-Factor Authentication (MFA) to access data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

EarlyBird Education

 Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. EarlyBird works with educators to determine which children are at risk for reading struggles, and provides a comprehensive assessment to determine the child’s areas of strengths and weaknesses, as well as a series of Next Steps resources to support educators as they build strong readers. The child’s PII (ex: name, birthdate, and classroom) enables us to work with the school districts and educators.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. EarlyBird uses AWS firewalls and data protection tools and provides periodic security training to employees with have access to the system and/or data. When data is accessed through a web browser, EarlyBird employs industry standard measures to protect data from unauthorized access including, but not limited to, server authentication, data encryption, firewalls and SSL.

EarlyBird operates a secure platform and complies with FERPA regulations as described in FERPA policy. The underlying infrastructure resides entirely in Amazon Web Services and utilizes Virtual Private Clouds (VPCs) for all environments. All public facing ports are exposed only through load balancing solutions. All communication is encrypted using SSL through the load balancer and is routed to a production quality web server which resides on each server. The traffic is then proxied to the application port which is listening privately on localhost. All data that is stored on the EarlyBird platform is encrypted at rest and in transit, and no production or student data is allowed outside of the production environment. All servers are container based which ensures conformity to EarlyBird’s rigid security standards. Private keys are regularly cycled and are only distributed as needed and to a limited number of employees.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

East Side House

 Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ESH’s Learning to Work program will provide students with academic support services to improve student retention and expose students to career development through work readiness training, paid internships, and job placement. In collaboration with NYC DOE, ESH will provide services ranging from student recruitment and outreach, new student orientation, attendance outreach to referring non-eligible students to other programs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. In order to protect personally identifiable information and mitigate data privacy and security risks, Processor will:.

• Follow policies and procedures compliance with 1) relevant state, federal, and local data security and privacy requirements, including Education Law 2-d (“Section 2-d”), 2) this Addendum, and 3) the NYC DOE’s data security and privacy policy and the Family Education Rights and Privacy Act (“FERPA”);
• Implement commercially reasonable administrative, technical, operations, and physical safeguards and practices to protect the security of personally identifiable information in accordance with relevant law;
  • All student data is stored on Salesforce cloud SASS Platform. Salesforce is an external vendor with a dedicated security team. All data exists on Salesforce Cloud Tenant. No student data is stored on East Side House on premise servers.
  • Only authorized teachers and approved East Side House internal staff are granted access to Salesforce Portal. Salesforce logins are enforced with multi-factor authentication.
• Follow policies compliant with NYC DOE’s Parents’ Bill of Rights and Parents’ Bill of Rights Supplemental Information.
• Annually train its officers Annually train its officers and employees who have access to personally identifiable information on relevant federal and state laws governing confidentiality of Personally Identifiable Information; and
• In the event any subcontractors are engaged in relation to this Agreement, manage relationships with sub-contractors to contract with sub-contractors to protect the security of personally identifiable information in accordance with relevant law.
• Implement and follow an incident response plan and disaster recovery process that are compliant with relevant state, federal and local data security incident notification requirements.

To protect personally identifiable information that Processor receives, Processor will follow policies that include the following administrative, operational, and technical safeguards:

• Processor will identify reasonably foreseeable internal and external risks relevant to its administrative, technical, operational, and physical safeguards;
• Processor will assess the sufficiency of safeguards in place to address the identified risks;
• Processor will adjust its security program in light of business changes or new circumstances;
• Processor will regularly test and monitor the effectiveness of key controls, systems, and procedures; and
• Processor will protect against the unauthorized access to or use of Personally Identifiable Information.
• Processor’s sites are protected by firewalls with active threat protections including web content filtering / anti-malware scanning.
• Processor has all endpoint and servers protected by Crowdstrike EDR; systems are monitored by Crowdstrike 24/7 for proactive threats.
• Processor on premise server rooms are locked and accessed only by authorized staff. Server rooms are monitored by closed circuit television cameras.
• Processor Facilities are monitored by a 24 hours monitoring station for burglary alarms.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

EBSCO Industries (also called EBSCO Information Services)

The exclusive purposes for which Protected Information will be used: EBSCO uses the Personal Information we collect for the limited purposes of processing your transactions, establishing and/or verifying a person’s or account holder’s identity, customer service, improving and customizing our Services and their content, authorization, content processing, content classification, and providing you with information concerning our Services.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: In situations where we share Personal Information with Service Providers, we ensure access is granted to the Service Providers only upon the condition that the Personal Information is kept confidential and is used only for carrying out the services these Service Providers are performing for EBSCO Information Services. As part of making that determination whether we will share Personal Information with Service Providers, we will obtain assurances that they will appropriately protect and maintain the confidentiality of Personal Information consistent with our Privacy Policy and as required by applicable law. For additional information, please see EBSCO's Privacy Policy: https://www.ebsco.com/company/privacy-policy#prod_how-do-we-secure-info

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Contract duration - 4/1/2021 to 3/31/28. EBSCO will only retain information for as long as the account is active, or as needed to provide you Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Upon contract termination, data will be deleted or pseudonymized. If this is not possible (e.g., because the information has been stored in backup archives), then EBSCO will securely store the information and isolate it from any further processing until deletion is possible).

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Contractor. [NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov] 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data will be stored within EBSCO's data centers located in the greater Boston, MA area. EBSCO maintains an extensive information security policy to protect data which focuses on web application security and includes firewall and router security, data classification and control, vulnerability identification, authentication, etc.

EBSCO also keeps audit trails to maintain records of system activity both by system and application processes and by user activity, which, in conjunction with appropriate tools and procedures, acts as a technical control facilitating the detection of security violations, performance issues, etc.

How the data will be encrypted (described in such a manner as to protect data security): All sensitive data is securely encrypted in the database with restricted access. Data is also encrypted in transit with SS/TLS1.2 2048-bit encryption.

EDCLUB

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. edclub is a web-based and fully customizable educational platform. Students can learn in class, at home, or wherever an internet connection can be found. edclub’s suite of products currently available includes a web-based tying tutor to teach keyboarding skills called TypingClub, Vocabulary & Spelling to teach English language arts, Digital Citizenship and Social Emotional Learning.

edclub collects and processes PII in order to create accounts for staff and students, provide access to the services, and communicate with account holders. PII is also required to save and track students‘ progress on our Services and provide reports school staff.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law. 

The entity also stated “de-identified data may be retained for product improvement purposes only.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS, and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The data will be stored in the United States of America. edclub stores and processes confidential student records and information in accordance with commercial best practices, including implementing appropriate administrative, physical and technical safeguards. edclub’s safeguards includes keeping the collection of the information about the users/students to a bare minimum. The information that is transmitted over the web is securely transmitted through encrypted connection (HTTPS). Information at rest is secured in encrypted storage. A team of information security professionals constantly monitor edclub’s systems utilizing cutting edge technology.

All staff must use two factor authentication to access their accounts. Access to any student data is limited to staff who require access.

Administrative safeguards:

• Restricting access to only a few authorized individuals who have a valid reason;
• Mandating non-disclosure agreements for all personnel granted access;
• Layered permission levels for accessing logs of cloud-based services;
• Internal Audits and Compliance Monitoring;
• Incident Reporting and Response Procedures;
• Contingency Planning;
• Risk Assessment and Management.

  Operational safeguards:

Physical Access Controls;

• Data Backup and Recovery;
• Patch Management;
• Antivirus and Malware Protection;
• Network Security Controls;
• User Authentication and Authorization;
• Incident Response Plan;
• Monitoring and Logging;
• User Training.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Edgenuity Inc. (for LearnZillion)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/1/2021 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We use PII to help us to diagnose technical problems, administer the Site and improve the quality and types of services that we deliver. We may also collect, track and analyze information in aggregate form that does not personally identify users.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We strive to protect the confidentiality, security and integrity of the Personal Information we collect from children and adults. We have put in place physical, electronic and administrative procedures designed to safeguard and to help prevent unauthorized access to and maintain the security of personally identifiable information collected through this Site.

Primary accounts and student accounts are protected by passwords. Please keep these passwords secret to prevent unauthorized access to these accounts. If you think someone has gained unauthorized access to an account, please change your password and contact us immediately.

We take customary and reasonable measures designed to protect the confidentiality, security and integrity of Personal Information collected on our Sites, both during transmission and once we receive it. This includes the use of encryption, firewalls and other security technologies to prevent access to the data from unauthorized parties. All connections between users and our Site are secured via encryption communication technology (SSL/TLS). All passwords are salted and hashed using the practices recommended by NIST (National Institute of Standards and Technology). We use highly rated application hosting providers who agree to perform frequent diagnostics, operating system updates, and network security monitoring. Our engineering team is committed to creating and maintaining systems to protect Personal Information.

Only employees and contractors who reasonably need to access user information in order to perform their job (for example, customer service) are granted access to student information.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Edia Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Edia is a math learning platform providing a large standards aligned content library, AI -coached practice, automatic grading, and detailed proficiency data for individual students. Edia serves 4th-12th grade and may be used in the classroom and for homework, assessments, and interventions.

Edia has accounts for teachers and students. Teachers and students are associated together in classes. PII is required when making a student's account, in particular name and email. These are used to provide assignments and track student progress. These may also be accessed in the course of providing support.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Edia staff interact with teachers and students to provide support and training, but not in the normal operation of the application.

Edia receives and stores data purely electronically. These data are encrypted in transit and at rest.

Access to data is restricted to senior staff, and limited access may be provided to support staff on a need to know basis. All accounts are secured with strong passwords and two-factor authentication. Staff operates under our data privacy and security policy. This policy mandates that user data may only be accessed for legitimate business needs and only through secure and approved methods, data may not be retained or shared with unauthorized entities, and that staff must undergo regular training on data privacy and security policies and practices.

Privacy and security training entails sessions reviewing our security policies, use of the tools used to access user data, review of the relevant legal requirements, and how all these apply to employees' tasks. Completion of the training session is required before access privileges are granted. After that, a training session must be completed once annually.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Edlio LLC

Please include a brief description of the product(s) or service(s) being provided, and the exclusive purposes for which Protected Information will be used, collected or otherwise processed: K-12 school website services, design, hosting, support; Content Management System (CMS) software; Related optional services, including payment processing and communication services.

How you will ensure that the subcontractors or other authorized persons or entities that you will share Protected Information with will abide by data protection and security requirements required by your agreement with the NYC DOE: Edlio, LLC. agrees to ensure that subcontractors or other authorized person or entities that we will share Protected Information with will abide by data protection and security requirements required by our agreement with the NYC DOE. Edlio, LLC. have updated our internal contracts and technical requirements related to authorizing 3^rd party entities and subcontractors to ensure we are in compliance with this NYC DOE agreement. 

When your agreement with the NYC DOE starts and ends, and (ii) what happens to Protected Information upon expiration of the agreement: This agreement relates to the services for Thomas Warren Field Elementary-P.S. 299k specifically which is a 3 year contract (contract originally signed and received 2/23/2021 and expected to run until June 30 2024). Please note that Edlio, LLC. does business with many other schools with NYC DOE on various contracts. If possible, we would like an ongoing agreement for all NYC DOE, but if that is not possible, we would accept the 3 year term above for Thomas Warren Field Elementary-P.S. 299k only.

Edlio, LLC. agrees to destroy such Protected Information Data, making it unusable and unrecoverable.

If and how a parent, student, eligible student, teacher or principal may obtain copies of, and challenge the accuracy of, the Protected Information in the custody or control of the Contractor: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE to process requests for copies of, and challenges to the accuracy of, Protected Information in the custody or control of the Contractor. Such requests should be directed to studentprivacy@schools.nyc.gov.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and (ii) the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Edlio, LLC. agrees that all Protected Information will be stored in the US and that security protections are taken to ensure such data will be protected.

Edlio, LLC. agrees to and already limits the use and store of sensitive data. This includes but is not limited to the following internal Edlio, LLC. policy and/or procedure: all sensitive data must be encrypted while at rest and during transit across public networks to protect it from internal and external threats and provides a second line of defense in high threat areas. The requirements for data encryption are based on its classification, sensitivity, location, and media where it is stored.

If sensitive information is transmitted over public computer networks such as the Internet, this transmission must take place with encryption facilities. All portable and remote systems storing sensitive information must also employ hard disk encryption systems. In all but a few rare instances, if information is to be protected, then the user must take specific action to enable encryption facilities. Users must be careful about the inclusion of sensitive information in electronic mail messages that are not protected by encryption. It is the policy of Edlio, LLC. that all sensitive data will be encrypted while at rest and during transit across public networks to protect it from internal and external threats. The requirements for data encryption will be based on the data sensitivity, the location of the data, and the type of storage media wherein the data resides.

How the data will be encrypted (described in such a manner as to protect data security): Edlio, LLC. agrees to and already encrypts confidential information, including DOE data. This includes but is not limited to the following internal Edlio, LLC. policy and/or procedure: data in transit using algorithms and key lengths consistent with the most recent NIST guidelines.

Further, all encryption processes and algorithms must be approved in advance by the Information Security Officer. Proven, standard algorithms such as DES, Blowfish, RSA, RC5, and IDA should be used as the basis for encryption technologies. The use of proprietary encryption algorithms is prohibited for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by the Edlio, LLC. Information Security Officer.

All general-purpose encryption processes running on Edlio, LLC. information systems must include key escrow functions. These special functions allow management to recover encrypted information should there be system errors, human errors, or other problems. Encryption systems must be designed such that no single person has full knowledge of any single encryption key.

Payment information, such as credit card numbers or bank checking account numbers, must be encrypted when computer-resident and also not in active use for authorized business purposes, when transmitted over a public network, and when held in storage on computer disk or tape.

Edlio, LLC. will only implement and accept trusted keys and certificates. The protocol in use must only support secure versions or configurations. Finally, the encryption strength must be appropriate for the encryption methodology in use.

System Configuration Standards (PCI 2.2)

• All systems and devices must be configured in accordance with their respective configuration standards.
• System configuration standards must be based upon industry recognized best practices such as those provided by SysAdmin Audit Network Security (SANS), National Institute of Standards Technology (NIST), Microsoft, or Center for Internet Security (CIS).
• System configuration standards must be reviewed at least annually and updated to reflect current industry best practices and newly-discovered vulnerabilities.
• Edlio, LLC. develops annually reviewed security configuration standards for systems in the Edlio, LLC. CDE that are hardened using industry-accepted standards. These configurations are documented, and used as system baselines. Relevant configuration changes are communicated to impacted teams. Procedures are implemented to monitor for compliance against the security configuration standards. Edlio, LLC. requires all CDE based servers to comply with CIS standards and are confirmed through NESSUS security scans prior to any new device deployment. This approach is used for servers and network devices when applicable to NESSUS scan capabilities.

Edmentum

Contract / Agreement Term: 2/1/2017 – 1/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Edmentum provides quality online programs designed to make personalized learning an achievable reality in every classroom. To meet NYCDOE’s needs, we offer Courseware, Exact Path, Study Island, EdOptions Academy, and Calvert Learning, paired with Edmentum’s Professional Services.

• Courseware offers customizable digital curriculum for grades 6–12, including core, AP®, CTE, electives, world languages, and test preparation courses.
• Exact Path personalizes K–12 learning by combining adaptive diagnostic assessments with individualized learning paths in math and ELA.
• Study Island is a customizable K–12 practice and formative assessment solution that improves mastery and retention, and boosts student achievement in math, ELA, science, and social studies.
• EdOptions Academy is a fully accredited virtual academy that allows districts to enhance and expand their program offerings, attract and retain students, and provide flexible, individualized learning experiences.
• Calvert Learning provides engaging, project-based curriculum for K–5 learners in virtual or blended learning environments.

We collect the following PII provided by the Customer, such as the student’s name, name of school, grade level, and e-mail address. Please refer to our Customer Privacy Policy: https://www.edmentum.com/privacy/customer.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review). “Our programs are not Student Information or Accountability Information Systems. Edmentum does not store academic records other than performance scores of online activities. PII is at the user’s discretion. Administrators and teachers can choose to include non PII data for required fields such as Students: First and last name; Email (username); Grade level; Student Local ID (required); Teachers: First and last Name; Email; Teacher Local ID; Role.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. “NYCDOE retains ownership and control of all student data. Your data is available throughout the term of your contract. During this time, it can be downloaded and reports generated in a variety of formats, including CSV, Excel, and PDF. All data is securely wiped from decommissioned systems. Customer data at rest is encrypted, minimizing the risk of exploitation.

Furthermore, our programs are not Student Information or Accountability Information Systems. Edmentum does not store academic records other than performance scores of online activities. Since Edmentum is an online solution provider, there are no limitations to the size or duration of data retention. Customers may retain data within our system with a valid subscription.

Within a reasonable time period after termination or expiration of the contract, or as requested or directed by NYCDOE, Edmentum will return personally identifiable data and will securely destroy personally identifiable information in its possession.

Please see our Standard Service Purchase and Software License Terms at www.edmentum.com/resources/legal/standard-terms and our Customer Privacy Policy at www.edmentum.com/privacy/customer for specific information pertaining to this requirement.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an entity-owned and/or internally-hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Edmentum maintains a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of students’ personally identifiable information against risks—such as unauthorized access or use or unintended or inappropriate disclosure—through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information. We perform quarterly internal and external security scans. In addition, Edmentum periodically performs additional penetration testing and/or other relevant threat assessments and performs subsequent remediation efforts based on the findings of these assessments.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

EDPuzzle

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Edpuzzle instructional software (accessible at https://edpuzzle.com) that allows teachers to take, embed or upload, as applicable, video-content (e.g., videos publicly accessible at third-party video-hosting platforms, a screen recorded video, or an Edpuzzle original video) and turn it into an interactive video lesson by embedding questions and notes for understanding along the way. Teachers then receive great data analytics on student progress from the completed lesson.

Edpuzzle Pro provides unlimited access to Edpuzzle to individual users, or to all users in the school or school district based on the type of license purchased. This includes unlimited storage space, a collaborative channel, and priority customer support.

PII will be used by Edpuzzle to improve the Edpuzzle services and for the following limited purposes:

• to create the necessary accounts to use the service;
• to provide teachers with analytics on student progress;
• to send teachers email updates, if applicable;
• to help teachers connect with other teachers from the same school or district;
• to assess the quality of the service;
• to secure and safeguard personal information of other data subjects; and
• to comply with all applicable laws on the protection of personal information

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services and MongoDB Atlas.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Contractor shall implement and maintain reasonable and appropriate technical and organizational security measures to protect the PII with respect to data storage, privacy, from unauthorized access, alteration, disclosure, loss or destruction. Such measures include, but are not limited to:

• Pseudonymisation and encryption of PII (TLS v1.2 for all data in transit between clients and server and AES256-CBC (256-bit Advanced Encryption Standard in Cipher Block Chaining mode) for encrypting data at rest).
• Password protection.
• Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
• Restore the availability and access to personal data in a timely manner in the event of a technical incident.
• Regularly test, assess and evaluate the effectiveness of technical and organizational measures ensuring the security of the processing.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Edsoma

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Edsoma is an Artificial Intelligence (AI) software that assists little readers with the proper pronunciation of words when they get stuck while reading a book inside the app. Edsoma also provides a portal for the teachers to help them manage students learning journey, assign new books to read and collect reports about learning evolution.

PII is used to create user accounts and track student progress in their literacy journey. This information is used to monitor student progress and direct them to the correct follow-up courses or seek additional support if needed. Teachers are encouraged to communicate with parents about student progress, and PII is used to facilitate this communication. Without PII, we wouldn't be able to provide the personalized platform that we aim to deliver.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

Administrative Safeguards

• Strict access controls are implemented, limiting access to PII only to authorized personnel with a legitimate need. Access permissions are regularly reviewed and adjusted accordingly.
• Access to PII is restricted on a need-to-know basis, enforced through role-based access controls.

Operational Safeguards

• Access controls are implemented using multi-factor authentication and strong password policies to ensure that only authorized personnel can access PII.
• PII is handled according to strict data handling and processing protocols, including secure data transfer methods and secure storage practices.

Technical Safeguards

• PII is encrypted both in transit and at rest using industry-standard encryption protocols.
• Edsoma maintains a strict regimen of applying security patches and updates to all software and systems to mitigate vulnerabilities and known security risks.
• MFA is enforced for all authorized users, adding an additional layer of security to protect against unauthorized access.
• To further bolster our data privacy and security measures, we utilize Amazon Web Services (AWS) as our trusted database and storage service provider. This allows us to leverage AWS's industry leading cloud infrastructure and security features to enhance the protection of PII. AWS offers a range of robust security features and compliance certifications, including but not limited to, ISO 27001, SOC 2, and PCI DSS, which align seamlessly with our commitment to data privacy and security. The use of AWS services ensures data encryption, redundancy, and access controls at the infrastructure level, complementing our internal technical safeguards.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Educa

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Educa is a private online sharing platform where teachers document and share children’s learning. It supports heart-led documentation, via Learning Stories, that in one motion meets reporting requirements and provides learning visibility – in other words, images and videos – helping families and teachers work together. In order for Educa to carry out these communication-oriented goals, it is absolutely essential that PII be readily accessible for all teachers, students, and parents that exist in the platform.

Type of PII that the Entity will receive/access: Student PII and APRP PII (Identifiable Teacher or Principal Annual Professional Performance Review Data). "Ideally Educa would have access to PII for teachers, students, and their parents. For example, all users in Educa must have a unique email address, which they use to sign into the platform.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, specifically “inside an MS SQL RDS database, hosted on Amazon Web Services in US East.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data will reside inside an MS SQL RDS database, hosted on AWS in US East. All data to and from the database is encrypted in transit and at rest. Backups are also encrypted and hosted in AWS.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

EducAide Software (for Problem-Attic)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. EducAide makes an online question database covering all grades and core subjects (math, science, social studies and ELA). Teachers use the program to create tests and worksheets. Most use does not involve any student PII, because the materials are download and printed. As an option, teachers may create an online test. In that case, EducAide will receive student PII. It is used only for the purpose of scoring tests and delivering results to the teacher, who in turn will use it to calculate grades, fine-tune their instruction, and provide feedback to students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Linode servers (Akamai Technologies) and AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. EducAide collects the minimum amount of information to score a test and deliver results to a teacher, then deletes the information after no more than 180 days. To protect data and assure student privacy, EducAide:

• does not connect to any student information system or NYC DOE network service
• follows industry best practices for encryption and secure transmission/backup
• trains employes on data security techniques and legal requirements for student privacy
• maintains office security through passkeys, cameras and clean desk policies
• enforces use of two-factor authentication for logging in to cloud-based services, and
• password rotation for logging in to local network and client computers
• closely monitors servers and website traffic to prevent a security breach.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Education Analytics

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To provide technical assistance and perform data analysis to measure student learning for Annual Professional Performance Reviews (“APPR”) as approved by New York Education Law §3012-d.

Type of PII that the Entity will receive/access: Student PII and student-teacher linkage data.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

Secure Data Transfer and Data Storage Protocols: All confidential data are transferred using EA’s secure file transfer solution. All client data in house is stored on EA’s file and backup servers, with access controlled via Active Directory. Our facility is locked 24 hours a day, 7 days a week, and entry requires authentication using a key fob with unique codes for each user. Within the secured office suite, the server room storing network devices and secure servers is locked 24 hours a day, 7 days a week, and entry requires authorization using a key fob with unique codes for each user.

Authorized Data Access and Data Destruction Policy: EA ensures that access to the data is restricted solely to staff who need such access to carry out the responsibilities of the project based on their role, and that such staff will not release such data to any unauthorized party as agreed by signing of EA’s non-disclosure agreement. Access to all computer applications and data at EA are managed and authorized at every step using the Windows Active Directory user ID and high security password procedures. Key personnel working on client data have federal security clearance and have undergone human subjects training on handling data. EA requires all staff to sign confidentiality agreements prior to providing data access. Also, EA prioritizes the ongoing training of employees and authorized users about laws governing the usage of sensitive data including FERPA and other appropriate state laws. More details on this topic can be found below. EA agrees that data will remain the property of the client. To this effect, EA has a data destruction policy which ensures that the electronic data stored on the EA file and backup servers are destroyed within the contracted time frames.

IT System Security: All internal servers deployed at Education Analytics shall be managed by an operational group that is responsible for system administration. Approved server configuration guides shall be established and maintained by this operational group, based on business needs.

IT Network Security: EA’s computer network storing the data ensures appropriate and secure data access by utilizing firewalls, an intrusion detection and prevention system and up to date anti-virus solutions. EA allows remote access only to authorized users using a remote gateway secured using SSL.

IT Risk Management and Contingency Planning: EA has a disaster recovery plan and a process for handling outages which will be utilized in cases a need arises. EA has redundant and uninterruptible power and internet infrastructure provisions in place. In case of data breaches, EA will notify its cyber security insurance provider about the breach and work with the provider to investigate the breach and inform the related parties.

Compliance with FERPA and Data Security Laws: EA is in strict compliance with data security and privacy laws including but not limited to FERPA, and ensures that its staff are trained on the required laws and kept up to date to gain knowledge about how to store, access and treat data records with a high level of security.

Security Audit process and Data breach policy: EA’s IT systems maintain incident, change management logs and allows for audits of the IT data security compliance. The security audit process will cover the following steps to identify, evaluate and analyze potential threats and fixes for evaluating the security requirements of EA’s IT system. In case of breaches to the student data or teacher or principal data, EA will activate its Incident Response Team. This team will investigate the breach and notify the educational agency owning the data as necessary in accordance with regulations. EA will promptly comply with any inquiries from the client based upon the client’s receipt of a complaint or other information indicating that improper or unauthorized disclosure of personally identifiable information may have occurred.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Education Analytics (for New Schools Venture Fund)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: Starting June 2022.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. EA is working with [New Schools Venture Fund] NSVF on a series of deliverables that serve to help NSVF understand the schools in their portfolio better. Using data from SEL and Culture and Climate surveys, along with MAP assessment data, this information will be utilized for a series of research questions along with a dashboard that displays school level data and subgroup data from the aforementioned surveys.

Type of PII that the Entity will receive/access: Student PII and Other (staff social emotional survey results)

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• A risk management strategy is in place to identify and detect data security incidents
• Data security protocols and procedures are in place to protect data access
• A security incident monitoring system is in place to identify cybersecurity events
• A data incident response plan is in place to ensure prompt and effective responses to any security breach
• A recovery process that ensures restoration of systems or assets affected by a security incident
• Access controls that is only provided to staff with a need to use information for the direct study and research purposes

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

The Educational Alliance

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Educational Alliance is committed to providing quality community school services to students and their families. As part of our services, we have assigned a Community School Director at each school who oversees the community school program. On occasion, the Community School Director may need to access Protected Information to contact a student and/or their family.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Educational Alliance has implemented various administration, operational, and technical safeguards to protect Protected Information received under our contract. EA staff are prohibited from removing anything from school sites, and are provided regular updates on confidentiality and data security obligations. All paperwork containing Protected Information is securely locked away in a file cabinet, and only the Community School Director will have access to this locked cabinet further ensuring it remains confidential and secure. When the director needs to contact parents, they will utilize DOE systems and follow the guidance provided by the Department of Education for communication. Educational Alliance is committed to maintaining the highest level of security and confidentiality for all data entrusted to us.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. “Because Educational Alliance does not collect electronic data, we will not encrypt PII information.”

Educational Vistas

Type of Entity: Commercial Enterprise

Contract / Agreement Start: 9/3/2021

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Educational Vistas is an education technology company that specializes in providing data-driven tools and software to streamline school and district operations, including assessment management, data warehousing, and performance tracking. Their services allow schools to sync student and staff data, automate class and roster creation, and manage assessments, such as Degrees of Reading Power and Degrees of Math Power, while also offering data warehousing and custom dashboard solutions for tracking and analyzing assessment outcomes and state test scores.

To enable these services, Educational Vistas requires specific student-level data, including student IDs, first name/last name, grade levels, gender, class rosters, school affiliations, and assessment results. This data is essential for auto-roster syncing, generating accurate assessments, and creating customizable reports like pre-slugged answer sheets, miscue analysis, and drill-down reports. Additionally, to support evaluation tracking and professional development, teacher and principal data, along with student learning objectives (SLOs), are integrated, allowing districts to develop insights into both student growth and staff performance.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third-party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Educational Vistas' programs and data are housed at Turnkey in Latham, NY which is a secure data Center. TurnKey is a 24/7 monitored facility that restricts physical access to the servers. The servers are also appliance and firewall protected from outside access. There are only 3 of our technicians allowed into the data center and the data center is required to call our offices before granting anyone access to the servers. The center requires physical sign-in to the facility as well. Data is housed on multiple redundant load-balanced servers within the facility. Backed up data is encrypted and has to be restored to the data center before it can be used.

Staff is instructed and trained to not store, remove, or share any customer data. We only use the customer's information in training the customer at the customer's site. Staff is trained on HIPAA Privacy, Security Rules, GLBA, which talks about safeguard procedures against fraud or identity theft and instruction about computer security, and FISMA (Federal Information and Security). We also comply with FERPA, which includes hiring contractors to minimize security risks. Every employee and contractor is required to sign a confidentiality agreement as part of their employment package. Educational Vistas provides this training in person annually, and includes training on NY Educational Law 2d.

Our IT security team monitors the servers for security related breaches, using advanced threat detection systems, encryption protocols, and proactive monitoring to identify and mitigate potential risks. In addition, we use regular security audits, employee training programs, and incident response plans to maintain a strong defense against evolving cyber threats. We require immediate notification of any security breach so we can in turn immediately notify our clients that a breach has occurred, and what was breached. Educational Vistas will notify New York City Department of Education within 24 hours of a cyber incident or other unauthorized disclosure. We have, to this date not had any security breach. Educational Vistas’s comprehensive breach response strategy is designed to address and mitigate the impact of a data breach should one occur, that complies with legal obligations, and improve organizational resilience against future incidents. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Eduware

The exclusive purposes for which Protected Information will be used: To provide the requested services and to ensure proper functioning of sites. To provide requested customer support and communicate with user.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Eduware, Inc. does not use subcontractors, however in the event that Eduware, Inc. engages subcontractors, assignees, or other authorized agents to perform one or more of its obligations under the AGREEMENT (including any hosting service provider) it will require those to whom it discloses Protected Data to execute legally binding agreements acknowledging the obligation under Section 2-d of the New York State Education Law to comply with the same data security and privacy standards required of Eduware, Inc. under the AGREEMENT and applicable state and federal law.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon expiration of that agreement without a successor agreement in place, Contractor shall assist NYC DOE and any educational agencies that contracts with NYC DOE for the provisions of Contractor’s products or services in exporting any and all student data and/or teacher or principal data previously received by Contractor back to NYC DOE or the educational agency that generated the student data and/or principal data. Contractor shall thereafter securely delete or otherwise destroy any and all student data and/or teacher or principal data remaining in the possession of Contractor or its assignees or subcontractors (including all hard copies, archivist copies, electronic versions or electronic imaging of hard copies of such data) as well as any and all student data and/or teacher or principal data maintained on behalf of Contractor in secure data center facilities. Contractor shall ensure that no copy, summary, or extract of the student data and/or teacher or principal data or any related work papers are retained on any storage medium whatsoever by Contractor, its subcontractors or assignees or the aforementioned secure data center facilities. To the extent that Contractor and/or its subcontractors or assignees may continue to be in possession of any de-identified data (i.e., data that has had all direct and indirect identifiers removed) they agree not to attempt to re-identify de-identified data and not to transfer de-identified data to any party.

[NYC DOE additional information: The current agreement became effective starting on December 1, 2020 and remains effective until November 30, 2027.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Contractor. [NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov.] 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Student data and/or teacher or principal data transferred to Contractor by NYC DOE or NYC DOE officers, employees, agents, or students will be stored in electronic format on systems maintained by Contractor in a secure data center facility, or a data facility maintained by a board of cooperative educational services, in the United States. In order to protect the privacy and security of student data and/or teacher or principal data stored in that manner, Contractor will take measures aligned with industry best practices and the NIST Cybersecurity Framework Version 1.1. Such measures include, but are not necessarily limited to disk encryption, file encryption, firewalls, and password protection.

More specifically, data is stored in Amazon Web Services (AWS) which are served from data center in Oregon, United States. Servers are secured physically by Amazon, and virtually by installed firewalls and a strict authorization system. Additional security information about AWS system is available online at: https://amazon.com/security/. All data storages are only available through password/key protected instances. User passwords are encrypted in the database, so even Contractor’s high level system administrators can’t view sensitive password information. All of Contractor’s network communication is now encrypted under HTTPS. 

How the data will be encrypted (described in such a manner as to protect data security): Eduware, Inc. (or, if applicable, its subcontractors) will protect Protected Data in its custody from unauthorized disclosure while in motion or at rest, using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under Section 13402(H)(2) of P.L. 111-5.

El Puente de Williamsburg (for Community Schools services)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2023 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. El Puente is a human rights institution working to inspire and nurture leadership for peace and justice. As a Community Based Organization (CBO) partner, El Puente provides resources and support in the following areas: Attendance, Academic, Health and Wellness, Family Engagement. Using collected student and family data, El Puente conducts support to achieve school goals, monitors and evaluates targeted areas such improving attendance and academic achievement.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., NYCDOE Google Drive.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The entity will mitigate data privacy and security risks by adhering to the following:

• Utilization NYC DOE cloud systems (DOE email, Google Drive, etc.) when confidential information is disseminated or received.
• Implementation of 2 step factor authentication when signing in on cloud systems.
• Strict use of DOE and Entity computers, cell phone, software, etc. for both confidential and work-related information to maintain safeguards.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

El Puente de Williamsburg (for Crisis Intervention services)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 71/1/2021 – 6/30/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. El Puente is working in partnership with the Department of Education in their Crisis Intervention initiative at EBC High School Bushwick. El Puente provides students with various engagement activities in the areas of leadership development, academic enhancement and community building with the goal of helping them build capacity to resolve conflicts and interact with their peers in positive manners. The way El Puente ensures the DOE we have provided services is by having youth sign into the activities. The signing sheets collected are provided to the DOE in order for El Puente to receive payment. Sign in sheets are uploaded to Google Drive to be submitted to the Department of Education as it is required for payment.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google Drive.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Youth who participate in the El Puente programs through the Crisis Intervention Initiative are asked to sign in providing First Name and Last Name. This information is strictly safeguarded and protected and it is only utilized to invoice the DOE for services provided. All sign in sheets are secured under a locked key. The Program Director and its supervisor has access to the files and safeguards the key. Sign in sheets are scanned and kept in the Google Drive of the administrator overseeing the program and the Director of Administration who utilizes the sign in sheets for billing purposes.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Elite Learners

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 11/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Elite’s Violence Prevention Specialists and Teaching Artists will work with youth groups to facilitate age-appropriate restorative practices including peer mediation, one-on-one mentorship and conflict mediation training activities designed to help address negative behaviors such as bullying, disruptiveness, and peer conflicts that impact youth self-esteem, academic achievement, peer, and familial relationships. PII will be used to record students’ participation/attendance in the program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. OneDrive will be used if needed.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Elite Learners has guidelines to ensure that all individuals working under/with Elite and on Elite Learners’ projects/programs understand their responsibility in reducing the risk of compromise and take appropriate security measures to protect client data.
• Nondisclosure/confidentiality agreements are included in Elite Learner’s Employee Handbook and are signed upon new hire.
• Industry standard security measures including authentication and encryption protocols are used to preserve and protect Protected Information. Protected Information is encrypted at rest and in transit.
• Protected data is maintained in a secure data center managed solely by Elite Learner's employees.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Encyclopedia Britannica

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Services are digital encyclopedia services and PII, if any, will be provided solely for purposes of providing access to the Services or a feature contained therein.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS Cloud Services in the U.S. only.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Britannica employs physical, administrative, and technical safeguards based on currently available technology and industry best practices to promote the integrity and security of personal data. Those safeguards include, but are not limited to, measures for preventing access, use, modification, or disclosure of customer data by Britannica personnel, except to provide services and prevent or address service or technical problems; as compelled by law; or as expressly permitted by the customer in advance, in writing. In addition, our documented security and privacy policies provide a framework for maintaining effective and efficient internal security and privacy controls and practices in order to mitigate data privacy and security risks.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Enhanced Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Enhanced Learning will co-create customized in-school, interschool and intraschool institutes, workshops and coaching modules to empower principals, school leaders, and new/experienced teachers with knowledge across the educational, social, and behavioral spectrums. They will also provide student services: supplemental instruction, counseling, tutoring, mentoring, parent engagement, professional development, and an extended year program. In the process, Enhanced Learning may need to receive, handle, and/or access protected student information to ensure an individualized approach and thus prompt optimal outcomes of provided services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option

and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google, Microsoft, Zoho.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

Administrative Safeguards:

• Establish policies and procedures to manage security risks, conduct risk assessments, and implement security measures.
• Ensure proper training, authorization, and supervision of personnel handling PII.
• Control access to PII based on roles and responsibilities.
• Develop protocols for detecting, reporting, and responding to security incidents.
• Periodically assess security measures and adjust as needed.
• Establish agreements with external entities handling PII.

Technical Safeguards:

• Utilize Data Loss Prevention (DLP) rules to control content sharing and prevent unintended exposure of sensitive information.
• Customize policies to allow or restrict specific features or services for managed accounts based on user roles.
• Ensure that users handle PII in approved tools.

Physical Safeguards:

• Limit physical access to authorized personnel only and use mechanisms such as access cards, biometrics, and secure locks.
• Secure workstations (computers, laptops) to prevent unauthorized access. Implement screen locks and restrict access to sensitive areas.
• Safeguard hardware (e.g., servers, storage devices) and removable media (USB drives, external hard drives). Encrypt sensitive data on portable devices.
• Properly disposing of PII-bearing media (e.g., shredding paper documents, wiping data from hard drives).
• Educate staff on physical security practices 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Enome (for Goalbook)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Goalbook Toolkit is used by teachers to access our research-based instructional resources and personalize instruction more effectively. The necessary PII that Goalbook requires are: educator name, email, title, and school/district name, which are used to provision user logins to the Goalbook platform.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Your privacy and security are paramount and we are not in the business of selling your data. We comply with all federal, state and local laws governing confidentiality of your data and regularly review them for new or updated guidance and regulations. To clarify, Goalbook does not provide any student access, so COPPA does not apply. Goalbook’s infrastructure is hosted on a commercial provider, Amazon Web Services (AWS) which is fully SOC2 compliant. Goalbook itself is currently contracted and engaged with auditors to evaluate our SOC2 compliance. All of Goalbook’s AWS services and data are located within the US. Goalbook's security features also include the use of industry-standard encryption algorithms for server access, data storage, and data transit such as 256-bit Advanced Encryption Standard, TLS 1.2, SSL, RSA, and ED25519; strong network security; employee role-based access controls using the principle of least-privilege; regular data backups; employee security awareness training; export and deletion of customer data on request; and automated monitoring of any 3rd party library security issues and regular updates.

We will maintain an active line of communication with NYC DOE to ensure that we understand and comply with their evolving security and privacy requirements as well. We regularly audit, monitor, and log access to our systems, data, and applications to prevent and identify any data security or privacy incidents. In the event of any data breach, NYC DOE would be promptly notified and follow-up would include analysis and actions to prevent any future incidents.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

ENRICHEDNYC

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We provide live, synchronous, high dosage academic tutoring services for students in Grades K-12, either one-on-one or in small groups of 2-4 students, both in person and online, primarily focused on accelerating foundational reading skills. PII is necessary to identify students receiving specific services and to monitor attendance and student progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Docs.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• ENRICHEDNYC limits the collection of Student PII to ensure the privacy and protection of each student served.
• ENRICHEDNYC stores Student PII in databases and on servers powered by Google behind multiple layers of electronic safeguards.
• ENRICHEDNYC protects Student PII through various means, including implementing secure user authentication protocols, secure and limited access control measures, and data encryption on public networks.
• ENRICHEDNYC restricts access to NYCDOE Student PII to those with legitimate purpose.
• ENRICHEDNYC uses strict password protection including to use two-factor authentication and password protected cloud database.
• All employees and contractors associated sign an non-disclosure agreements.
• ENRICHEDNYC employs various encryption techniques for while data is in transit or stored.
• Backups for data storage are also encrypted.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Entourage Yearbook

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Entourage Yearbook provides online yearbook design software and also offers production/printing and shipping services. Entourage Yearbook receives the following PII: student name, student grade, student’s teachers, photographs of students. If the school sets up online sales, at checkout we require a billing name, address and email address to send the confirmation to. The parent will fill out standard billing information including name, address, phone number, and email. If the school sets up individual shipping we will also require shipping information.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Any custom content that you add to your personalized, custom yearbook (such as photos, documents and text) is only visible within the account that uploaded the custom content, and not to other users of the System.

Personal Information and Children’s Personal Information about our users is an integral part of our business. We neither rent nor sell your Personal Information or Children’s Personal Information to anyone.

The user profiles can have several different levels of access. Admins are reserved for the Yearbook Advisor at the schools. Editors are for people working on the yearbook and have to be approved or created by the yearbook admin. Users are for people contributing photos to the yearbook, again have to be approved or created by the yearbook admin. Mass users are for parents purchasing yearbooks or ads through our link site and do not have access to any part of the yearbook, or PII. Only the information they provide will be able to be accessed. All Admins, Editors, Users, Mass users passwords are encrypted. The access to the yearbook must be provided by the yearbook admin. Any changes to the levels of permissions are controlled by the yearbook admin.

The database information is stored in our protected server that is stored on the AWS cloudfront. Only senior level employees, which can include subcontractors hired at a senior level, i.e. Senior developers, can access the database, and they must be on the Entourage VPN and have the credentials. Entourage employees must be full-time employees, with over a year in the company to get certified to have access to the database. The Entourage VPN must be installed on the user's computer. The user must get credentials from the development team. The development team can revoke access to the VPN at any time. Once logged on, the VPN the employees can access the Remote desktop computers, they also must have usernames and passwords to those machines. The passwords must be updated every 90 days.

Your Entourage account Personal Information or Children’s Personal Information is protected by a password for your privacy and security. You may help protect against unauthorized access to your account and Personal Information or Children’s Personal Information by selecting and protecting your password appropriately and limiting access to your computer and browser by signing off after you have finished accessing your account. When you enter sensitive information (such as a credit card number) in our Credit purchasing process, we encrypt the transmission of that information using secure socket layer technology (SSL). Entourage endeavors to protect user information to ensure that user account information is kept private. Entourage, however, cannot guarantee the security of user account information. Despite Entourage’s best efforts, unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time. For additional information about the security measures Entourage uses in connection with the System, please contact us at help@EntourageYearbooks.com.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Epiphany Blue

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Epiphany Blue is an award-winning event planning and experiential services agency and New York City/New York State certified Minority and Women-Owned Business. We curate unforgettable event experiences, activations, workshops, and programs for companies and communities nationwide while providing clients with world-class service. Epiphany Blue is dedicated to creating youth leaders and personally and professionally fulfilled adults by facilitating workshops and events that aim to assist our participants with developing their vision of success and bringing that vision to life. Since its inception in 2006, Epiphany Blue’s programming has served over 25,000 youth, staff, parents, and adults.

Our services for youth include personal and professional development workshops, educational outings, thematic projects, and youth-centered events. Our services for parents and school staff include personal and professional development workshops and events, and retreats and conferences.

Epiphany Blue may receive PII for program enrollment, participation, or to track program and student progress. As required by the NYC Public Schools, attendance documentation at each workshop and event is required. Upon scanning information into our encrypted Google Drive, documentation is immediately shredded and destroyed. Surveys are also provided to program attendees; however, no identifying data is included in the anonymous surveys.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Workspace.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Epiphany Blue implements administrative and operational safeguards to ensure that staff who interact with this information do so responsibly and legally.

Administrative Safeguards:

• Policy Development and Implementation: We established clear policies regarding the handling of PII, including data collection, storage, access, sharing, and disposal.
• Staff Training: We regularly train our staff on data protection policies, ethical handling of PII, and the legal implications of mishandling data.
• Access Control: We implementing policies to control access to PII, Ensuring that only authorized personnel have access to sensitive information.
• Audit and Compliance: We audit data handling practices and ensure compliance with legal standards.
• Incident Response Plan: We developed a plan for responding to data breaches or unauthorized access incidents, including notification procedures and remedial actions.
  

Operational Safeguards:

• Secure Data Storage: We use secure, compliant systems for storing PII and regularly back up data to protect against loss.
• Password Management: We implement strong password policies and consider multi-factor authentication for systems that handle PII.
• Regular Software Updates: We keep all systems updated to protect against security vulnerabilities.
• Physical Security: We ensure the physical security of servers and computers where PII is stored.
• Data Minimization: We collect only the PII that is absolutely necessary for program services and avoid excessive data collection.
• Data Retention and Disposal: We have clear policies on how long PII will be retained and procedures for securely disposing of data that is no longer needed.

Monitoring and Evaluation

• Continuous Monitoring: Regularly monitor data handling practices and systems for any potential security breaches.
• Evaluation and Improvement: Continuously evaluate the effectiveness of data protection measures and make improvements as needed.

The Company adheres to the following data protection guidelines:

• Due to the nature of their position, only the person required shall access personal data.
• We protect access to personal data through strict administrative and technical access control including limiting access to data and implementing role-based access, verifying the identity of individuals trying to access personal data e.g. passwords or security questions), encryption, using firewalls and intrusion detection systems, MFA, and regular software updates.
• Data shall be reviewed and updated on a regular schedule. If data is determined to be outdated, no longer relevant, or needed, it will be detected or destroyed appropriately.
• We require express consent to collect personal data, and a clear notice will be provided to consumers of the collection of personal data use and sharing practices.
• When personal data is being used, the Company’s employees shall ensure computer screens computers are always locked when left unattended.
• Personal data should not be saved on desktops or local drives.
• Details on storing, using, and processing personal data shall be provided upon request.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Ernst & Young

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2017 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Ernst & Young US LLP was contracted for co-sourcing assistance with the planning and execution of statutorily mandated internal audits of schools. In addition to the State-mandated school audits, Ernst & Young US LLP assists the DOE’s Office of the Auditor General (OAG) in performing internal audits and other related consulting services for other divisions with the DOE. These internal audit and related services shall cover, but not necessarily be limited to the DOE’s activities in the areas of expenditures for payroll, per session, per diem, and other costs, enrollment and attendance, custodial expenditures and operations, contract providers of general and special education programs and services, food, transportation, technological and facilities services, grants management and any other fiscal operational or business process matters. PII may be received or accessed in connection with the planning and/or execution of these services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall:

EY receives documentation that contains PII via the Department’s version of Microsoft Teams. DOE stakeholders sometimes send such information via email. Our team policy in this case is to move the documentation to our documentation retention platform (MS Teams) and delete the emails (and remind the stakeholders not to send such information via email).

Documents uploaded to Teams are then scrubbed for PII that is not needed for testing (i.e., redacted in PDF). We also receive various reports from the DoE with some Confidential Information on it, such as: a payroll file that includes name, employee ID, and amounts paid per session worked (i.e., hours worked on a specific job in a day x the pay rate = total pay for that job for that day), and an employee reimbursement file that will show employee name and address. These files have not been redacted as the information contained in them is required for sampling and testing.

Within 30 days of project completion, we archive all final work products (tens of thousands of pages of PDFs as well as the reports). All work products are maintained for 6 years after the end of the contract period. We have received requests for documentation in years following the completion of a project.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft M365.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is encrypted in transit and at rest and access to the data is restricted based upon role and need to know.

EY receives documentation that contains PII via the Department’s version of Microsoft Teams. DOE stakeholders sometimes send such information via email. Our team policy in this case is to move the documentation to our documentation retention platform (MS Teams) and delete the emails (and remind the stakeholders not to send such information via email).

Documents uploaded to Teams are then scrubbed for PII that is not needed for testing (i.e., redacted in PDF). We also receive various reports from the DoE with some Confidential Information on it, such as: a payroll file that includes name, employee ID, and amounts paid per session worked (i.e., hours worked on a specific job in a day x the pay rate = total pay for that job for that day), and an employee reimbursement file that will show employee name and address. These files have not been redacted as the information contained in them is required for sampling and testing.

Within 30 days of project completion, we archive all final work products (tens of thousands of pages of PDFs as well as the reports). All work products are maintained for 6 years after the end of the contract period. We have received requests for documentation in years following the completion of a project.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

eScribers

Type of Entity: Commercial Enterprise

Contract / Agreement Start Date: February 2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Reporting and transcription services for the Impartial Hearing Office. PII is transmitted to us in the course of our reporting on administrative hearings and so as to allow us to prepare accurate legal transcripts of the hearings.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our safeguard to ensure PII will be protected include:

• Routine and spontaneous risk assessments of our systems
• Secure access control
• Secure device configuration
• Up-to-date patch management
• Anti-virus and malware protection
• ISO 27001 certification (in the UK; US pending)
• Data Center Security
  • IAM roles to minimize access
  • Physically and digitally protected by AWS IaaS
  • AWS Cloud firewalls
  • VPN access
  • IAM users
  • AWS physical data center security measures

• Client Data encrypted in transit and at rest (min security requirement: SSL 256-bit encryption)
• Completed transcripts uploaded to DoE via SFTP
• Email Systems
• Anti-Spam and Phishing Detection software (Checkpoint Security, Avanan, Google).

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Eskolta School Research and Design

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Eskolta School Research and Design Inc Services include:

• Research and Evaluation projects that use a mix methods approach
• Sharing Learnings through workshops, conferences and school intervisitations
• Eskolta fellows program to build leadership capacity in teachers
• Resource Development Tool Kits for Educators
• Coaching and Capacity Building for School Leaders
• Facilitated inquiry projects with individual school teams

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. In any case where Eskolta received PII, all personal information (e.g. interview transcripts, names, contact info) is deidentified, stored on password protected devices of the research team, using a lookup code where appropriate, with the code key stored separately.

For many projects de-identified, linkable data will be sufficient for Eskolta and our NYCDOE partners to engage in data-centered professional learning and continuous program improvement.

Use an internal data base for client services. The data base will be password protected. Due to the organization being hybrid we use electronic communication for signatures and data collection. Staff is required to use agency issued computer device.

All of our files are behind a managed Google Workspace account that has explicitly defined permissions for all files with all users requiring 2FA to log into. This account is also monitored by our managed service provider for any unusual logons and suspicious activity. Local machines all have anti-virus installed on them as well.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

eSpark

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. eSpark is a web-based supplemental curriculum resource for math and ELA. PII is used exclusively for the purpose of rostering students and creating accounts. PII collected from authorized school officials for this purpose includes student names, unique IDs (to prevent duplicates), grade levels, teachers, and class enrollment.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity states “If eSpark is not provided with notification that all usage is being terminated and/or if eSpark is not asked to immediate delete PII, the PII will be deleted in the last week of July.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. eSpark’s platform is built on the premise of “legitimate educational interest” as outlined in FERPA. The program’s role-based security ensures that student data is accessible only by those who have a right and need to access that data. We will never sell students’ personal information to third parties, we will never ask students to provide any personal information to us, and we will never send marketing messages to students or disclose student data to any company that would.

eSpark’s technical safeguards include industry-standard encryption while data is at rest and in transit. The program is constantly monitored for intrusions and our development lifecycle includes multiples checks and balances to test updates for bugs and vulnerabilities before they are pushed live to production. All eSpark data is securely hosted in the United States with Amazon Web Services.

eSpark employs the same level of care at the operational and administrative levels, with documented workflows ensuring that student data access is limited to those who need it to perform their duties under our contract agreements with our partners. All employees and contractors who may come into contact with student data are required to attend annual training on data privacy and security, and sign a student data confidentiality agreement before they can access eSpark systems.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Essential Education

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Essential Education provides adult education learning tools in both digital and print formats and provide students with test taking tools and skill development. PII is used to create user accounts, track student progress, and customize learning plans.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Essential Education maintains the following technical and operational safeguards:

• Security Breaches – Essential Education monitors databases and services for security breaches. Should a breach be detected, NYCDOE will be notified within 24 hours.
• Data Destruction –. Student data can be deleted by the District Administrator at any time and destroyed by Essential Education at a reasonably scheduled time, upon notification by DOE.
• Training of Employees – Essential Education provides onboarding training of all employees which includes privacy and security training. Any administrative level accounts require two-factor authentication.
• Security Design – Essential Education uses a VPC with separate subnets for public and private services.
• Vulnerability Monitoring and Mitigation – Essential Education scans for and track vulnerabilities in its production infrastructure. A vulnerability scan is run at least once per week.
• Data backups – Daily backups of the database are created and retained for approximately one month.
• Single Sign-On – Essential Education provides its own user management and authentication system, but also supports single sign-on integration
• Roles and Permissions – Essential Education provides a number of account types and can also customize the capabilities of these roles for individual customers to an extent.
• Multi-Factor Authentication – Essential Education staff are required to authenticate with MFA on a VPN to access the administrative control features of the application.
• Account Deactivation / Expiration – A system for automatically deactivating inactive student accounts is available and enabled by default.
• Password Handling – Specific password requirements must be met for all user accounts.
• Disaster Recovery Plan – Essential Education provides redundancy across two availability zones (A and B) in the us-west-2 (Oregon) region.
• Change Control - Essential Education uses various software tools, to track change requests and changes to the application.
• Firewall Policies- Certain administrative functions within the application are restricted by the application software to the Essential Education VPN. Essential Education allows access to its bastion server only from the Essential Education VPN. Changes to these restrictions require approval.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Essential Skills Software

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Essential Skills is an online learning platform for K‐6 and older remedial students. Basically, it’s educational software. Student names are used to identify students in the system, create student login credentials and to maintain a record of student progress in the Essential Skills platform.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Regular employee training is conducted on data privacy and security best practices including the proper handling of PII, password protection, and phishing scams. Access controls are implemented that limit access to PII to Essential Skills employees who need to perform their job duties. Two factor authentication has been implemented to verify the identity of users accessing sensitive systems and data. PII data is stored on a private cloud server. Any backups are encrypted and stored online. PII is not stored on any physical media. PII data is erased as subscription are cancelled.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Everbridge, Inc.

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Everbridge grants access to our propriety communications SaaS solutions for emergency mass notification messaging, via email, phone, text, or mobile app. End users of the solutions provide their Client Data, which contains the names and contact information (email, phone) of the recipients of the messaging.

NYCPS comment: NYCPS is the “end user” and families’ contact information is the “client data.”]

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Everbridge has implemented and shall maintain an information security program designed to protect against unauthorized or unlawful Processing of Personal Data or its accidental loss, destruction, or damage, including the measures described below.

• Physical Security Controls – policies, procedures, and physical and technical controls designed to limit physical access to information systems and facilities in which they are housed to properly authorized persons, including:
  • A badge-based access control system to control physical access and movement into and throughout Everbridge’s facilities; and
  • Processes and procedures to promptly remove facility access rights from terminated personnel.
• Access Controls – policies, procedures, and technical controls to ensure that all members of Everbridge’s workforce who require access to Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access, including:
  • Role-based access policies that restrict user access to systems and resources based on job responsibilities;
  • Processes to grant and revoke access rights based on business need, and to regularly review user access rights to ensure ongoing alignment with business needs;
  • Strong authentication procedures for production environments that require a username, password, and multifactor authentication; and
  • The use of firewall and intrusion detection systems to log access events for review by authorized Everbridge personnel.
• Security and Data Protection Awareness and Training – a security and data protection awareness and training program for members of Everbridge’s workforce (including management), which includes training on how to implement and comply with Everbridge’s security and data protection program, and which all workforce members are required to undergo upon initial hire and annually thereafter.
• Security Incident Procedures – policies and procedures to detect, respond to, and otherwise address security incidents, including:
  • deployment of an intrusion detection system to log access events and to monitor and restrict inbound internet traffic;
  • documented procedures to identify, escalate, and respond to suspected or known security incidents, mitigate harmful effects of security incidents; and
  • documented procedures to analyze the root cause of security incidents and to implement changes to existing controls, where appropriate, to better respond to future threats.
• Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Personal Data or systems that contain Personal Data, including:
  • documented business continuity and disaster recovery plans that include procedures to restore data and the functionality of affected systems, including procedures to rebuild systems, update software, install patches, and change configurations, as needed;
  • documented policies and procedures for the backup and recovery of data maintained in cloud-based environments, including periodic backups of production services, files, and databases, and the storage of backups in a separate data center; and
  • periodic testing of Everbridge’s business continuity and disaster recovery plans.
• Device and Media Controls – policies and procedures that govern the receipt and removal of hardware and electronic media that contain Personal Data into and out of a Everbridge facility, and the movement of these items within a Everbridge facility, including policies and procedures to address the final disposition of Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Personal Data from electronic media before the media are made available for re-use.
• Audit controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including:
  • logging of system access activity, including user authentication, failed user login attempts, and access control list changes; and
  • regular reviews of the logs for unusual or suspicious activity.
• Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Personal Data and protect it from disclosure, improper alteration, or destruction.
• Storage Security – technical security measures to guard against unauthorized access to Personal Data in storage, including:
  • encryption of data in motion and at rest in hosted environments use of a key management system to securely manage the lifecycle of encryption keys; and
  • use of full-device hard drive encryption to protection the confidentiality and integrity of information maintained on approved mobile devices.
• Assigned Security Responsibility – designation of a security official responsible for the development, implementation, and maintenance of Everbridge’s security program.
• Testing – Regular testing and monitoring of the effectiveness of Everbridge’s security program, including through SOC 2 Type II audits of Everbridge’s solution performed by an external third-party auditor, and through periodic vulnerability scans and risk assessments designed to identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Personal Data, and to ensure that these risks are addressed.
• Adjustments to the Program – Monitoring, evaluation, and adjustment, as appropriate, of Everbridge’s security program considering any relevant changes in technology or industry security standards, the sensitivity of the Personal Data, internal or external threats to Everbridge or the Personal Data, and Everbridge’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

EverFi

The exclusive purposes for which Protected Information will be used: Personally Identifiable Student Information (PISI) will be used for registration and use of EverFi courses.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Everfi requires employees, subcontractors and authorized persons or entities that receive student data or teacher or principal data to sign agreements that include appropriate confidentiality obligations that covers such data.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: EverFi will return or destroy such data in accordance with the terms of this agreement.

[NYC DOE comment: The current agreement became effective starting on March 5, 2020 and terminates when all NYC DOE schools and/or offices cease using EverFi, Inc.’s products/services. The terms of the agreement remain effective through the period during which EverFi, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipients.[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.] 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI will be sorted in the U.S. (within contiguous 48 states) in accordance with EverFi’s Data Security Policy. Please see EverFi’s “Data Security Policy” for more details.

How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted at rest and in transit (AES-256 encryption algorithm). Database connections are vial SSL protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384.

Evergreen Technologies

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Evergreen Technologies provides staff augmentation to DOE offices for a range of services. We have high-level proficiency in supplying all areas of IT; Emerging Technologies, Big Data, Engineering Support, Enterprise Data Management, Business Analysis, Application Development, Infrastructure, Cyber security, IT Compliance, Cloud Solutions & Project Management. All consultants will work on DOE systems only, and in doing so, may have access to student information. However, it's important to note that handling PII will be done in accordance with privacy regulations and best practices.

Site Surveys: The surveys may involve collecting information about individuals at the sites, such as names, contact details, and specific roles related to the integration, cabling work, and network setup.

Vendor Management: Managing client vendors may involve handling PII, especially if communication involves individual representatives from those vendors.

External Meetings: Coordinating on-site meetings with schools could involve gathering and handling PII of school staff or participants in those meetings.

Documentation: Maintaining a central repository for project documents and updating project related documents may include PII such as names and contact information of individuals involved in the project. Given these potential scenarios, it's crucial for Evergreen Technologies and its employees involved in the project to be mindful of privacy and data protection laws. We will implement appropriate measures to ensure the confidentiality, integrity, and availability of any PII that may be accessed or processed during the course of the project. This includes obtaining necessary consents, ensuring secure transmission of PII, and adhering to relevant data protection policies and procedures.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Evergreen Technologies asserts that it will not store any Personally Identifiable Information (PII) or confidential data outside of the secure systems controlled by NYC DOE.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Considering that Evergreen Technologies will not host or manage the data, but will only have access to it, the safeguards that we will have in place are as follows:

• Comprehensive Access Controls: We will implement stringent access controls to regulate access to the Protected Information, ensuring that only authorized personnel can access the data.
• Robust Administrative Safeguards: We will establish Administrative safeguards which will involve establishing and enforcing policies and procedures to govern how our employees interact with the Protected Information. This includes training programs to ensure adherence to security protocols.
• Operational Safeguards: We will establish Operational safeguards which will focus on defining and implementing secure processes for handling and interacting with the Protected Information during the course of tasks.
• Technical Safeguards: While not hosting the data, we will comply with the technical safeguards such as encryption, secure communication channels, and authentication mechanisms to protect the data during access and transmission.
• Meeting Industry Standards: We will commit to aligning our security practices with industry standards, despite not hosting the data. This ensures that its access protocols and security measures adhere to recognized best practices.

In summary, these safeguards are adapted to the specific role of Evergreen Technologies as an entity with access to, but not the host or manager of, the Protected Information. The emphasis remains on securing the data during access and ensuring compliance with industry standards.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Everyone Reading

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: September 2023 – June 2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Our training provides prevention and intervention strategies to familiarize educators with multi-sensory language education strategies to be used in general and special education classrooms and in Multi-Tiered Systems of Support, Response to Intervention (RTI) and Academic Intervention Services models of support. We provide virtual workshops and on-site training specifically on assessment and data interpretation, as well as including necessary discussion of those topics in all of our other workshops. The area of assessment includes baseline data such as attendance, school mobility, hearing and vision, home language, standardized test scores, report card grades and comments, individual, group and schoolwide assessments on such instruments as Acadience, KeyPhonics, PAST, early childhood assessments, such as the Early Screening Inventory (ESI-R), work samples and observational data. As appropriate, we also look at sample Individual Educational Programs (IEP’s) and psychosocial evaluations.

Type of PII that the Entity will receive/access: Student PII. “All participants will be asked to de-identify all student data. However, data may include multiple modalities such as writing samples, benchmark assessment data and progress monitoring reports. These multiple modalities together may lead to identifying different students if they are not correctly de-identified. Any student data will be used only during professional development sessions in real-time alongside participants. No data will be stored physically or electronically by Everyone Reading.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third-party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Data will not be stored at any time during the duration of the agreement, and will not need to be deleted or destroyed.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data will be used in real-time with professional development participants. In all sessions any assessments, work samples, records, other forms of data that may contain identifying information will be kept in the possession of participants, with Everyone Reading facilitating data analysis.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Evolution Labs (EL) (for Suite 360)

The exclusive purposes for which Protected Information will be used: For the purposes of administering and assessing learning related to the subject material of the program.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Data is only shared with Evolution Labs employees with a demonstrated need for that information (i.e. developers, DBAs, Client Services etc). Each EL employee receives annual training on protecting user data. Data is never shared outside of EL.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: NDA begins on August 27, 2020 and is sustained indefinitely until/unless either party terminates the agreement. Upon expiration of the agreement, archived data is kept for 12 calendar months upon which time it is destroyed. Accelerated deletion of data can occur upon request.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.] 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data is stored in the US and all databases are encrypted and protected with industry standard security.

How the data will be encrypted (described in such a manner as to protect data security): Databases are encrypted at rest. All programs utilize industry standard encryption.

ExpandED Schools

Type of Entity: Research Institution or Evaluator; Community Based Organization or Not-for-Profit

Contract / Agreement Term: 8/31/2022 – 8/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. This agreement covers multiple projects, and thus the type of PII collected and for which purposes will vary. PII may include, but is not limited to:

• names of students participating in relevant DOE initiatives, their parents and guardians;
• student OSIS number;
• student’s date of birth;
• school affiliation, district, and grade;
• school-day and afterschool attendance;
• state test scores or other academic achievement information (e.g., report card grades)
• Race, ethnicity, special education status, language spoken at home and English Language Learner status.

If collected, all information will remain confidential solely between relevant parties (DOE, ExpandED Schools, and any subcontractors where applicable, who are subject to the same rules and regulations governing ExpandED Schools’ access to these data). If collected, processing PII will allow ExpandED to identify youth who would benefit most from the supports we are offering, as well as to track whether students improve outcomes as a result of participation in our supports.

Type of PII that the Entity will receive/access: We are not aware of which types of data will be required at this time, but it is likely that we will be collecting student and/or educator PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; (i.e. if data are transferred via a cloud-based tool, ExpandED Schools will use a secure Sharepoint link to transfer and store data, ensuring that only those who require access are granted access); and using an entity-owned and/or internally-hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ExpandED Schools commits to implementing all state, federal, and local data security and privacy contract requirements over the life of the agreement, consistent with NYC DOE’s data security and privacy policy, as well as the requirements of NYC DOE’s Parents’ Bill of Rights for Data Privacy and Security. The following outlines the data security protocols and measures and in place to ensure compliance with all requirements.

ExpandED Schools has numerous administrative, operational and technical safeguards and practices in place to protect any Protected Information that we may potentially receive under the contract. This includes, but is not limited to:

Administratively:

• ExpandED staff and its subcontractors are required to hold Confidential Information in strict confidence. ExpandED staff and subcontractors will only disclose Confidential Information to other staff who need to know the information in order to carry out tasks and only to the extent justifiable by that need.
• ExpandED will only use Confidential Information collected for projects that fall under the agreement for specific project purposes. ExpandED and its subcontractors will not use Confidential Information for its own benefit or for the benefit of another, or for any use other than specified in the agreement. ExpandED will never sell, license or distribute any Confidential Information collected as part of this agreement.

Operationally and technically:

• ExpandED will store all Confidential Information on ExpandED’s server located in the United States. Confidential Information may never be stored on personal technology devices or laptops at any time. ExpandED will not incorporate any Confidential Information into any database or any medium other than required for this agreement.
• If necessary to share information via a cloud-based server, ExpandED will use secure Microsoft SharePoint Drive folders to share information, which offers security in compliance with state, federal, and local standards and ensures only authorized individuals can access data.
• ExpandED will ensure end-to-end encryption when data is in motion and at rest to preserve safety of data at all times.
• If not necessary to share data via a cloud-based server, ExpandED utilizes a Virtual Private Network (VPN) which is secure and password-protected.

All research team members and the President & CEO of ExpandED will be trained and certified through the Collaborative Institutional Training Initiative (CITI) program Research Ethics and Compliance Training which includes federal laws, research in schools, and other topics that ensure the ethical use of data and protected information. Research team members will also receive training on state-specific laws provided by the Director of Research as part of their orientation to work on projects that fall under this agreement. Third-party subcontractors will be required to offer these same training opportunities to their staff members, and this will be included as part of our written agreement.

Any third-party subcontractors will be subject to all rules and regulations governing ExpandED’s access to this data, and ExpandED will hold subcontractors accountable to following all protocols. This will be specified in writing as part of any written agreements between ExpandED and subcontractors as part of this agreement.

Data security breaches or privacy incidents will be managed by the senior executives of the organization who will contact the NYC DOE via phone and email as soon as we learn of any breach. Staff are required to notify senior executives of ExpandED of any suspected data security breach or privacy incidents. The senior executives will act promptly to stop the breach, assess how it occurred, and make changes to ensure the breach will not be repeated, and notify the NYC DOE of its actions, findings and next steps.

All confidential information will be returned or destroyed upon termination of services.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

ExpandED Schools (for tutoring services)

Type of Entity: Research Institution or Evaluator and Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ExpandED Schools (ExpandED) is the lead organization, working in direct partnership with New York City Public Schools (NYCPS), implementing a large-scale tutoring effort, serving 10 NYC school districts, including 71 elementary and middle schools, in school year 2022-23. ExpandED and NYCPS have secured private funding to allow for each participating school principal, working in collaboration with their district superintendent, to develop a tutoring plan, choosing from a menu of tutoring service providers who meet a predetermined set of criteria. Tutoring will either focus on literacy in grades K-2, or math in grades 6-8. ExpandED will: (1) facilitate tutoring program design sprints and support school with program development; (2) coordinate data collection and analysis for continuous improvement; (3) provide ongoing coaching and support for school-based implementation; and (4) communicate regularly with updates for all stakeholders.

To effectively meet the aims of the joint goals of this initiative, ExpandED and its subcontractors will require access to the following Student Personally Identifiable Information (Student PII): (i) names of students participating in this tutoring program, their parents and guardians; (ii) student OSIS number; (iii) student’s date of birth; (iv) school affiliation, district, grade, ELA and/or Math classroom, and homeroom; (v) school-day, afterschool, and tutoring attendance; (vi) literacy and/or math screening assessments in order to target the tutoring intervention to students for whom it is most appropriate; (vii) literacy and/or math achievement data, including marking period grades and/or state test scores, to examine whether tutoring successfully improved student outcomes; (viii) Race, ethnicity, gender, housing status, special education status, language spoken at home and English Language Learner status.

As different schools will decide on different implementation plans for their tutoring programs, ExpandED and its subcontractors may also need to access DOE employee PII, such as: (i) names of teachers and other school staff participating as tutors in the program; (ii) Race, ethnicity, gender, and other demographic information; (iii) employment status, including number of years the individual has been employed as a teacher or other school staff within NYC and elsewhere.

Type of PII that the Entity will receive/access: Student PII and “depending on the type of tutoring program selected by the school, we may require identifiable information for DOE employees leading tutoring activities, such as teachers or other school staff.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor. “We plan to use SharePoint; we may introduce additional cloud or infrastructure owned tools as the project progresses; we will update this agreement and related forms prior to making any changes.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ExpandED Schools commits to implementing all state, federal, and local data security and privacy contract requirements over the life of the agreement, consistent with NYC DOE’s data security and privacy policy, as well as the requirements of NYC DOE’s Parents’ Bill of Rights for Data Privacy and Security. The following outlines the data security protocols and measures and in place to ensure compliance with all requirements.

ExpandED Schools has numerous administrative, operational and technical safeguards and practices in place to protect any Protected Information that we may potentially receive under the contract. This includes, but is not limited to:

Administratively:

• ExpandED staff and its subcontractors are required to hold Confidential Information in strict confidence. ExpandED staff and subcontractors will only disclose Confidential Information to other staff who need to know the information in order to carry out tasks and only to the extent justifiable by that need.
• ExpandED will only use Confidential Information collected for projects that fall under the agreement for specific project purposes. ExpandED and its subcontractors will not use Confidential Information for its own benefit or for the benefit of another, or for any use other than specified in the agreement. ExpandED will never sell, license or distribute any Confidential Information collected as part of this agreement.

Operationally and technically:

• ExpandED will store all Confidential Information on ExpandED’s server located in the United States. Confidential Information may never be stored on personal technology devices or laptops at any time. ExpandED will not incorporate any Confidential Information into any database or any medium other than required for this agreement.
• If necessary to share information via a cloud-based server, ExpandED will use secure Microsoft SharePoint Drive folders to share information, which offers security in compliance with state, federal, and local standards and ensures only authorized individuals can access data.
• ExpandED will ensure end-to-end encryption when data is in motion and at rest to preserve safety of data at all times.
• If not necessary to share data via a cloud-based server, ExpandED utilizes a Virtual Private Network (VPN) which is secure and password-protected.

All research team members and the President & CEO of ExpandED will be trained and certified through the Collaborative Institutional Training Initiative (CITI) program Research Ethics and Compliance Training which includes federal laws, research in schools, and other topics that ensure the ethical use of data and protected information. Research team members will also receive training on state-specific laws provided by the Director of Research as part of their orientation to work on projects that fall under this agreement. Third-party subcontractors will be required to offer these same training opportunities to their staff members, and this will be included as part of our written agreement.

Any third-party subcontractors will be subject to all rules and regulations governing ExpandED’s access to this data, and ExpandED will hold subcontractors accountable to following all protocols. This will be specified in writing as part of any written agreements between ExpandED and subcontractors as part of this agreement.

Data security breaches or privacy incidents will be managed by the senior executives of the organization who will contact the NYC DOE via phone and email as soon as we learn of any breach. Staff are required to notify senior executives of ExpandED of any suspected data security breach or privacy incidents. The senior executives will act promptly to stop the breach, assess how it occurred, and make changes to ensure the breach will not be repeated, and notify the NYC DOE of its actions, findings and next steps.

All confidential information will be returned or destroyed upon termination of services.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology." 

Experis US (for staff augmentation for the Special Education Office)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 6/1/2023 – 5/31/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Experis’ services will support the timely identification, evaluation, and placement of all students in an appropriate educational setting. Experis will provide the tools and resources required to adequately test the primary special education processing systems, address end-user escalations, train all appropriate NYCPS staff who require the system to perform their job responsibilities, and develop the reporting infrastructure required to meet operational, management, and regulatory reports.

PII will be accessed for project management, developing initiatives, providing adequate support, troubleshooting issues, and creating reports.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: No PII will be stored or hosted by Entity.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: No PII will be stored or hosted by Entity.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Require annual third-party security privacy and awareness training for staff and subcontractors
• Implemented malware protections on all devices and accounts.
• Granular event logging employed to assist with security incident response.
• Network access will only be from secure, known networks, secured by a network firewall, and not utilize any unknown, public, or open networks.
• All software will be kept current and patched.
• Employing best practices including:
  • Local user accounts will utilize a strong password.
  • The system automatically locks after 30 minutes of inactivity.
  • Hardware used by staff/subcontractors will be securely stored when not in use
  • Staff/subcontractors will conduct work in a private location away from non-DOE vendor resources and lock their screen when anyone unauthorized has visibility of their work area or screen.
  • No data shall be stored locally on staff and contractors’ servers, computers, or personal devices.
  • Staff/subcontractors will submit a ticket in the event they need additional software or access.
• Access to PII data shall only utilize role-based access controls, provide least privilege access, be limited to authorized persons whose job responsibilities require access, and all access will be logged to an external source sufficient to determine who, what, and when DOE data was accessed.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Experis US (for SMART Intake)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 04/3/2023 – 3/31/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. This project will build an online tool with the help of the vendor that can be used to conduct the intake process and perform assessments for the Office of Students in Temporary Housing (STH). Automation of process and using data from current DOE system that houses PII data to validate student information will allow support staff to best serve students and families in need. Additionally, canned and ad-hoc reporting functionalities using data from current DOE system that the vendor will help to build will allow DOE staff to make decisions to improve allocation of service resources and supports to better serve our students and families in temporary housing.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud service providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: PII will not be transmitted to Experis and Experis will not host or store any PII from DOE.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Access to PII data shall be limited to authorized persons whose job responsibilities require it. Any incidents in data security storage or handline or un-authorized access to protected client information will be reported to DOE immediately. No data shall be stored locally on staff and contractors’ servers, computers, or personal devices.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Experis US (for the Social Worker Information Management System (“SWIMS”)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 04/3/2023 – 3/31/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Vendor will access certain PII in connection with integrating the Social Worker Information Management System (“SWIMS”) into DOE databases such as NYCDOE Single Sign On Identity Provider (IDP) and Student Information System. SWIMS will house all records for DOE case managers, provide a mechanism to create new cases, edit existing cases and provide an easy system to track social workers’ services across DOE. The SWIMS database will include information such as Student First Name, Student Last Name, and Student ID and the data will be encrypted.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Vendor resources are all vetted in DOE’s Personnel Eligibility Tracking System (PETS) and they will have DOE assigned user name and password. Any access to DOE systems will be monitored as per DOE guidelines. The vendor resources will also sign and follow the Experis Data Privacy document. Vendor resources will not have access to production data. Data in production environment will be encrypted. Access to PII data shall be limited to authorized persons whose job responsibilities require it. Any incidents in data security storage or handling or un-authorized access to protected client information will be reported to DOE immediately. No data shall be stored locally on staff and contractors’ servers, computers, or personal devices.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

ExploreLearning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 6/1/2023 – 5/31/2030

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ExploreLearning is an education technology company creating seriously fun web‐based learning solutions for the most critical challenges facing K‐12 STEM education. Our programs are state‐ and national‐standards aligned, including Next Generation Science Standards (NGSS) and the Standards for Mathematical Practice (SMP). We help teachers bring engaging instructional strategies to classrooms in every state in the U.S. and more than 80 countries worldwide.

ExploreLearning products include:

• Gizmos is a website offering interactive simulations and case studies for math and science, using structured inquiry and experimentation to help students understand concepts. With more than 450 Gizmos covering STEM topics for grades 3‐12, students can dig deeper into tough‐to‐teach concepts as they form, analyze, and test ideas to find solutions.
• Reflex is a math fact fluency website for students in grades 2–8. Using adaptive learning, Reflex builds student mastery with basic math facts in addition, subtraction, multiplication, and division. Students cycle through assessment, instruction, and academic practice personalized to maximize their progress. With lively characters, game‐based challenges, and incentives for achievement and effort, students engage deeply in their progress.
• Science4Us offers blended learning designed for students in grades K‐2, combining web‐based lessons and academic practice with offline teacher‐led instruction and hands‐on extension. The cross‐curricular approach reinforces literacy and math standards, featuring interactive games, songs, virtual notebooks, experiments, and more. Science4Us includes 28 modules (covering topics in physical, life, and earth/space science) and lessons take as little as ten minutes to complete.
• Frax is an adaptive learning website that uses story‐driven, game‐based lessons to help students in grades 3‐5 learn fractions. Frax utilizes the latest research‐based instructional methods, with fun challenges and motivating rewards to ensure that students build mastery in fractions concepts. Students practice with visual models and number lines to reinforce the essential knowledge that fractions are numbers too!

Customer PII is encrypted at rest and in transit using industry standards such as BitLocker, AES 256, and HTTPS and TLS 1.2 and higher.

The DOE student demographic data collected by ExploreLearning is data entered/provided by DOE educators and administrators. The same data is made available solely to DOE educators and administrators for their own use in reporting. DOE PII data is not used by ExploreLearning for any system testing or system reporting. DOE PII data is not used outside the scope of services of this agreement. Aggregate data may be used for our research and analysis of our customers’ use of and experience with our products and services, for the development, improvement and optimization of our educational products and services for the DOE. DOE PII data will only be used in accordance with performing the contract at DOE’s direction.

Additional educational information is collected as the child progresses through the service, such as amount of time logged in, reading rate, and assessment scores. This information allows the service to adapt to the child and inform the teacher on the child’s progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We maintain administrative, technical and physical safeguards designed to secure student data, as provided by NYC DOE, both during transmission and while in our custody. These safeguards include technical and operational measures, such as firewalls, routers, encryption (at rest and in‐transit), passwords, and vulnerability testing, as well as training, policies and procedures to limit access to NYC DOE provided data to authorized staff, contractors and agents that have a legitimate need to access such data for purposes of enabling us to deliver and support our products and services to the NYC DOE, and that are under appropriate contractual obligations of confidentiality, data protection and security.

No student PII is ever public. Our applications are designed to keep this information private and secure. It is never discoverable by the public.

• The Company has a formal onboarding and off‐boarding procedure where access to database assets are formally granted and revoked respectively; access is only granted to employees who need access to support the online products as we ascribe to the principle of least privilege.
• The Company provides student data privacy training to all employees and contractors who access our network.
• The Company employs a 3rd party company to conduct both COPPA and FERPA compliance audits.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Family Life Time Solutions (for #SameHere)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 11/1/2021 – 9/1/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The #SameHere Teacher and Student Apps allow teachers and students to share their feelings in a secure app setting. The app acts as an emotional thermometer. It is not diagnostic, and it does not make recommendations. It strictly allows student to tell teachers how they are feeling, and to track those feeling trends over time.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Log systems are in place so as to identify unauthorized access of the databases. Vulnerability assessments are done periodically to identify any threats or risks. OWASP Top 10 is being followed as much as possible. Also WAF are implemented to avoid DDOS attacks.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

FEV Tutor

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. FEV Tutor provides high-impact tutoring for Grades 3-12 through an online, interactive whiteboard with a live adult.

As part of our implementation process, we can integrate with a school’s existing SSO and LMS. Doing so allows us to quickly roster students in our system and build a benchmark of their current academic aptitude, which lets us more accurately target their needs.

The integration process inherently involves some PII, including name, Grade, and which school the student attends.

We manage this process according to strict guidelines, and have One Roster 1.2 and LTI 1.3 certification through 1EdTech. These are considered industry-leading certifications for managing student data.

At the discretion of the client, standardized benchmark test results for students may be shared using secured API integrations of secure file transfer in order to evaluate student learning gains and the efficacy of the tutoring implementation.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Oracle Cloud Infrastructure (OCI) and Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

Administrative Safeguards:

Our administrative measures include a rigorous framework of policies and procedures that govern the handling of PII. This framework is underpinned by a training program for all staff members, emphasizing the importance of data privacy and security and their roles in maintaining it. Access to PII is strictly governed by role-based permissions, ensuring that individuals are granted access only to the data necessary for their specific job functions. Regular audits and compliance checks are conducted to ensure adherence to these policies and procedures, with corrective actions taken as necessary to address any identified deficiencies.

Technical Safeguards:

On the technical front, we utilize state-of-the-art encryption techniques to protect PII both in transit and at rest, ensuring that data is unreadable to unauthorized individuals. Our password policy mandates strong, unique passwords, supplemented by multi-factor authentication to add an additional layer of  security. Access controls are meticulously managed and reviewed to prevent unauthorized access, with automatic log-offs and session timeouts implemented to minimize the risk of unauthorized data exposure. Regular vulnerability assessments and penetration testing are conducted to identify and remediate potential security weaknesses, ensuring our defenses remain robust against evolving threats.

Mitigating Data Privacy and Security Risks:

We adopt a proactive and dynamic approach to mitigate data privacy and security risks. This includes continuous monitoring of our data protection measures, regular updates to our security protocols in response to new threats, and swift action to address any potential vulnerabilities. Our incident response plan outlines clear procedures for responding to data breaches or security incidents, ensuring rapid containment, investigation, and notification in compliance with legal and regulatory requirements..

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Find Your Grind

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Find Your Grind provides curricula for students in grades 6th-12th and professional development services for educators that support students in their self-discovery, career exploration, and career planning journey. We collect PII to create student accounts, service students access to the platform and for educator tracking and progress monitoring.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The key points of Find Your Grind’s technical safeguards include:

• Incorporating automated security scanning into the platform
• Automatic threat detection and monitoring
• Implementing a vulnerability assessment solution
• Encryption all the way through (SQL TDE, HTTPS between services, etc)
• Penetration Testing
• Two-Factor Authentication where possible
• Authentication and Authorization

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Finding Focus (through University of California Santa Barbara)

Type of Entity: Public, Not-for-Profit University

Contract / Agreement Term: 8/01/2021 – 6/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Finding Focus is an online course that is intended to help high school students learn how to improve their focus and emotional resilience. Students use their names and email addresses to securely create accounts. These accounts allow each student to receive a personalized learning experience, and it also makes it possible for teachers to track their students’ progress throughout the course. PII is used exclusively to provide this educational service.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Upon expiration of the agreement, protected information will be stored securely for the duration indicated by the NYSED Education Retention Schedule ED-1 and then deleted.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We follow best practices in workstation management and secure application development. Our cloud services are provided by industry leaders with excellent reputations for providing and maintaining security. All data is encrypted in transit according to industry standards, and PII is also encrypted at rest. We continuously monitor for potential security vulnerabilities through third-party services, and we apply all patches and updates needed to reduce exposure to identified vulnerabilities. A quarterly risk assessment is also implemented to identify and remediate any emerging security risks. Early warning signs of a data breach are regularly monitored, and an incident response plan is in place to ensure a rapid and effective response in case a breach does occur.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

First MedCare

Type of Entity: Article 28 licensed health care facility

Contract / Agreement Term: 7/1/2024 – 6/30/2032.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We are providing School Based Health Center – Dental services within DOE facilities. This information is needed for all students attending campuses served by our health care facility, regardless of consent status, to facilitate the provision of needed dental services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “We will securely store all PII and will store as required by laws concerning medical records.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Business.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Controlled access cards are required to enter our facilities. We also have security cameras recording 24/7. Our network has firewalls and action directory group policies that set rules to control access and what can be done on computers. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Fishtank Learning

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Fishtank Learning is a digital curriculum platform offering high-quality core ELA and math curriculum materials. This project would make Fishtank’s 6th-8th grade ELA curriculum available to NYC schools for use by teachers. The curriculum is currently accessed only by teachers via Fishtank’s website, www.fishtanklearning.org. Students do not create accounts. This part of the service does not require PII.

Fishtank Learning’s new application, Fishtank Student, will allow teachers to assign work directly to students and allow students to complete assignments on the platform. If schools choose to pilot the new platform, PII will be accessed to track student progress and provide students with feedback. PII is needed to make student accounts and track student progress in completing ELA assignments. PII is needed for teachers to grade and provide feedback on student work, to identify areas where students need further support or instruction and communicate with students about their progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Heroku  Postgres, AWS S3

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Fishtank Learning uses industry best practices to ensure data safety and security. Employees will be given limited role permission within Fishtank applications to only access necessary data. Contractors will not be granted administrative access to databases that contain student data.

Fishtank Learning uses TLS and HTTPS, which encrypts all data before it leaves the Fishtank learning servers and protects that data as it transits over the internet. All of our Services are hosted by Heroku, Amazon Web Services (AWS), and served securely from Cloudflare. All personal identifiable information is encrypted at rest using modern encryption algorithms.

Virtual access to administrative controls and information within applications is strictly limited to essential engineering staff and support, with user support receiving less access than engineers. Credentials and access to our applications are removed when a staff member leaves the organization.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

FMYI, Inc (also called Grouptrail)

The exclusive purposes for which Protected Information will be used: NYC DOE Bridge for All Program.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: There is no sharing of the student data by Grouptrail for NYC DOE Bridge for All. If there was, we will have the subcontractor sign an amendment to our agreement that includes these data protection and security requirements required by this non-disclosure agreement with the NYC DOE.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon termination of our relationship with the NYC DOE related to this agreement, the protected information is deleted. Decommissioned media utilizes techniques detailed in NIST 800-88.

[NYC DOE comment: The current agreement became effective starting on June 26, 2020 and terminates when all NYC DOE schools and/or offices cease using FMYI, Inc.’s products/services. The terms of the agreement remain effective through the period during which FMYI, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information is stored in the US. 

How the data will be encrypted (described in such a manner as to protect data security): SSL for data in transit, network firewall, and encryption at rest.

FOCALPOINTK12

Follett School Solutions (for Destiny Solution)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Follett School Solutions, LLC is providing its Destiny Solution to entities within the DOE. The Destiny Solution includes modules such as Library Manager and Resource Manager, which help schools purchase and track library and other school-related resources and information. PII is collected for related reasons, including to, for example, track which students have checked out which books.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft Azure.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Destiny has multiple levels of data security Session-level authentication—All data access within Destiny is routed through a layer that checks authentication credentials and permissions on each request. User Interface security—The Destiny interface presents different options based on the permissions associated with the users.

The Destiny application does store within its own internal database student/staff demographic data and information regarding the usage of district/school resources (Checkouts, Holds, Fines, Reviews, etc.…) by students and staff. Access to this data is restricted to district staff based on configured permissions and access levels. Customers can have Destiny installed locally within the district’s technical environment or hosted by Follett. The data for Destiny is managed/stored in a Microsoft SQL Server database. Follett supports encryption of the data under SQL Server in an optional configuration. The database is protected through Microsoft SQL Server security.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Follow Us

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Follow Us provides elite college, career, academic, and social-emotional learning (SEL) prep for K-12 students, at a non-elite price to ensure ALL students experience a smooth transition between elementary school, middle school, high school, and post-secondary education. Our emphasis is on helping underserved student populations from urban and rural backgrounds to close the postsecondary achievement gap.

We provide a wide range of student support services for schools to choose from. Our programming follows two main pathways, with additional bespoke services for English language learners (ELL) and undocumented students

• College & Career Readiness, including college application completion, financial aid, SEL workshops, career exploration, financial literacy workshops, and structured mentorship
• Academic Support, including interventional tutoring, SAT / ACT prep, graduation exam prep, and Gifted & Talented (G&T) early-prep programs.

Our services also include parent engagement and professional development (PD) programs.

Based on the insights we have gained from delivering services programming, we have built CarrotPath (https://carrotpath.com/). CarrotPath is a platform designed for schools and organizations that provide support services to underserved students to increase their likelihood of graduating from high school and continuing to higher education. We aim to:

• Help students pursue their goals within an SEL-based foundational context and achieve their personal, academic, financial, and college / career aspirations.
• Help students grasp key financial literacy concepts as it relates to college & career readiness
• Enable program staff (administrators, program managers, counselors, teachers, etc.) to more effectively engage with their students and to better measure and track the impact of their support.

Follow Us and our CarrotPath platform use student data collected from, or on behalf of, an educational organization to more effectively deliver support services programming to students; to assess and understand individual student needs, goals, and outcomes; and to analyze and track results/impact at the overall program level.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS, Google Cloud Platform, Microsoft Azure, Digital Ocean.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Follow Us only uses software that holds PII that is FERPA compliant. All staff are informed of our data privacy and security policies and trained in how to keep information secure. In addition, we have engaged a technology consultant that reviews our data security systems and provides ongoing security training of staff and monitoring. Any potential breaches or unauthorized attempts to access data we store are quickly reported and responded to by this consultant. The administrative, operational, and technical safeguards in place that protect PII center upon both accessibility to data and data storage. Data is only accessed by employees and/or agents working with the associated program for the duration of the program; afterwards, their access is revoked. Data storage is limited to Follow Us’ Google and/or Dropbox accounts. Furthermore, both the Google and Dropbox accounts used by Follow Us are password-protected. Each user has a unique account with their own password. Employees and key agents that work with PII use either Macbooks or PCs that have the standard security protections that are provided by the manufacturers, Apple and Microsoft, respectively. All laptops require a password to access, and are in the physical possession of these employees and agents.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Foresight Advisory and Consulting

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/15/2023 – 7/14/2024; renewal is optional upon request by Queens Academy High School.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Foresight Advisory and Consulting Inc, (referred to as “Foresight”, “we”, “our” and “us”) is contracted to provide the solution, Virtual Administrator, for data analysis for Queens Academy High School (“School”). The Virtual Administrator (“Analysis”) is an Analysis that provides insight into the School's overall performance, specific Cohort information and tracking, as well as the school's standing in respect to the New York State, Every Student Succeeds Act Accountability Metrics.

The Virtual Administrator is created by incorporating several reports generated by the School's internal systems including ATS and STARS. The reports will be prepared by a NYC DOE employee designated by the School. Virtual Administrator is then run on a desktop device that is located and owned by the School. The Virtual Administrator tool does not access or require the internet or any network. The analysis is provided to the School and is henceforth wholly owned by the school.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Virtual Administrator tool is deployed on a NYC DOE device without the need to or ability to connect to internet or networks. Only authorized Foresight personnel are provided access to personal information and these employees have agreed to maintain the confidentiality of this information. The resulting analysis is saved on that same device and the tool does not record or store any data. Foresight ensures the safety of all internal processes with various cyber security solutions such as double encryption software, firewall protection, malware identification with machine learning (ML) and behavior protection software to name a few. However, the Virtual Administrator tool is administrated only on DOE desktop device and the data is not stored or transferred anywhere else. The Virtual Administrator is encrypted.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “The Virtual Administrator tool uses VBA and Excel macros, all of which has been scanned to ensure that there is no capacity to retain or record data.”

Foundations in Learning (for WordFlight)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Foundations in Learning, LLC provides WordFlight, an assessment/intervention system to help students become fluent readers. Foundations in Learning uses the Enrollment and Performance information collected within WordFlight in order to create a variety of reports and email communications for the students’ teachers in order to inform them of progress and assist them in providing a greater level of targeted assistance and instruction to the student. Depending on the program, we also use the information in order to adjust the program while the student is working within it in order to provide a more effective educational experience for the student. FIL may use de-identified student data for the purpose of improving the services only.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Any sensitive online information is transmitted over secure, encrypted channels via SSL as well as other layers of encryption. All student data are stored on secure servers utilizing encryption and firewall technology and are not publicly accessible. All student performance data is stored in a non-identifiable format. Security audits are continuously performed to ensure data integrity. Access to the hosting environment and encrypted data is currently limited to one employee. This access utilizes AWS authentication with MFA controls. This same employee has received FERPA 101 and 201 trainings, is preparing for the AWS security certification exam, and is generally knowledgeable with security best practices. An incident response plan will be implemented.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

FranklinCovey Education (for Leader in Me) 

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 1/1/2023 – 12/31/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Leader in Me online is a web-based application that provides resources, professional development, curriculum, and an anonymous survey given to students, staff, and parents to assess the progress of the implementation of our services. Staff are provided logins to the Leaders in Me online to access all these resources. High School students are offered 4 courses either using a LTI integration into your LMS or if needed access to our LMS can be provided to students where we would collect student first name, last name, and email address so they can login and take the courses. We prefer the LTI method so student data stays in your LMS system. This is the only case where we might collect student data. All other data collected is staff data for the Leader in Me online which consists of first name, last name, and email address with phone number being optional.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontracted, i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data is stored in a Postgresql database using encryption of data at rest and encryption of data in transit. All database traffic is isolated in a private VPN behind a firewall. All web traffic is served over HTTPS, and no user information is available in the public domain. No PII data is transferred and used in any development environments or for any purposes outside of Production servers.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Fuel Education

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2023 – 6/30/2030.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Processor providers digital core, world language, and elective content via our proprietary platforms. Processor requests a first name, last name, and email address to create a user profile. The data is required to ensure we know who we’re talking to when contacted for support and provides us with a way to contact a user with password reset requests.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Fuel Education LLC will securely delete obfuscate, de-identity, render unreadable or otherwise destroy PII.”

Challenges to Data Accuracy. “Fuel Education LLC is not the system of record for NYC DOE student/teacher/admin records. NYC DOE administrators will have access to update user data in real-time.”

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. To reduce the risk of unauthorized access, maintain data accuracy, and secure the correct use of information, Fuel Education LLC uses commercially reasonable physical, electronic, and managerial processes and procedures to protect the any PII collected by Fuel Education LLC. Fuel Education LLC also use Secure Sockets Layer (SSL) protocol on account information and registration pages to protect PII. Fuel Education LLC’s technologies, safeguards and practices align with the NIST Cybersecurity Framework.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Futures and Options

Type of Entity: Community Based Organization

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Futures and Options will be providing career-readiness support services to students. We will work with schools to enroll students in activities that support their exploration into the world of work, as well as internships and mentoring. PII is required for us to deliver these services, because we will need to collect names, grade in school, and student contact information in order for us to enroll, evaluate and teach our curriculum and programming to students. We will be receiving student PII during our delivery of program services, such as career workshops and workbased learning projects.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Futures and Options technologies, safeguards and practices align with the NIST Cybersecurity framework, and include sufficient:

• Data privacy protections, including processes to ensure that personally identifiable information is not included in public reports or other public documents; and
• Data security protections, including data systems monitoring, encryption of data in motion and at rest, an incident response plan, limitations on access to Protection Information, safeguards to ensure Protected Information is not accessed by unauthorized persons when transmitted over communication networks, and destruction of Protection Information when no longer needed.

Futures and Options agrees to use encryption technology to protect PII while in motion or in its custody from unauthorized disclosure using a technology or methodology as required by New York Educational Regulation 2-d. Futures and Options' data is encrypted and protected through Microsoft Best Practices, including using multi-factor authentication, secure passwords, antivirus, and using Microsoft Datacenter Server 2019 as our cloud Active Directory for computers. Futures and Options acknowledges and agrees to conduct digital and physical periodic risk assessments and to remediate any identified security and privacy vulnerabilities in a timely manner. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

General Audit Tool

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. GAT Labs provides advanced auditing, security, and management tools that help every Google Workspace administrator gain a detailed overview of what's happening in the domain. To provide this service, PII is needed. We collect and store Personal Identifiable Information (PII) metadata that Google provides to us directly from customers' Google Workspace domains so that the administrator can use for analytical and reporting purposes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud Platform.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• The data is encrypted at rest and in transit. Security protections include but are not limited to: firewalls, IDS, 2FA strict requirement, executing penetration tests on an annual basis (via external/independent company), using PoLP (Principle of Least Privilege) in access control, security awareness training for all staff, dedicated trainings for developers, having a secure SDLC in place, quarterly vulnerability management and patch management.
• Internal access control is in place, where all access is on a strictly as needed basis to the database level.
• An alerting system is in place that notify the entire management team for any potential access to customer metadata.
• The data is retained for 31 days from the license expiration date and then automatically deleted in full.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Geneva Worldwide

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2019 – 6/30/2025.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Interpretation services for students and parents, including in person and video remote interpretation, where we access student and parent information such as names.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement